ramnit | b2571e5edd075972d75f7e2d7093b9e8b2e5aef02996f55c2b68dcf0d598c1e8

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa65e5ea28d7b88acce1df033e7b079f_JaffaCakes118.html
Size

2.3MB
MD5

fa65e5ea28d7b88acce1df033e7b079f
SHA1

e62bd9ef0a8994d52c48931b4ebbecd96e0e39e2
SHA256

b2571e5edd075972d75f7e2d7093b9e8b2e5aef02996f55c2b68dcf0d598c1e8
SHA512

04345a1edf7d0e1c803420e16bf1d050e63c7c02bf589edcb6cee8cac8d1abd81ef41356e28f54b5ed12ec28665183048715dedfc6b470674703af8916955eb3
SSDEEP

24576:L+Wt9BJ+Wt9Bq+Wt9BU+Wt9B7+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+Wy:1

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 26 IoCs

pid	Process
2620	svchost.exe
2588	DesktopLayer.exe
1924	FP_AX_CAB_INSTALLER64.exe
976	svchost.exe
852	svchost.exe
1628	DesktopLayer.exe
276	svchost.exe
2368	DesktopLayer.exe
2456	svchost.exe
2200	svchost.exe
896	DesktopLayer.exe
2728	svchost.exe
2548	DesktopLayer.exe
2668	svchost.exe
2676	DesktopLayer.exe
1704	svchost.exe
1336	DesktopLayer.exe
2848	svchost.exe
1616	FP_AX_CAB_INSTALLER64.exe
1012	svchost.exe
1592	DesktopLayer.exe
1848	svchost.exe
2728	svchost.exe
2532	DesktopLayer.exe
1504	svchost.exe
1608	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
2688	IEXPLORE.EXE
2620	svchost.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001662e-2.dat	upx
behavioral1/memory/2620-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2620-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2588-16-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2588-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2588-17-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2588-21-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2588-23-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/852-135-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/852-138-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2676-238-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2848-284-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px19B8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px20F8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2896.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px21F2.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px22AD.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2868.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2146.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2211.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2904.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px226F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2359.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px230B.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCF41.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px20F8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET20CA.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET20CA.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET283A.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET283A.tmp	IEXPLORE.EXE

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e09bb9291351db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003a79180cf85765499f886265e69c964500000000020000000000106600000001000020000000ee1894347030d32ec922b1d09ce335714a397afc7f75d51699c67b6862127b2a000000000e8000000002000020000000ead6ddd3c1fd96673ac4d91e485e2abfb2464a8459f1d313598ddc13ec695efa200000009e85cd80cd58542ce336e35c4277f40cebc4ea100d44b8b60332484f0d20a0c940000000e12037bd0dadcf2701bac6741516a51f54df5519cb36e063c7268dce4c40ccd3315b86b7d00993178b8ecbfc25c093841e0f8e6688562786bb688991b8c34da3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003a79180cf85765499f886265e69c964500000000020000000000106600000001000020000000aa8bc0593f54e5cf2f574647dde9e5a927b8a2d8dcc0c5ddc073e2f4ebeeb060000000000e8000000002000020000000edd9946b670bab7dfa512f5a921597252b11fc6f972f8be60403978197a6bbfe900000000bbbbbbd8b87cd69e838d573b132a0e54c020cd52243402c366c18e21cb1900de9384500da27223940acc2e695a3cbb2f0ba30d6f3b8053ffaa9d0fc8be41815eb94c991dd13a475434ed3e24e31e0f9265771bb50068f1a2d8c6530349c73d9f17feba8ff2ef5288a8ac794251df02242575d4b26bb1732fb167b6630cea8a67ea46293c9735430329b26fd998c2fa04000000007b254e0d88f73dfa013317ffb64eb1e836ba27a8515e9e292b9bc9f6722ea360dfd13ca5c08a83b30c8369b995127771f120c8e4f4fcc90d0a5f4f5826e66cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61671631-BD06-11EF-A17D-4A174794FC88} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440663925"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2588	DesktopLayer.exe
2588	DesktopLayer.exe
2588	DesktopLayer.exe
2588	DesktopLayer.exe
1924	FP_AX_CAB_INSTALLER64.exe
852	svchost.exe
852	svchost.exe
852	svchost.exe
852	svchost.exe
1628	DesktopLayer.exe
1628	DesktopLayer.exe
1628	DesktopLayer.exe
1628	DesktopLayer.exe
2368	DesktopLayer.exe
2368	DesktopLayer.exe
2368	DesktopLayer.exe
2368	DesktopLayer.exe
896	DesktopLayer.exe
2200	svchost.exe
896	DesktopLayer.exe
2200	svchost.exe
896	DesktopLayer.exe
2200	svchost.exe
896	DesktopLayer.exe
2200	svchost.exe
2548	DesktopLayer.exe
2548	DesktopLayer.exe
2548	DesktopLayer.exe
2548	DesktopLayer.exe
2676	DesktopLayer.exe
2676	DesktopLayer.exe
2676	DesktopLayer.exe
2676	DesktopLayer.exe
2848	svchost.exe
2848	svchost.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
2848	svchost.exe
2848	svchost.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
1616	FP_AX_CAB_INSTALLER64.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1848	svchost.exe
1592	DesktopLayer.exe
1848	svchost.exe
1592	DesktopLayer.exe
1848	svchost.exe
1848	svchost.exe
2532	DesktopLayer.exe
2532	DesktopLayer.exe
2532	DesktopLayer.exe
2532	DesktopLayer.exe
1608	DesktopLayer.exe
1608	DesktopLayer.exe
1608	DesktopLayer.exe
1608	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2688	IEXPLORE.EXE
Token: SeRestorePrivilege	2688	IEXPLORE.EXE
Token: SeRestorePrivilege	2688	IEXPLORE.EXE
Token: SeRestorePrivilege	2688	IEXPLORE.EXE
Token: SeRestorePrivilege	2688	IEXPLORE.EXE
Token: SeRestorePrivilege	2688	IEXPLORE.EXE
Token: SeRestorePrivilege	2688	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2496	iexplore.exe
2496	iexplore.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2496	iexplore.exe
2496	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2496	iexplore.exe
2496	iexplore.exe
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2688	2496	iexplore.exe	30
PID 2496 wrote to memory of 2688	2496	iexplore.exe	30
PID 2496 wrote to memory of 2688	2496	iexplore.exe	30
PID 2496 wrote to memory of 2688	2496	iexplore.exe	30
PID 2688 wrote to memory of 2620	2688	IEXPLORE.EXE	31
PID 2688 wrote to memory of 2620	2688	IEXPLORE.EXE	31
PID 2688 wrote to memory of 2620	2688	IEXPLORE.EXE	31
PID 2688 wrote to memory of 2620	2688	IEXPLORE.EXE	31
PID 2620 wrote to memory of 2588	2620	svchost.exe	32
PID 2620 wrote to memory of 2588	2620	svchost.exe	32
PID 2620 wrote to memory of 2588	2620	svchost.exe	32
PID 2620 wrote to memory of 2588	2620	svchost.exe	32
PID 2588 wrote to memory of 1636	2588	DesktopLayer.exe	33
PID 2588 wrote to memory of 1636	2588	DesktopLayer.exe	33
PID 2588 wrote to memory of 1636	2588	DesktopLayer.exe	33
PID 2588 wrote to memory of 1636	2588	DesktopLayer.exe	33
PID 2496 wrote to memory of 2576	2496	iexplore.exe	34
PID 2496 wrote to memory of 2576	2496	iexplore.exe	34
PID 2496 wrote to memory of 2576	2496	iexplore.exe	34
PID 2496 wrote to memory of 2576	2496	iexplore.exe	34
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 2688 wrote to memory of 1924	2688	IEXPLORE.EXE	35
PID 1924 wrote to memory of 1688	1924	FP_AX_CAB_INSTALLER64.exe	36
PID 1924 wrote to memory of 1688	1924	FP_AX_CAB_INSTALLER64.exe	36
PID 1924 wrote to memory of 1688	1924	FP_AX_CAB_INSTALLER64.exe	36
PID 1924 wrote to memory of 1688	1924	FP_AX_CAB_INSTALLER64.exe	36
PID 2496 wrote to memory of 2352	2496	iexplore.exe	37
PID 2496 wrote to memory of 2352	2496	iexplore.exe	37
PID 2496 wrote to memory of 2352	2496	iexplore.exe	37
PID 2496 wrote to memory of 2352	2496	iexplore.exe	37
PID 2688 wrote to memory of 976	2688	IEXPLORE.EXE	38
PID 2688 wrote to memory of 976	2688	IEXPLORE.EXE	38
PID 2688 wrote to memory of 976	2688	IEXPLORE.EXE	38
PID 2688 wrote to memory of 976	2688	IEXPLORE.EXE	38
PID 2688 wrote to memory of 852	2688	IEXPLORE.EXE	39
PID 2688 wrote to memory of 852	2688	IEXPLORE.EXE	39
PID 2688 wrote to memory of 852	2688	IEXPLORE.EXE	39
PID 2688 wrote to memory of 852	2688	IEXPLORE.EXE	39
PID 976 wrote to memory of 1628	976	svchost.exe	40
PID 976 wrote to memory of 1628	976	svchost.exe	40
PID 976 wrote to memory of 1628	976	svchost.exe	40
PID 976 wrote to memory of 1628	976	svchost.exe	40
PID 852 wrote to memory of 1852	852	svchost.exe	41
PID 852 wrote to memory of 1852	852	svchost.exe	41
PID 852 wrote to memory of 1852	852	svchost.exe	41
PID 852 wrote to memory of 1852	852	svchost.exe	41
PID 1628 wrote to memory of 2432	1628	DesktopLayer.exe	42
PID 1628 wrote to memory of 2432	1628	DesktopLayer.exe	42
PID 1628 wrote to memory of 2432	1628	DesktopLayer.exe	42
PID 1628 wrote to memory of 2432	1628	DesktopLayer.exe	42
PID 2688 wrote to memory of 276	2688	IEXPLORE.EXE	43
PID 2688 wrote to memory of 276	2688	IEXPLORE.EXE	43
PID 2688 wrote to memory of 276	2688	IEXPLORE.EXE	43
PID 2688 wrote to memory of 276	2688	IEXPLORE.EXE	43
PID 2496 wrote to memory of 2256	2496	iexplore.exe	44
PID 2496 wrote to memory of 2256	2496	iexplore.exe	44
PID 2496 wrote to memory of 2256	2496	iexplore.exe	44
PID 2496 wrote to memory of 2256	2496	iexplore.exe	44
PID 2496 wrote to memory of 3008	2496	iexplore.exe	45

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fa65e5ea28d7b88acce1df033e7b079f_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1636
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2432
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:276
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2724
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2840
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2072
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2728
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2548
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3048
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2668
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2676
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:444
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1704
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2192
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1660
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1012
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1708
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2536
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2728
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2532
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1588
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1504
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1608
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:406533 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:406538 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:799751 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:603148 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:1586187 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:1520655 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:7091204 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:930834 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:7418889 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
cd6b50b068e1fe219dec9a2f52ac243e

SHA1
2f5a4a07f739f28b720d6bd8fe3b1f0cfc05a7f2

SHA256
a7495df9ff136e5fcc50c1e3d597b4bc3663535e74e643b8fa338976f424af71

SHA512
e3c89133551df829821791169ac6af6f42c4f221f8a085d19af3237b58588e01b376bf5cd620c2785a61eb5725b941a7f9348ae85930dc43df25b050f4a0f594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b27a8ba6d3c3023fab9863ebdbe52a7

SHA1
47f487d1b3a0adf7425876bd0b325995dc0cde02

SHA256
4820b6e187c0540422376b4e809796fc08cde03db02363977daef24904d0ba74

SHA512
97fe65c70bfd6b2a6bd013594326417ab728b82c4582865b2883c0904d61d8761d5490352cad4ccccbce9e6282bfb754b943bf25a0be7a056abe672499cd1c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c4b0632bc55dd4a4fcce80edcb02e6e

SHA1
65a313c3ba844580e7aa719164cab06fbfbe29e9

SHA256
3f9d3469fb22ef5bfbc576262487f5eebc1a9715cb059ad770e367f308713def

SHA512
0b7fabb1f5cbd8917ff06f9d28dab42fb3043d0b1473ae60a77fbdd9aaba180590982e41625e078e8b87f29ba391a95cc5fca6bbc840b35c78500424e24b18f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a6c36a592e5534078f91e6dc57b9bfe

SHA1
144b3503c15b9131374b77a65d7df0de015b53cc

SHA256
210ffd6d564da18c568d436ef923f1ca6cc39e9db7c0be8319d0ad40ff2b33f1

SHA512
e6c405efa1452c3398eedb9d7902400167ef1d18a20e2f285b210854eaa8262f4c0a76d54e6433e9e842f3fef422dc3844ebaf0e4140b901d39d97db14bc3061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e4e263dbced2ba329b091a4ef01dec9

SHA1
f66d83911bb3e1825a48a072b0f3bac6c6a57647

SHA256
476477da31b0ab695cffc702bd452b844b38e48b256ce56b8bafb8918e90ffa8

SHA512
137d8f10b09ea5b434ee4caed40f3117578de6f3b78ddc28470680c196716c77174121f8405c35df4b38567844370d7c615c770126022a39440e2ddb5303fa9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d42019648283e9fd92a1310e964f8b0

SHA1
8fc176ec04998b9a2ffb04cc9ec653864e6ee5d7

SHA256
0a5f363feb137c56a52eb14ef957f3e1fbb7761d72ff4149ce8eb7f5f12c7708

SHA512
57a274b7a8d367d184107b675d983d71330ef234f03d69ab5e4e4bbf807fb10540306679d4098551504f534a1d32049fff21adb0ca8089e6c27b5491f6c1ce20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cb4e3fa078cc6ca485829373ee66e4c

SHA1
658124ed8fb468de5b74009bc92cea60be92aa53

SHA256
71897a63a0c9d4a99d31df9bd6e3da75329a7bf886604cd7a183d24ced19bafb

SHA512
5a5931d33d2c89726fd8cc72a6500fae8078abca575e0cd3dd5be3c9b7bf450d348c55984972cfc48d1e2bd2135ed51f9ce51bda32b9e422b2566f2a87156ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e48903119b6e533bab22766751933dc8

SHA1
33a4cdfcc465a4e0481ad4c229e2ec5f7bf433ce

SHA256
afa24c7c0282eb7e33b894f3fb3da5ee80a9cb02c2f3de2a8bbd4f6b5a847dba

SHA512
1244e517050cedd27aa435ceddc3191d2a7d857a430cdb19b2d1799ea2a022168325b15d44eee7674e061905e1018b1e92e67c9c5d4a9a01f9f2c8ebf4eb166e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b5f5826e43f36b1ccb448e1411db76d

SHA1
7e8de356084c2c7b92b5e26d376cc0be0a9e048a

SHA256
91de48f01521f931e408d0c6ceb544cecd2e4f3adce57107852081b017841f53

SHA512
a0fa7f0bc99354c3b7048f6f3c7e98c16e43dedfc4c908fc34d41b95db3928bb4e169abe1afc6be3e48825f79886899c12addb55cff703fd07e0b2fb9267b080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
378015b6553532c0e24fa1819b88e9ba

SHA1
091c8024f69111e128b2e591f3fd574d4ca8ce00

SHA256
a809bd8cad7315742923e03970ae3fe4293f3c5602626a3239e683f0b24f89d9

SHA512
3f522c96ee08c5ac76c18abb7162c9a378a4e7fdfaa2a7b18915d2fad8c9b45540404cc3117d6249b3e53d84de680e18500196060bbd79d98d25dec7edac0122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7203af110bf56be56a978df273d0028

SHA1
e07774a3f3c9e03e7bc0d14244171a68627c384d

SHA256
b05999ec8b5992fb281ac49674436fff3f404e1ef81917078c608fc295e452b7

SHA512
3075c63b1d44a019ca7ea896b794d858f2723a9937fe20b64614a261d9a3b21217e385ba3560890ecbace6a72b4e99e724236a3b8ee2755b6dea0ae36ba16ef8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c53b9d9709ff762d539eba26f34d24a

SHA1
1d4f92f1851926b3e0acbe4c8b5f3cc263455503

SHA256
9c76ebd9fe4841f2554b1ca9e45964a01d73c09908df898ccbc489bcc80a2dad

SHA512
98ee1ffea2465bac84458688c8713364671927ab56c69ac8face71563cfee98aebbc3e04c58d02c030c77d450b6ef91a8f178dbf6b4bdcefc3bf135929f059b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3f0f3d409cb0cff86a418a184367b5a

SHA1
216ad3be393f773a61cebea258cd3a2f2d7f3ec4

SHA256
9f8a8d22b99a65c1588998b235eb2086a2656f7e455ce1ca6c4af6bb892dbba8

SHA512
9debf7b25ecc2b704b015dbc80993a14286fc49cdeb68088d2e59154511ec8f0034214a50e3c797a719fe5ffde7741838c587f4dba77512f9ebabb5e96dbd145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90a512ca31cb5cdb0ebb1e9e64532f6

SHA1
22c2729538834631aae698764b61ba65e128059d

SHA256
3d7166d9635919df2289cc6dc35011cbcf54b7a3e2ee9923018b19e6a280eaa0

SHA512
05d3e88b7d6fbd52a8ed37a303b29dd77d0df095945fbcf71b179af364c3c1f45f319dddc984eef05a8abbcf69779d0e932cfdb1385cd46fea43159dc3884cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28fffde9d73ae8421d9c4542ba511497

SHA1
c0de1f386a553c7163f4aed55029c03d2c787633

SHA256
3d34249e8edb0a058f9ae4760beb42417526565476f8db9552e8d3f96604a4e9

SHA512
c7c896ae5068e3969e2147577979384009304baf50741e76b23fbfc854de4f2c6d15a9bb730da659c787110d69077b835128b5101904a2cef5ad3765590230bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
883450c2c524f4b392549a254e6ec94b

SHA1
e7290ac9b4cba712e408b9f148f11fd8d5319fbd

SHA256
a8f7127eea0b5fff684dfe7f955e0ce2da5f5af59d28041b26b8fd3ccd35327e

SHA512
2730ef9421f2628b468164a3ab6553ed5a019d1e5089e1c6da497cd1764078e431862fa43f692a79b49d50713a7f7fb406e8c6be19de364f784336ccdc076cd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02fef6b48961452ded4d9171808b8bcc

SHA1
6129ed6134953377d7f0888bd1aa3788c5a62657

SHA256
289a90720bdf0fea5560d4ea42bdd58ff108f977ee36c4a8d10a8cbd2647022d

SHA512
f1a021b7398551c8a4cef10723645ff5a73294b423fec7f00111ee201ef695cc7bc4a872d9d9d4fb923460e587e6f8d6e0a166243734c8af12ed02d8c6931962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f32d8765e44e8248a6c0c8e01975c647

SHA1
be612db1ff0473bd4e1a5a303721e9d0dc7a86b9

SHA256
6f67232180d2a520b148b8213213348851439d42ac33d18ac8bc4bfe5607066f

SHA512
df6d476f96213c7c80f26312cd560fe98276ddce9b8a16310fce957b41ec33849b43432cc314e1b99c2bd72f3156f48490f2dd6f1cdbc579a463d50a091e1d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f691e20e46a9ecdb538f4813245e871

SHA1
56f3c84436a3d7ec23e5e54eb89c8ffe21858455

SHA256
f14cfa814b84e664720500650e8f82164e3a487a7a1d854409aea4d5c7d74fc7

SHA512
3bcbf53b74443de7e517771258555cc255fe304946cab99deeffa09b7b9e06f46eeb88f22d61d37f403db35b5a3e5a0aa6057234724b478502e1b91373163d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ef27f97694def18c331163b6458820b

SHA1
a4d6c05f6bde629de3f9d7419bd4eb728c4fb4ff

SHA256
9ea6f3f973a584ece03deddb6edfa4034abc727f29ec434e5b8992ddbde00051

SHA512
1581ea46e83cf532e1aafbb5705e7bf668e83b9feeaf81a2acae32c0d949063440bd25d5eb0161e13e1beaf43db16ff3bf4482fee6798b78558de2bd1a61b075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e7b37ec939c18991383c2e4467c233b

SHA1
01dc4f062bddff224d66325587d047400270a7dd

SHA256
302228b00005d1aa0f8f2a776c901827cb6e4cc5375b30dec62ee22b26f98e48

SHA512
97c775225adb3575abccd0cd40cfffeb48ff5b8b31311bcfc99665e41485ce8e78f262d2bbe8d97e1d45982130e3e7d364a6610fe3700edc2d206351742498d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe7734343359047477e830f75475c510

SHA1
3cb4326491a84341daab793e5c3101e0b75c9c23

SHA256
d0a2c6576b10338505fa2710e52c15a2120f2fcabff692bad47a99a5e15cb8e4

SHA512
69d6c96f01172e307ed37f2cff9eeac5f9956f2e39c33216be068f4fa11752832ab186d2a12193a09c61d279f079f7503acab845c9cc4363c113b31d523187bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b77974b2959ada611ce655222cbb5953

SHA1
f68677924d59878c8f2105d503a8d68f3e4ecf78

SHA256
8373f07c1a59008b4fae82535f97695b523613a2ea4a441148acd950ad302ffe

SHA512
9d20de65528637cff985aa1490333be23277a942d4e073dc6c9a93899231824b19c587906188c8402aeeac84e2dff75541a1e907e1fc2a0e6f8d647bfa0ca253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b6950cf32aa936fb5b7b8e397e67f6b

SHA1
ea3458cac1bf99bfabbc69a866bac53429a2540e

SHA256
0f938f2c281a3da17d8bc702ef42ad2019f8c4db0f556d61787fb0366b5d39e9

SHA512
f3cfd428201800114c2a8140bfa33cf60bf5b2935772188795ca0e702ec1842ab6f9d5536f24300a306d6c78446552fa1e6461f07d6314f0be7065ce6d1d23c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0fe75a65d86145993ca6761384137f5

SHA1
a557753b65ff6b0eabcca5c4b2ee6ad96dbc5440

SHA256
206d9fbd0da81f27eefe800155b297220d637c93f2819c1fddb19497c63606a4

SHA512
da1a598eccded1dbdfdab93f98515738fb1a3622bc29e30eaad6d0f261d62e1a12c16aee503ede9777f63a4a243ad3ba99db1cfc8168ac285e9386612557e8a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
614103f322a50563079a1b5de6da7eff

SHA1
695a30894275941ff7f52192d7320edf72b6fbff

SHA256
ffa27582ac90ecfc2ee396c8cd95ced4c4051eded2bd33becbfeea4ad8b36f78

SHA512
39993e46cad45e368ca07a53c6e63d1c5a644c404bc0529b3252531a5275f6ef859b71e1d9e11f19f220ebf65db2f79376d8b4bb6b4c5be7484cc52577883108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C49.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1CB9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/852-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/852-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/896-212-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1592-814-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2532-825-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2548-225-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2588-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2588-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-7-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2620-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-285-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2848-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download