ramnit | 0f06733a7017f20e177d2aacbcdc2a30edf8eac0a04570f67a4be2a95db603e4

Analysis

max time kernel
124s
max time network
136s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc966d05a5f7af4601a083ec9b83e99c_JaffaCakes118.html
Size

2.3MB
MD5

fc966d05a5f7af4601a083ec9b83e99c
SHA1

e4be1cadb2b2acc04c61e7e1711d0cf7dc1af514
SHA256

0f06733a7017f20e177d2aacbcdc2a30edf8eac0a04570f67a4be2a95db603e4
SHA512

b30da0b4f6a0427223161c39c2888134ae6a4da67b8230f595cd411c6ff8aac0e065301ee04fafb218abc7390412968cc138c0eb9f14a1e288db825afec04575
SSDEEP

24576:2+Wt9BJ+Wt9Bq+Wt9B8+Wt9BX+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+Wv:P

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 26 IoCs

pid	Process
2768	svchost.exe
2920	DesktopLayer.exe
3004	FP_AX_CAB_INSTALLER64.exe
2440	svchost.exe
1980	DesktopLayer.exe
1160	svchost.exe
1036	svchost.exe
1932	DesktopLayer.exe
1892	svchost.exe
2520	DesktopLayer.exe
288	svchost.exe
896	DesktopLayer.exe
936	svchost.exe
2924	svchost.exe
2824	DesktopLayer.exe
2316	svchost.exe
2660	DesktopLayer.exe
2120	svchost.exe
2368	FP_AX_CAB_INSTALLER64.exe
1652	svchost.exe
1148	svchost.exe
2436	DesktopLayer.exe
1620	svchost.exe
1720	DesktopLayer.exe
4556	svchost.exe
4584	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
2076	IEXPLORE.EXE
2768	svchost.exe
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000170f8-2.dat	upx
behavioral1/memory/2768-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2768-9-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2920-20-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1160-137-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1980-130-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1036-141-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1932-149-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/936-192-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px32C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px426.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD78.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFFE2.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE24.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px399.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD1B.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB358.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE0ED.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFEE8.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1D5.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFEAA.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px280.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px483.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETFE0E.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETFE0E.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETC61.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETC61.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB49D011-BD6A-11EF-B666-DEF96DC0BBD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB6D84B1-BD6A-11EF-B666-DEF96DC0BBD1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CCD03191-BD6A-11EF-B666-DEF96DC0BBD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
3004	FP_AX_CAB_INSTALLER64.exe
1980	DesktopLayer.exe
1980	DesktopLayer.exe
1980	DesktopLayer.exe
1980	DesktopLayer.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1932	DesktopLayer.exe
1932	DesktopLayer.exe
1932	DesktopLayer.exe
1932	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe
896	DesktopLayer.exe
896	DesktopLayer.exe
896	DesktopLayer.exe
896	DesktopLayer.exe
2824	DesktopLayer.exe
2924	svchost.exe
2824	DesktopLayer.exe
2924	svchost.exe
2824	DesktopLayer.exe
2924	svchost.exe
2824	DesktopLayer.exe
2924	svchost.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2120	svchost.exe
2120	svchost.exe
2660	DesktopLayer.exe
2120	svchost.exe
2660	DesktopLayer.exe
2120	svchost.exe
2368	FP_AX_CAB_INSTALLER64.exe
2436	DesktopLayer.exe
1148	svchost.exe
2436	DesktopLayer.exe
1148	svchost.exe
1148	svchost.exe
2436	DesktopLayer.exe
1148	svchost.exe
2436	DesktopLayer.exe
1720	DesktopLayer.exe
1720	DesktopLayer.exe
1720	DesktopLayer.exe
1720	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe
4584	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2076	IEXPLORE.EXE
Token: SeRestorePrivilege	2076	IEXPLORE.EXE
Token: SeRestorePrivilege	2076	IEXPLORE.EXE
Token: SeRestorePrivilege	2076	IEXPLORE.EXE
Token: SeRestorePrivilege	2076	IEXPLORE.EXE
Token: SeRestorePrivilege	2076	IEXPLORE.EXE
Token: SeRestorePrivilege	2076	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2808	iexplore.exe
532	iexplore.exe
1196	iexplore.exe
1712	iexplore.exe
1456	iexplore.exe
1892	iexplore.exe
2876	iexplore.exe
2544	iexplore.exe
2556	iexplore.exe
2188	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2188	iexplore.exe
2188	iexplore.exe
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2188	iexplore.exe
2188	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2188	iexplore.exe
2188	iexplore.exe
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2328	IEXPLORE.EXE
2328	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
2328	IEXPLORE.EXE
2328	IEXPLORE.EXE
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2188	iexplore.exe
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2808	iexplore.exe
2808	iexplore.exe
1712	iexplore.exe
1712	iexplore.exe
532	iexplore.exe
532	iexplore.exe
1456	iexplore.exe
1456	iexplore.exe
1196	iexplore.exe
1196	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
1892	iexplore.exe
1892	iexplore.exe
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2076	2188	iexplore.exe	30
PID 2188 wrote to memory of 2076	2188	iexplore.exe	30
PID 2188 wrote to memory of 2076	2188	iexplore.exe	30
PID 2188 wrote to memory of 2076	2188	iexplore.exe	30
PID 2076 wrote to memory of 2768	2076	IEXPLORE.EXE	31
PID 2076 wrote to memory of 2768	2076	IEXPLORE.EXE	31
PID 2076 wrote to memory of 2768	2076	IEXPLORE.EXE	31
PID 2076 wrote to memory of 2768	2076	IEXPLORE.EXE	31
PID 2768 wrote to memory of 2920	2768	svchost.exe	32
PID 2768 wrote to memory of 2920	2768	svchost.exe	32
PID 2768 wrote to memory of 2920	2768	svchost.exe	32
PID 2768 wrote to memory of 2920	2768	svchost.exe	32
PID 2920 wrote to memory of 3056	2920	DesktopLayer.exe	33
PID 2920 wrote to memory of 3056	2920	DesktopLayer.exe	33
PID 2920 wrote to memory of 3056	2920	DesktopLayer.exe	33
PID 2920 wrote to memory of 3056	2920	DesktopLayer.exe	33
PID 2188 wrote to memory of 2840	2188	iexplore.exe	34
PID 2188 wrote to memory of 2840	2188	iexplore.exe	34
PID 2188 wrote to memory of 2840	2188	iexplore.exe	34
PID 2188 wrote to memory of 2840	2188	iexplore.exe	34
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 2076 wrote to memory of 3004	2076	IEXPLORE.EXE	37
PID 3004 wrote to memory of 2264	3004	FP_AX_CAB_INSTALLER64.exe	38
PID 3004 wrote to memory of 2264	3004	FP_AX_CAB_INSTALLER64.exe	38
PID 3004 wrote to memory of 2264	3004	FP_AX_CAB_INSTALLER64.exe	38
PID 3004 wrote to memory of 2264	3004	FP_AX_CAB_INSTALLER64.exe	38
PID 2188 wrote to memory of 1696	2188	iexplore.exe	39
PID 2188 wrote to memory of 1696	2188	iexplore.exe	39
PID 2188 wrote to memory of 1696	2188	iexplore.exe	39
PID 2188 wrote to memory of 1696	2188	iexplore.exe	39
PID 2076 wrote to memory of 2440	2076	IEXPLORE.EXE	40
PID 2076 wrote to memory of 2440	2076	IEXPLORE.EXE	40
PID 2076 wrote to memory of 2440	2076	IEXPLORE.EXE	40
PID 2076 wrote to memory of 2440	2076	IEXPLORE.EXE	40
PID 2440 wrote to memory of 1980	2440	svchost.exe	41
PID 2440 wrote to memory of 1980	2440	svchost.exe	41
PID 2440 wrote to memory of 1980	2440	svchost.exe	41
PID 2440 wrote to memory of 1980	2440	svchost.exe	41
PID 2076 wrote to memory of 1160	2076	IEXPLORE.EXE	42
PID 2076 wrote to memory of 1160	2076	IEXPLORE.EXE	42
PID 2076 wrote to memory of 1160	2076	IEXPLORE.EXE	42
PID 2076 wrote to memory of 1160	2076	IEXPLORE.EXE	42
PID 1980 wrote to memory of 940	1980	DesktopLayer.exe	43
PID 1980 wrote to memory of 940	1980	DesktopLayer.exe	43
PID 1980 wrote to memory of 940	1980	DesktopLayer.exe	43
PID 1980 wrote to memory of 940	1980	DesktopLayer.exe	43
PID 1160 wrote to memory of 1552	1160	svchost.exe	44
PID 1160 wrote to memory of 1552	1160	svchost.exe	44
PID 1160 wrote to memory of 1552	1160	svchost.exe	44
PID 1160 wrote to memory of 1552	1160	svchost.exe	44
PID 2188 wrote to memory of 2328	2188	iexplore.exe	45
PID 2188 wrote to memory of 2328	2188	iexplore.exe	45
PID 2188 wrote to memory of 2328	2188	iexplore.exe	45
PID 2188 wrote to memory of 2328	2188	iexplore.exe	45
PID 2076 wrote to memory of 1036	2076	IEXPLORE.EXE	46
PID 2076 wrote to memory of 1036	2076	IEXPLORE.EXE	46
PID 2076 wrote to memory of 1036	2076	IEXPLORE.EXE	46
PID 2076 wrote to memory of 1036	2076	IEXPLORE.EXE	46
PID 2188 wrote to memory of 1028	2188	iexplore.exe	47

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fc966d05a5f7af4601a083ec9b83e99c_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3056
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:940
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1036
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1932
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:640
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1892
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2520
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1016
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:288
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2808
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:936
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2824
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1712
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:532
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2316
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2660
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1196
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1456
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1892
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2524
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1652
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2436
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2556
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      PID:2544
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1620
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        
        PID:2876
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4556
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275463 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275471 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1696
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:406545 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:865286 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6909c24502a5a8ea6da86678fb589da3

SHA1
96884fb27678ea8debadace36229cdaf4e55610e

SHA256
c40a00f202a0ed7b69e9eb817a3584a6d5775aabe00d78fcf47fe3caa0c3a070

SHA512
1822c736a015866131db8855e6e081849602808681f267e81e0dd93a16a8668175b83b91b81887e65902bced3dcef86bb4835d1ae10ec3c3d46650afabef44e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15e01d7ae335c49217967e0ce33aab75

SHA1
a1925abecc6d641399c639bbf3f36599313257f5

SHA256
93625f8de3e509009cac9d9c2a5e12cb6c4729dde04d7b880cdc54fbbeb1bd15

SHA512
9180d7e3319264d84bdf90a0a16c7b2a7e343696c627790391720772b2c9c24a52a180f75594f82ff346911ce7d9978438af5f72ab911b5f31ab57c3cde38b6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
059255e72180e01c366df65be9cfd8e9

SHA1
e43f3ee64947034208002a88b9164576ec66465c

SHA256
c26c6bf0c930830eae390148242697ee97177dba98994bb23dfad16184ed9dbc

SHA512
24bb054e63aa95c86c196398746de7c5be34d1256c0fd3e02ee2f3343444bf7862531d74a9ea6f2c9a32f7f58269ad6930a023a8c05b16f5fd2cce85f0a75a08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73a592ce3cc267e9cb013000bea021eb

SHA1
68eca246127d596d7e9d9cdf068b3ecaefd674b7

SHA256
fc249a92fcdf1f51f68e1af49c900b33af8582485c32c05504ca78fb44af4c58

SHA512
9db19a768bb1cf641829e63beeb7db606026814dd6fe713f8ad62782e47e531da463c35f17784c32af5df964f1b676513e355c8dbaf2e4129393ee37c45238d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70e7e8c21aec4324d6e41159af30b15d

SHA1
35cc30697a8ee7d636378062146d45813ebd3d0c

SHA256
960622b3a8f61992998cbc56adb2ef89c719caa0a804344b2cfc7feadd9f8913

SHA512
45945dcdfbdef22524e96fa4594f79199d41f74c3fff1d0aae5af2a6dd15b1a380c1de4e45ca235dc297e96af1feb6c4c1d38f8046e5f8326e93b2a2b11a6207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34fbfa20c218c557eeac198e51a30191

SHA1
491b6c99838453140f8d3e3cbd5657367fbc5379

SHA256
f711e8c0b3f9e16919ff8f6420a9ec601a0134b81e2a2cdc9c77f282cd67a9a8

SHA512
35e53862fcfbffa3ae28b3f50be696a6579658a49976084241b768d837845a6221c3d81949b80e81697e5b9a37b5e486639185597d8ed101d0029794717dc962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86e9eeeea29d4cae82974e022d7dbf13

SHA1
04be31eb792ea3a434c49456a1a230663cbef195

SHA256
93da1cd99afc2445d5215d467bd3c1aab033df586fdef822d11a658f7d9187ec

SHA512
d51c1cb32d2d4dfbdeacc39cdb2fba84bd529df761ffa6e8f9ad26aa130358af7b36dd806acba17ae53cbccc81823b5e6efbe4f498a4547dde4a84ce73fe092e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d64c514973e23a25bbb13a044acd819a

SHA1
7b1d8800e7aed5fe6b06a23a49746a7bb695f6d4

SHA256
3b7ec3313c34d4f03dd7fd6c16dff14b96aeac8310ed3e6ac30d343c8dc663d0

SHA512
b77f6c3037b66ac3615866dbbca0d7b854c28b67e497b310f2d3b8cadd7f17a53e59d99edddba34f2f715cdaa858d9fa6af5ef1b6cba1dcb631d1a943e4d54a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e1a09ebdb5ab55c1b2af7d7f207ff08

SHA1
7514f040e70dabcd8ea438e2f8311e0f6c0715b2

SHA256
f8d2a20a9bf2346284ec5ca155fdd09539ac12bf647bfe79b74efc7892f0832a

SHA512
1c9d93497dc5351bd6c0e132320235b22c3da62196c4e4885fa0925d3edeb1fa75d15238de66e0b4ff95215c85a71cd8d1896cdef23354ab9ec3798ce33aab7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df01318cf35e80a08b76ffed81bff226

SHA1
293b1f432b7ef2ffb1d443b9459809811e4e812e

SHA256
971a297d9be05110c523001d153e7b86daaeb6d8869d7484c878ffcca7d459c6

SHA512
b67b0a5bbe00ee10d9415dba0f5caa59031e94f23a8f60add7a7042e9444a331a7b0f1251029bca04b128e5d4756fe79d1a11d74409c96904f1a126355df4eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50aa0f1265c214adc3dfa7fd8ab43437

SHA1
a82356f05423d2541382fda17569b78a0305ddff

SHA256
e4a821848a772de56fd3ef1f55cd21c07cf1f19d025baf39294313e30b2051b2

SHA512
cebf47404957f18a113d0714d945ba458ea95617a254145f57cfb6449a661239be5bf00336101469e6156622d947d0208f5b53f6fa691fba6a0d176b42a530d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d189b655c29ea18634b99fd3584f7420

SHA1
b6a360248a01cad855795586d1db302b0ca8e91b

SHA256
2887f1b7f2b1144888ef47378dae041ceb82f3d0bcbf217601eb95d919b228b3

SHA512
917ed31ebfd1e2b18e3ad3014294a8c22f0d0e36219f1a6d9eee3684d28e6f067c529925f652c350143f437e793ca47c75882b6518f99571047cd99bcfae6756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73f37cffa4a8ea98249f13c80d0f0645

SHA1
ecddf51796fd8547ea413440c96b0c1310e7e8d3

SHA256
1bbcf53accc4e21a9e5c63553f2d5a37b3a921434d299c51faf38ce5012c55d2

SHA512
a873eeec1c8868440bf2d802dcc683fb2a9cf18ba325c5aea82dd9aae9f9f625c82c8db2a12ef7e5cb2ac82b844b5fe89cecc239fdd5aef90a4ed64b110967a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68d0041d498dfd19a1c33aef0cc92c77

SHA1
df752a1e2f1dcbdf467605682db14ae150788e0b

SHA256
9f3bf5bd8e1916643f50f6992373dc562a0189114a34ecd7ea206648ba2af17a

SHA512
73d57aea1e97678822587720323a8aa22caa06d7f43fc6cd7d03a18481c9224c3ad9bb958e3dcbfb75dac41141cf65a89122e3b57c9afd25d2ef2633649135a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f708a5f02cc0cc7d6ee3772d2cd0a37

SHA1
f439caf02bd0ad9d4bbab63cc3afc5b80012cee5

SHA256
d006de91ac3425c01d82490dd3ae4ed3f401e6d0905cd709a15f41d379a7a12a

SHA512
dbb024f6c579d582bcf19c88795e58fea982d77b47febdef12cfea01e72b4673c5c06b72c8b1e6e777059dd0826a95fb013b4c31876fc556cbcd77fdb6fdbdd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fded82b3cadc7f67466434abfa99910a

SHA1
afa25e59fb8b40c86abf0b33a4a9f609a7ab9d1f

SHA256
b95d7287bcb2b3e507c0c98b28ffbdb477e8c9a647a8e73b5816ab2b3136cb8e

SHA512
3c253b6af18b247b2ae9d6e8fbed73d1d2ba81e1e66f34ef887f64235c80f73d3519b361538685adb36b69a6b33ee31e6240e43578181564dd04e3c44cab08b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
997a9a3d4d6dc82ca2c564ed6aa6873a

SHA1
83179193ca9a6abd9633c77a47d1ae526bbbecf8

SHA256
6a554da8d4267015a2b6f54bcebf3c216caea5cd429ee883e73fe05b8f2ae761

SHA512
019195c43879dab7e07b8f187ea160a6e184c55a40e34c0f8179902cf8421021c984cfd9b30e7dcce9887475d95037203331a8446e9a7a208bb53b3ba3391050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a24ae309814e7d68d6cb78703e07e068

SHA1
a9482df97a24d2b641e13daa88c22bf90f4d1157

SHA256
47446240e82b5cbdcfc7419efbf2dcae05e275221fd8164c20c6549114043772

SHA512
7236c22346ec64719cf621bb2116dd643b4585f7ccb04a81d87553fb92923b8ef789129ad003a44600b9f2435c2cc2611025e27d9f0d639cc79a8b7e14e1ccdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ec498127e9ddd1fc5897ef96b5078d5

SHA1
347decd8640d93f79c728f05e8c8f36421432ee3

SHA256
9fd0d1e839cdb600009bb01366ba9fd61c47ecb4898d1a31ce6453bb08476518

SHA512
4bb9525ef9e293db7550aa173c0e988e511dcb48add717678a23cb6fee8ef073c09f18f787714af54437c6069c8ad46a461497922ef03bfd4508b479d2b82a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a39d9b25727814a8cae33feaf473001

SHA1
6191922d32a160bd43ba5f48647a7863af5f321e

SHA256
d02fe6f1cc2bd510769d6f74feff2d0d88b48327862daeb5b09bb302dbabee9d

SHA512
88edbab1fae7c972db6597e0050e59dade366ba4648415f91f4e113f3c02d5c5b432b51d02f78c40e81d41b428ca25ba003f09bf49e3be236a6abc5cf5f027af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f47ffcc0229a57854b931f73a316377d

SHA1
5a926461ab1a1432600adc9711b693ebe88f3606

SHA256
4968d9bec294d7f71070301ddb898ab25af7ff5c3ae7a1b269ae9a3d69f4e662

SHA512
a7d38a46c33ba96ec5af5d81f13802c4d77503deb43b026ad7e9875054e7dad9419ab23247d3d7cea080209f6e62e5fbb578f00461238ceb9230c68f50135ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d13af7c8559c68490455632461a98b9c

SHA1
d73e3406977e8bd1a200a38734e743e7263f7291

SHA256
9189103ca113cbd368b004316401ccc4decb570c524bc8ffe710d8eddb991978

SHA512
80e370bfe6c38d76d7c9bcaed0d13be349f794d28b7681f430d6767e019252270458e7221fa496b78de273bc14897aed6f6a0f7a534bb11411e6786e9da9aaa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a18f4092f80f2cb6368ba132c72c136

SHA1
20c304ee6cdfbce46ceb2fbeb8a9378d04e24e57

SHA256
7856dbf6fe51b3d47ac176ba2194c7140cf9832ac609d9e7c59840dcea9c2744

SHA512
6b06baae262b6c7bee5302a17af4a33339367d489ac72957fcd86c976963dcc1e733040f151e3a4cc9387233d8e60e01c2da66c478d99c058205d220e33da41e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54efe605d7d04a56da37ea5db9d025ec

SHA1
48a97571edc0d2211bd9c23637e3775cda5c54d6

SHA256
ff6fa6f7cfa6ca9b2ba26b73c9f961a9748bab23c8bc761f395315f3352d4d4b

SHA512
07efddeedb472bb25efd92de14997b4b02da9e7df3ea4040d4963de79f3c4f7b51db45277412e3b637f023ed040e99bfe9ce75d141dd8ead0272150a88633754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30888caa5007f76e319fc92e42b04042

SHA1
932d9425f6de52c7fd0d25fc85a8bb1588ebf9b4

SHA256
8b05a8745e071806583825873ef05118800264e9518825db1969f7fb965f92a2

SHA512
9f39efd6374ab42d3ba5f653c99162be114cb520915c72bf8bce0e1608ae0a7608cd5911ce8d2c435433ee6b9c650a8a394e55fa00a9d009da4d71541ce5dd33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b747eb6b4b8ffca328e80f318d05b0f9

SHA1
a094b100fb56a8f3fe37e525a30a03747f1113d8

SHA256
6039ae7e8cc0349deb50074dcb3182d744967829b426f8d6ebf0e8a8f3b00193

SHA512
0c418cf1d011e547b9a840bca6f34c2f91f8468375da4bc41e1e5c6e523adaa3789823c8f19b209143be24bc458e1d2db77f5e5fef1cdac1c50c9ff3c1280ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89e5e1977f92f76b4a38db516068df32

SHA1
abf06e0474e79aad9840b504900f3b347faef18e

SHA256
ea9517259c7d07a9c0b65e420cc5e7937a60db24cad143be8c8757fb22c46b55

SHA512
3444fec48b28f41535f87cbdba7a600e7ee43c3b0c24e3953249e4d89166b47e4dfe116ed375b30bcdde0eb9c6aac30d813541dda7e952833a99fd3f9dc339db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e90add990528379cfb31e2e5f87b0114

SHA1
bfd62a0e08e462eb120026736ae3b10662fe3723

SHA256
98087252c8a19db0768650e62316b0ca30f6afd9e2e75ccffb488166445c744a

SHA512
0b4df3650a4a6504660b77e2c31828377393da33c08b37f6b6b43655f76a5e37b4c7f83dc30baa879bff4cb4ccd7a607dd21090943e770cc99843249e14f9b93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe5d0fe5df262e26139034a92aa77ce5

SHA1
065f2cceb66879a6a4bdfddc153da46c4c31ce24

SHA256
817e6fb78b1555ed65d4fb1b4ff4237ee404d387e0edc14b40c0b9334204253c

SHA512
622451801477074256ad5b42909862d68478a939e383b57e75be77f3fbfd1fd2363785ed90be3cf67e9abbb028a5d7d79673a5a2914effb4913fbe199144b6fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18c7851678ea4e8d0385a1f83795ebb7

SHA1
6bc15f3d2387fb2bf7fd9e3894fc749676fb160f

SHA256
dbaa4330a63e1686134b5ded7afbec6e624b0689583e87c84f64ea95ef5710d8

SHA512
bb99ddab7954096d55a1087ab2c345e425a9c56049fbdc7d2af9b6048a6a8ac9b3a40634886dc5a33045106310e066f4bfc792f1b80bc5a854eab6ec08fb093b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6fe818584dc0bc9c686a81f3ceb9ba9

SHA1
6368ad1b3ba76b59c6c56882f1b40496da0c79a1

SHA256
e93c40b91a3ec67b8fc139086f471957995222bd18e7b8531ef23f815b7be684

SHA512
b1acb71dc67b304375b0d23d0742686a734297452134a4b22e3d6bce0f0de1d503932a1b697d2bedb45fa954a1fa31820de0343b65b26b19a3a14a8d0f652845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3859ea4fadc7f64a2e9f42117cdfd5c4

SHA1
9baaec35ac0f12216e6aef95cf33673509e015c0

SHA256
8034b66b44e7d6647b94c4674a702bedfe9b5d3c071637f906a8cf389875504f

SHA512
1c3a5ece9f5ad0e48d42cb9fa718cfa9ce058460239a9e67cdfedaa1e43b0abeb94531c98f0b91e4443a4b7f5c25b9920987d839f4bda3a7c24c320e5823e565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7082fc5e0ca68f5cd3d102f6323ecf99

SHA1
3868661d230efdcbf355110ed386fbd4758fc3eb

SHA256
ab85d1dc0b69fd7bc23ab4be8fd8124017cae9d1a9ff24e20e3a48b1b3f81407

SHA512
2f9b4f11aa1e041ce21091ee4e4b619965be7c584bc2de8f803d148a602868f69bffe70e5d9c7f846fe81ec2642b2b74c302c9ad45ab9c021edcbdae183a2ed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4b1ded49b1844821a37875a81dda027

SHA1
5a0ae33f1a6cd26cb1a89a91eb725f1325206325

SHA256
a610b7df4f03d5be0da828022710b0f222130eca108cf30f826808984997fbfe

SHA512
4c70e4bb0dbf5c4d79667cba9dfa2002e80a2ed261eb64a7054f72a828c6d478c3ca5209524e4b3c954b218084067684608b7c6d0607d40a986dbb5a9ef93e6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c06bdb2a15a4f37e18165b9f302e8047

SHA1
364554711db09e0c5eec4b90458ee9e9fdf8df58

SHA256
0507a4664c30688c7ecbadaeeeaa290b1ce5556c91ddc8dbd6f425eca17011ee

SHA512
662dd44812531f990255f2df200b089e3ba8406248f12084e03879a9b16f9f08138d008f220acbbf7d61085ef997f5e18fe5cf1c8a4900c6a52a629a95d09d4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8829754830ae833f82e1abadaa42a724

SHA1
d575cd1c05234caa9389d78a66fa7af2b83e4267

SHA256
6cdc99154b615d69c1bf84f81b5f326d399008b7f2713ffeda80c7e6e994616a

SHA512
5f57260f8d81ea5deaf51c34efc7cc6459200be96aafbe97c0b60acda8ac69a0eab42879f37a814cc64a7fd25a0667d4fd6368a8e74caa1dcf461d306f7cec47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf2ef795cbc242ef309a386fd9ea13e

SHA1
b1ab4d7579f096be45e344cb6e0ad81da1a306ff

SHA256
775dd4c5725e91021d5344fa2b138c9a225e4b1a593d14714e646308acb36e19

SHA512
1908033c79004e5f4b0b77f098ae15215a0a555a78dfb5da4d4a7d48f6cd2be8e7ab412dd2be6aaf7c8e7e519425a4a5c8bc5f27227a6b6c1a1b9c0f76647817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d4272563f714620d8e30667603521de

SHA1
fe3f10d8e698fdde585b152fd8defa20b0328382

SHA256
8aaacc8201f90777029ba3324ab8d074ba27870ca89e5303805f1a598d6a56ab

SHA512
4d7748eca74cf9975272a280734cde6a4f41ad1d8037cb9f7a56edf8c23203872d06e480fc73cae11f3c488baaa7c977dbe0fad6e3020d8d92747cdd50457fce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5dec78be54ce03ef8d485b47eb5b70b6

SHA1
b36eb34b09956a772087b3016447aa7f9276f60a

SHA256
cc472c5a04bcb16b1e68a049a59b0fca6edda81339c0681f995a63c65aea9a51

SHA512
183ba9dc679640ce22aafe040afbead00c75624f7b4b31b1fe8681bc5ff76122b39300f8017c3b17a034254ee16756818a362b8fe80b0134316c14c63feb3f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB261B71-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
5KB

MD5
5aa029d9a34d63687f404835fc7150c7

SHA1
6bd38f9c7355faa059a503de090c798bbec5d53e

SHA256
3352f699976993bdf12bd2590aee65dadc4d000d91a7732fd88e7502e3ca2016

SHA512
84e50880fc392877876a941be603013d87eb959939f974b9f6d26cc6ba0018bb7d785a43eceb9bfd96ca251dc3aa48b541df21028441decee31cf1b6738f04e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB42ABF1-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
5KB

MD5
0c22deb2ec4408a5c74cf650a8785b3c

SHA1
63a451b5d370d42634794efaf5a71f41aea9a393

SHA256
b1736166ddfd17f864c21c896b6a6f5ad6446d055dc839830e0e9550988e1b15

SHA512
1549a77464a2fa85628235d23a691db8e988f3ca5514d6b26eef8b5856d82c15219f55db43f5152fa272cc23d8274e55032b3da12924b994052ea39cd4564fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB6B2351-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
3KB

MD5
46017b01230343d66527d7d6a27a81d5

SHA1
f238a2be5e447b7504aadebed8594eab1acecb21

SHA256
1fdfa8359a6053a912d4216001bf542dfaeb06caeab1578696490cba9e9690fc

SHA512
0f0c5f3ffad68791522950245537bf185a6c3ae3fdbf8de6a218b9151a6ba0c44cffcdc9e8db109a079493a84258a31626e1154988c4b1985c9d5df5bb30d478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB6D84B1-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
5KB

MD5
ec7cf4bdb5411b2c482aa6203252d83f

SHA1
72f41ee031a3e3dbfbcc80f63d5cea851d8315c5

SHA256
62949e4dab9abdf14743c8ca44aaa089636c3d733eba5517b648e984bb30d9c5

SHA512
8c05675c2254075eac5772fba78ce6d4d1f8c6eaa31de190aeb9c21c1942c6e5e730bb54108c011fc8d60faaab0c18d27baa2a594c851ad63f3aab2ae0136604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CC5208B1-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
5KB

MD5
834b0d280a7d53ac2d26e13fb60e5a4e

SHA1
c72f2ef7615d6b26a38c5074c48087103f55d38a

SHA256
4fab0a1e3c217969362c86053bd4beff3a59ed2dca77d9efe407ae56f1b85577

SHA512
c0e308392cac00034860ae04a61fbbe11e480e58c312ac014327007f785480172d45936c37e139d60fe3d0147c2db45454696da97d701b0b6196d12224797fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCD03191-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
3KB

MD5
aa0277915346d45f3a0634216b7bffa1

SHA1
0e76cf040e3f041741172e5022888ce6c1a74204

SHA256
0b530926670c93240b5eba9e2baece116006448b26ab3032c9017f934b4ad4f6

SHA512
48cc68713f714d379e6d1e5e9ea6d2d4ed836f3746afe59806448b3807b6054dad63f6919e89b28b4f2119272783ddd489d72fd5c18986bd3531cde3f74bb0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCD03191-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
5KB

MD5
b778dc273c05ff74ecd20a47db0a80f5

SHA1
2d94d422c09030ffaea1dad8c74a7f7c3a995c1f

SHA256
7ff1bcaf74c8ce49a3a8e82c692b9c64b4b68c877b5d13191019684a4e2b8425

SHA512
c4d7e4776cd00639e423c8fb8dd66f8729fe3de35c3c0722549dfc094353a7ecb9be0e0ee3e3a1cac87375450887734db2f5fcd04c5530c8d6c106f0416056a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCD058A1-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
3KB

MD5
4b20d6331d647c300963a16f25a0820f

SHA1
015bfd7fa680845e2e54b4735b7f20fff6010b47

SHA256
53c1eaae07dd68fcdd0d047e5588ef969363b82907f130b9120d64dfa2de28e5

SHA512
bb78cd06f64fb4d195fe00f3715a50cfdc797834a09c91a70085bd582ef3f2229a139fbf17bb190d98972b5250381212f828daf0d599b93022a8909da1375d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCEF2371-BD6A-11EF-B666-DEF96DC0BBD1}.dat

Filesize
5KB

MD5
4d3e17086ff15354c4cfd88b9461ac50

SHA1
6e5b341ec7f39061870d69f9aa0fc7f57ee276d6

SHA256
90a539a8dcfe73b8b639c93360e83dc982d5ff997d8025d26f7f18d3608ada7b

SHA512
f9f1eccbe8e23faac3ebd70b99ddbd67910e6a567d34c0ba8459513e09da3fe6605fe5028b05c319c472dab011b6e36081ea3a62141e09d51d8f5de24f9cdbce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF079.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF221.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/936-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-136-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1160-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1932-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-162-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2768-14-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2768-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2768-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download