ramnit | 0095c917071d049394999f3a7bff88298df7bf05090cd5f8103e7c4121d84328

Analysis

max time kernel
114s
max time network
136s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce4c5e1bcd2e15ce70a7a677ddf82df_JaffaCakes118.html
Size

2.3MB
MD5

fce4c5e1bcd2e15ce70a7a677ddf82df
SHA1

8e7218600ee08b4b73e31b41304c648a10413d81
SHA256

0095c917071d049394999f3a7bff88298df7bf05090cd5f8103e7c4121d84328
SHA512

bb665ebe3afebaeefe4a0d331fbc04efa0005e4e9efab4230cd24a0a7ac6249695c8f2109cc1b475abb7662a7aac838d44303c5db8c50439263b85f1a744554d
SSDEEP

24576:I+Wt9BJ+Wt9Bq+Wt9BU+Wt9BJ+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+W2:m

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 26 IoCs

pid	Process
3012	svchost.exe
2924	DesktopLayer.exe
2292	FP_AX_CAB_INSTALLER64.exe
980	svchost.exe
320	DesktopLayer.exe
760	svchost.exe
704	DesktopLayer.exe
1836	svchost.exe
2680	DesktopLayer.exe
1616	svchost.exe
2604	DesktopLayer.exe
896	svchost.exe
3044	DesktopLayer.exe
3032	svchost.exe
1548	svchost.exe
1976	svchost.exe
840	DesktopLayer.exe
1388	svchost.exe
1556	DesktopLayer.exe
1076	FP_AX_CAB_INSTALLER64.exe
2292	svchost.exe
1504	svchost.exe
1668	svchost.exe
1284	DesktopLayer.exe
3040	svchost.exe
308	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
2964	IEXPLORE.EXE
3012	svchost.exe
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001948c-6.dat	upx
behavioral1/memory/3012-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2924-18-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1836-160-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/704-145-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2680-167-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1616-212-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3032-289-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3032-287-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px148.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3B8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px20.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px51F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB53B.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6E.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4A2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEEE1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4D1.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px426.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE24.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px33C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDE6.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxED0.tmp	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETD3B.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETD3B.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETFF84.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETFF84.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400ac95f8651db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{934F7FC1-BD79-11EF-AAD8-6AD5CEAA988B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000ce2a922e4ec5ce8f74dab41947bafbc9b4f5e267e80c39bd4ba92a51f4d6b805000000000e8000000002000020000000593d0437c257e14c1e96868072489c417ad9ed57e057cde4dd6324eb8a214f0990000000b2751d7f0232e9f27bc323057391810b208f392e7207c642bb9ab1f06f4d79ea8bdb1b368f943f487d34a2ad681e3c02cee4f102f7829ce4e9174a60cc7639eb26fda82c8ee5961732cf074db89c521d4acdcaf940b83a99d0453ea5a7333c7f78ab4d2937fb3f5beb1f1a860cbdc513926cf778a23c3083e31309a54e00ccaf7fd302b7a36714d51f2bf33202e1dc1f40000000e27f777e4ee1eb4042d82d15927554d5cca090106b881a2426f82b91ac9a2cbfcaeebba6aa230c384a1a83b99eea2ef151d55ae09f818bff9205086b4836429b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000085fe6a1f51e8cbfc47206f0f386989d6d2963afd94beece3ebb11f6a9b6d955d000000000e80000000020000200000001f2dd0bad33683fc3a57166c1b50c3da232b93720f741e869c490c1c2a6665e9200000008ec1fee7c61ac66caa0c99b4bac06d2d91bffdf11f986da3b4d95ca2c972d1b24000000001e35600634d29c521867c2932ec6e1c54c1d1308162e7d828d779b90ab12f73faba8760e7f3eef91fbad501e4bfdd4c56fcd2cbc3cf6c7acf1dbb8f712fa2e0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440713404"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2924	DesktopLayer.exe
2924	DesktopLayer.exe
2924	DesktopLayer.exe
2924	DesktopLayer.exe
2292	FP_AX_CAB_INSTALLER64.exe
320	DesktopLayer.exe
320	DesktopLayer.exe
320	DesktopLayer.exe
320	DesktopLayer.exe
704	DesktopLayer.exe
704	DesktopLayer.exe
704	DesktopLayer.exe
704	DesktopLayer.exe
2680	DesktopLayer.exe
2680	DesktopLayer.exe
2680	DesktopLayer.exe
2680	DesktopLayer.exe
2604	DesktopLayer.exe
2604	DesktopLayer.exe
2604	DesktopLayer.exe
2604	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3032	svchost.exe
3032	svchost.exe
3032	svchost.exe
3032	svchost.exe
1976	svchost.exe
840	DesktopLayer.exe
1976	svchost.exe
840	DesktopLayer.exe
1976	svchost.exe
1976	svchost.exe
840	DesktopLayer.exe
840	DesktopLayer.exe
1556	DesktopLayer.exe
1556	DesktopLayer.exe
1556	DesktopLayer.exe
1556	DesktopLayer.exe
1076	FP_AX_CAB_INSTALLER64.exe
1504	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1504	svchost.exe
1284	DesktopLayer.exe
1284	DesktopLayer.exe
1284	DesktopLayer.exe
1504	svchost.exe
1284	DesktopLayer.exe
1504	svchost.exe
308	DesktopLayer.exe
308	DesktopLayer.exe
308	DesktopLayer.exe
308	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2964	IEXPLORE.EXE
Token: SeRestorePrivilege	2964	IEXPLORE.EXE
Token: SeRestorePrivilege	2964	IEXPLORE.EXE
Token: SeRestorePrivilege	2964	IEXPLORE.EXE
Token: SeRestorePrivilege	2964	IEXPLORE.EXE
Token: SeRestorePrivilege	2964	IEXPLORE.EXE
Token: SeRestorePrivilege	2964	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2596	iexplore.exe
2596	iexplore.exe
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2596	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2056	IEXPLORE.EXE
2056	IEXPLORE.EXE
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2964	2596	iexplore.exe	29
PID 2596 wrote to memory of 2964	2596	iexplore.exe	29
PID 2596 wrote to memory of 2964	2596	iexplore.exe	29
PID 2596 wrote to memory of 2964	2596	iexplore.exe	29
PID 2964 wrote to memory of 3012	2964	IEXPLORE.EXE	30
PID 2964 wrote to memory of 3012	2964	IEXPLORE.EXE	30
PID 2964 wrote to memory of 3012	2964	IEXPLORE.EXE	30
PID 2964 wrote to memory of 3012	2964	IEXPLORE.EXE	30
PID 3012 wrote to memory of 2924	3012	svchost.exe	31
PID 3012 wrote to memory of 2924	3012	svchost.exe	31
PID 3012 wrote to memory of 2924	3012	svchost.exe	31
PID 3012 wrote to memory of 2924	3012	svchost.exe	31
PID 2924 wrote to memory of 2884	2924	DesktopLayer.exe	32
PID 2924 wrote to memory of 2884	2924	DesktopLayer.exe	32
PID 2924 wrote to memory of 2884	2924	DesktopLayer.exe	32
PID 2924 wrote to memory of 2884	2924	DesktopLayer.exe	32
PID 2596 wrote to memory of 2764	2596	iexplore.exe	33
PID 2596 wrote to memory of 2764	2596	iexplore.exe	33
PID 2596 wrote to memory of 2764	2596	iexplore.exe	33
PID 2596 wrote to memory of 2764	2596	iexplore.exe	33
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2964 wrote to memory of 2292	2964	IEXPLORE.EXE	68
PID 2292 wrote to memory of 2200	2292	FP_AX_CAB_INSTALLER64.exe	36
PID 2292 wrote to memory of 2200	2292	FP_AX_CAB_INSTALLER64.exe	36
PID 2292 wrote to memory of 2200	2292	FP_AX_CAB_INSTALLER64.exe	36
PID 2292 wrote to memory of 2200	2292	FP_AX_CAB_INSTALLER64.exe	36
PID 2596 wrote to memory of 2576	2596	iexplore.exe	37
PID 2596 wrote to memory of 2576	2596	iexplore.exe	37
PID 2596 wrote to memory of 2576	2596	iexplore.exe	37
PID 2596 wrote to memory of 2576	2596	iexplore.exe	37
PID 2964 wrote to memory of 980	2964	IEXPLORE.EXE	38
PID 2964 wrote to memory of 980	2964	IEXPLORE.EXE	38
PID 2964 wrote to memory of 980	2964	IEXPLORE.EXE	38
PID 2964 wrote to memory of 980	2964	IEXPLORE.EXE	38
PID 980 wrote to memory of 320	980	svchost.exe	39
PID 980 wrote to memory of 320	980	svchost.exe	39
PID 980 wrote to memory of 320	980	svchost.exe	39
PID 980 wrote to memory of 320	980	svchost.exe	39
PID 320 wrote to memory of 780	320	DesktopLayer.exe	40
PID 320 wrote to memory of 780	320	DesktopLayer.exe	40
PID 320 wrote to memory of 780	320	DesktopLayer.exe	40
PID 320 wrote to memory of 780	320	DesktopLayer.exe	40
PID 2964 wrote to memory of 760	2964	IEXPLORE.EXE	41
PID 2964 wrote to memory of 760	2964	IEXPLORE.EXE	41
PID 2964 wrote to memory of 760	2964	IEXPLORE.EXE	41
PID 2964 wrote to memory of 760	2964	IEXPLORE.EXE	41
PID 760 wrote to memory of 704	760	svchost.exe	42
PID 760 wrote to memory of 704	760	svchost.exe	42
PID 760 wrote to memory of 704	760	svchost.exe	42
PID 760 wrote to memory of 704	760	svchost.exe	42
PID 2964 wrote to memory of 1836	2964	IEXPLORE.EXE	43
PID 2964 wrote to memory of 1836	2964	IEXPLORE.EXE	43
PID 2964 wrote to memory of 1836	2964	IEXPLORE.EXE	43
PID 2964 wrote to memory of 1836	2964	IEXPLORE.EXE	43
PID 704 wrote to memory of 776	704	DesktopLayer.exe	44
PID 704 wrote to memory of 776	704	DesktopLayer.exe	44
PID 704 wrote to memory of 776	704	DesktopLayer.exe	44
PID 704 wrote to memory of 776	704	DesktopLayer.exe	44
PID 2596 wrote to memory of 1128	2596	iexplore.exe	45

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fce4c5e1bcd2e15ce70a7a677ddf82df_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2884
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:780
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:776
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1836
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2316
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1616
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2604
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1684
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:896
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3044
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2844
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3032
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1548
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2432
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1388
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2644
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2292
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1284
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2028
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3040
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:308
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1956
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:406533 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:209943 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:406543 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:209952 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:5649412 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:11940866 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1084
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:11744258 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:996372 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:3290128 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:4076562 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a164162a95354b0c327f31948683b87a

SHA1
aaa4ddf478249361fd58c39d9b5f0fc98ceab1db

SHA256
f08c724c65666680932233e1a24999bf00f683786a28f2cbabe7b52d47427c2f

SHA512
0745e497a6e951c41729af58e0acc0e268839e327c38d7ad34cc1c57ca31676415b8858895ea04aa644590ae77e95dba9d43c32f825438a85472b5f28b966c16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60ae4260ac96b78bf8eaddfcbad19935

SHA1
a13a5457217da995649382fefab26fff5f852e3b

SHA256
9ae0d2677b0595f0dacdd628553f8449e69cfd5420271b4f03de2b9e43588e92

SHA512
685ea0ca518c75d5aacd3dc869a5f162f0a2cc09c1d2f807e1329fe6a60aa958865c97ea4df4e7f6d3e5247df1a4f9303670c4eb320bbc960ea4de3904d8217a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1b8dc72621a2a0f23edd9980f4a38b7

SHA1
41b78dda6e7a83784ddbffc996e4cc686c594a4f

SHA256
4cf90581f75ca75c56b0e6defa459e6ed8a550f4a7ca762cb058bde5879efddf

SHA512
26200c0898fb99ba7aec6be3aa89e420ac912bb158fc532b4610821ada5c42eb6f59fbdc7f8adac3bee98eb2c9cb2a080ef306fbaf7fc9fc9d4f4c59c2819b17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64ce2b8dcd82c0363243e2df9373dc98

SHA1
c9d4f50dca88d1db0db99c742a1fdc689793e7bd

SHA256
512adc7d6079a516283af4245a81d51afb6f5d88457f59e634942068936f0ff3

SHA512
80a2e5ff0aca36eb0d108c547a6ebe9da28583d60f53bb79760df5bae8bcc6913863608fc152ea61dd3c75979232229484d1ca87c13babbf686b0498aa06da7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92655a72370b8ccfc8ff1d76006758d0

SHA1
5a20fab3c443d4f939dee232983e762dbc3edc98

SHA256
11cc9d9bf08b87c5ff0865a32bfa885e0c9fad5d8ca73153f0a67b315283a515

SHA512
6df8aac5fb5221c6004d3cd22691e53a48cd76bd7a0139c3f3a46a45397d9ba48d3817ee9494211e7fd4f92d8df95b93f23d7a397e09b95d64fa164920034ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd8dba903e6da4e56e3644c5ac5f58e

SHA1
e731329c6be478ca2521cb399191717fca7369f5

SHA256
d68e864bdf5e5c00326b74487c16a3e93dc8a9ca947cf4857bcefd3aad154f03

SHA512
9212c986614c96398c3d7d3e22c2d0d0f9634ce8fc51cff8fd07e09c29c2cd793d7edde07b2cc43ecda217582f3ce3b2e3f0426dc57a175cec8c171507fdecdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ab7c463c156b240ba7e95a15f9306fa

SHA1
1a812ef4f698036de565e018f9f5f394a35d1ee6

SHA256
14d4362306d87dd07ae22d433e8729507d76be91d95b311e263c9dbf8b7efcb1

SHA512
598ce5fbd39da601152cc12fbe99c222d40c9ddc2a302c393e824b09284538f42cdbf8d6c2b8bcf8cf1498682a34cc05bb60029d8851626839e3066b37ecd32d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
668cfc8523863d341820ac93637d0857

SHA1
d062163480cd71b789a499ba46b08925e29f5ddd

SHA256
c4d9577c5eb5e5e7d9f7bb33a09672125b58419082669b8e36defae12df60cbb

SHA512
effd7497aa525ed9f885b1a00aef37a116a6f2ca1f8fc2dd28418b2f0e3b94b9c65055d5c6d7c80fd633edb69ce7441431f5c68457c6aa2890b9065b3dfb1dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c06b1ace4268509853eab6c9d2f5aa8

SHA1
c6af3938607dea3e9772424160d86f4bfb93d1b7

SHA256
8887462768611539603dc29406e47c3dcdccd096104cb7bb2e378314c52f47c4

SHA512
6c9eb63edea50e009c3e8ec28f5d6955324b4537c00d812d7e8192a94a4c502f40f207a787f53cb263c039629539cb89b499965fec695ef8972f8dacec95279f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97a68eb1b38d6dac03a4671c05206478

SHA1
b9678ac813d32338e69cfd882a8922c6da09d004

SHA256
0d884ff1a1f3b7f906c26c8f1a242bcdca2393fcec95decf0bbd7e302540f19f

SHA512
2bf5c6381e837e5bd02b0d407186b1c6f3c15cbbf570f188de76adb6df280437c94b7afdda618dc18df7fd3ddb4485a711a7910d0af7257d749ff7fc8fe34f81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
647a47092c4b9150208408d2715e20f1

SHA1
1ca5f94e2fda017f5be35373feb086c945c5ac56

SHA256
9d63497c39bf2ff24f59c9e4f6729cc8cf636e144497c3cb7ac96a448b86bd29

SHA512
fdd8fd920fe8be7ede57a339d82fa4783bb7e622b33643be8599b2f9d40deb1d7dff17cacea004a240a3d77c0cf81a601115ae9881947a59113c53d2dbfe8612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f28ecd9cab73713f0ec2f2707ff8d6

SHA1
72f8b65210e4f3b671c3ee380692430b7e5a44a9

SHA256
743d780f87304e3c2f94ab43555c7106dcafa487713669d1e8421fd6ecedb444

SHA512
53522304f67a7f64bd26b9f23e0c6db54a11fd2477f9b7b19e38b315055ba3ac2ffae23b1a1fec9f033866b7c15096353073cf8d500d6d0d523676526cb827c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25a5b2a6b89113b44685f73fb88c5e57

SHA1
abc68f8928f02f61c2fec5dea8d9a66709979ffb

SHA256
206520df2dc5a0ab311f5cbde20db96762519c751756a89f234a6d2fdd20470a

SHA512
0b4e0fe021a3294a68caafec6dff341251ec99fff50d4327b1c466f7b1cbb9585eb892578bb42ed9a552e300ee69a3ac9a2de7e0a35aef2b7bc1b61550ad4b2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33ea4b647377a23d9aefb37e95738205

SHA1
866574758f3ad3bbb911e42d07743b3e3cbc9ee8

SHA256
22fcdd19b7b55b61f6a3f45418d70ad95ea5f28a4beb99703c4cfccb84ddbd65

SHA512
5099015d35ea2860026525ef15a9a34feebeacccf23085c685a9e395700bcabe0905eb62c9c5fe354f1be69ff32be5d40482ab8582906341f62f26e098490b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a10ba294e1934a324f9062dcbdb1a3b

SHA1
259e1eed652e811e1f6fd829add5650b14afffdc

SHA256
8ec99e1756a6c82fe57fd99aef7c13d102d005ca0d750642e3267e2a348d51fc

SHA512
5c252f6ed4797396bd43651abe0ec551d935121fdffebf18b162695780b9b37ef3cd76a695a04b850eab4ec3b5cb0bcd80ed6ed1bd01ee765059a67897ec7dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f00fa492c0f6b97617123976ed45490

SHA1
8ff358c06267e88f41dda950109ae95467913c5a

SHA256
744172c6ad45fbcada4ab60ef59ea5ddc7408acedd8b18aa162b0f3a58799583

SHA512
650ea43c8ddaf3f0a780b65136598a85fb84506022797b7acfc35978f59e17961925418681ff3d81038b7aa438ff16ffbc003cb9dc2d7c809fdac4bbdb86140b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22c513a0bee95081fe72f056a7e4cda8

SHA1
e794169bd081eb90c04117b49c1fa4bc3f46d297

SHA256
a205acae53cc62061c0c1c3fd2c6a9c76fff4b1ee99b4c3dabf42477d4f9c91b

SHA512
579002df264c1ee4d4ed9ab34634c326349455fd70caa06bdc6b1faffe73c2f1c94e6ec430e30574e7b659e0b2d4e372de72a009f1272be17938c5f5ed29242b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e21943bd630f171487c6296ad47defb

SHA1
fa9c08b5e010f22229cb0cefaf72cf999f848c38

SHA256
6ba67231dbf4bdf541dfb7fa360a6cd90629aae85de00a3901a8f84d0042e65a

SHA512
24d9647f119d5ed4b79628ee01962d9d788b536a37e2213d64a0a3db031ca4923259f11d30d84a760b0db4a10734a6237a055ab808c489f5c00623734d2aeb03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6954be87042c7513c3e14712b6c693df

SHA1
9a810717059bdd46519e90dff0c3f2862de16468

SHA256
4cab1d426d236890be5e799d63550d8fbdc0b025753491860373c8b79130ea5a

SHA512
9497b8ced4a43d01c9d4ba2951ba1d1e1866d9edf76a264cb6acdbdde5358aa37ba3218590e6c036e7dfb3ef683b14e1b3c2c8e916968cc0be74953ab4c5d1fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cabd1306d207299869fd622da8f4494

SHA1
ede7c51b8f2dde38e0359d2c3dfea7740a24f267

SHA256
c89205f46595c9574877101aa52c85d67a6029dc77073bff183fd1275e735bc1

SHA512
60dbe0780e7230dbbef73f8d261074051c3b414d14f98544c193c98923f558bb63223bbbce7b14ae2d9a2b36c853c46cc6327d497f268f7a14c23ae006a4f4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a1f7af0611ba991aa49430d160e8f26

SHA1
6a9fb67c7018e933fe55aea3797ed53aa882715e

SHA256
3490573ab5f5f5779e90614bf8816c59181d3b4b225cf674c70ddde1ce88c9e3

SHA512
fdb89e20add4f425fb41ffb3f31dd2a304a78ade9bd70acd34e8fee0aeb2030db57c190b04cfeb0c1dd24f5a7ef09ec0cb8e00e4737596b783f85d0fed643772

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b035d4616bd57104ae4bd5b34af2e058

SHA1
a6ee8dac990c632d4fdf52849c72225d301c8142

SHA256
4688a091c9fb965ad8405c8d2c047c4a4ab341015da4cec551facc9e5c6089fc

SHA512
cc4d2ef0df4352cd6bc9db3a225243428b87e4016bb6ae5efc13bcae4ed65d9c9a69c4b52ad90a23aa42a6f48330a3d772043e80eacf431db764dd1a35b061d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5353cf8c870ccf058cf2bbc6f47937b6

SHA1
67e78880b169de667daa821fbd31de8835a15df4

SHA256
782b49294e618fb9f2cf279fff001f7aa06150497f7628e4fb431f1b5b3f0dce

SHA512
be1166adc09d19321bd20a0aeec96f047120a21601a76ce4574bb6f809b91dee4f17d920d0bff1ffd6889b2793f79af2e7da013ef8a4a9398bf3edb494b3546a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52e6b789ce013c7798a11de0dfff6930

SHA1
5e1bf6a4c3757b1cfe237b9b63533ae769bfe0eb

SHA256
41620515a678a12119f164378f90d7862e803f1f17f6913c07baffe4809ae30c

SHA512
adf9834825949c7424cfa886b54f9729ab6685aa56bc694d72597fd10c00541c178d47b2a91e33743b315ebcb8f8f14ae3a9bea7d458274f493e41d6b735c559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a063acc970e2b89fccc3c4df9cf3ea7a

SHA1
a8543befe40b50c3a3ea19814a04853629f94cc0

SHA256
b714d66ceb4f435fb0bf7f6553a1deee54832871b2e1898ca5dfc0a4b1973a22

SHA512
a13aa1ee9f72b65337cf77d4407a72685bbfbe482180dcd71b5b9b178e41b304c4276c0ede8a39d9d0661a079964dc21515b0ab039a166c7d81fcb0eee92000e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e74020bbfbe046bf38bd5e631140c306

SHA1
d7420de051d815067dd758e901786881f196b341

SHA256
55936a5e8d254a13482cd9fc105522ad2f8144abb59ff38e265c39f017ce3bb2

SHA512
1e2fdd08f64d3e4463addc280836ad07e4a44b7a38ca4b1c26f14570f246008e55172cb5ddd334533933fd66f186651064e6098f51ecbb72ab2c250b6b7f32ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF3B4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4EF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
memory/320-129-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/704-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/704-156-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1556-328-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1616-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-753-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1836-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-252-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2680-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2924-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/3032-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-283-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download