ramnit | 5c31386e9646e71bddc4dc5fba330f11e86adb37840d66443e184e97389deabb

Analysis

max time kernel
115s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd108b8931ff1712da62df14a5cd1b17_JaffaCakes118.html
Size

2.3MB
MD5

fd108b8931ff1712da62df14a5cd1b17
SHA1

660be22ef60df42a413778c81a527e02a82cba0a
SHA256

5c31386e9646e71bddc4dc5fba330f11e86adb37840d66443e184e97389deabb
SHA512

c19313602169fbc79a5e5ea5c60738b1e2c4fcb15cf59e8a5f7a90e32614143cad3b1612301efe4a013b4eca8a72e6a799fd0d71d4ac1b3093ffe1671791b1db
SSDEEP

24576:3+Wt9BJ+Wt9Bq+Wt9BU+Wt9B3X+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+X:r5

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 25 IoCs

pid	Process
2936	svchost.exe
3020	DesktopLayer.exe
2128	FP_AX_CAB_INSTALLER64.exe
1728	svchost.exe
2072	svchost.exe
2484	DesktopLayer.exe
2352	svchost.exe
1668	DesktopLayer.exe
1068	svchost.exe
2980	svchost.exe
1408	DesktopLayer.exe
1840	svchost.exe
2548	svchost.exe
3040	DesktopLayer.exe
2664	svchost.exe
1768	svchost.exe
1388	DesktopLayer.exe
2300	FP_AX_CAB_INSTALLER64.exe
1708	svchost.exe
408	svchost.exe
2808	DesktopLayer.exe
2000	svchost.exe
1940	DesktopLayer.exe
656	svchost.exe
2352	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
1092	IEXPLORE.EXE
2936	svchost.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000019f94-2.dat	upx
behavioral1/memory/2936-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2936-9-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3020-21-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3020-17-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3020-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1728-127-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1728-128-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2072-137-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1668-147-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1388-517-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxCD2E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7EB1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC6C8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCFF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD2F8.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD27C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC6D8.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD2AA.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAB6C.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC716.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCD4D.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCE0.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCD1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCFF.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETD23E.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETD23E.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETC68A.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETC68A.tmp	IEXPLORE.EXE

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3211dfad18646469dcc261a001b8e66000000000200000000001066000000010000200000007a904fe24d0679d2e64eb43246769020d08d3b531ca624ff42199546dffb124a000000000e8000000002000020000000ea7d28935aaa4458d4c8abb200e42269ccd1fc909c0bebec837689998719bde79000000009d3e9a150bcdb5a52ba329549fe117c2673a6aacf0ee3b7b8afd96e0e98357c1ce2c1b4e5c4c3da8f41020dd2416d1feb68ad4d0816cd8acb196bc870de0a3a3dc9d2e01b540d10b304e8e0f26f2a8ca8ffa7dd9f0a8b95f1178552d0eaf62f0b612e6304fd9d1e7a474533e5904c35e980e6376f762567a6819d7e5e2e51797665081708c63d5550a139d00c9f48dc40000000e5e1cbc708ad89d7c904bdb18b31f687242be0177e2486e629a43996a37595874509f2e1666bc89cf6193d453289ccba310aa855b3e045985fcfa6076ab3613a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3211dfad18646469dcc261a001b8e66000000000200000000001066000000010000200000005157b28113337040c30b71e5e2ce72ca17fab43a15440b153283e788a24d66d9000000000e8000000002000020000000d86daa7d9353a43e9e4caaa552d9626d4c304f9f25622a98628dc1c1bc76a811200000004cbeec0734c777d0eaaa0e2ebeffcef880a09d17482ce75f8cf84fc5746e22bc400000006ee2aedecde453ae82f55eebd967a07ce5c6a6bda5cba2f68da3bed43e94ea19156c7cdc7871d82f0b14bb5504750506d8de0b1837d70702165b05e4c685cbe8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{733D4201-BD81-11EF-A5E9-FE7389BE724D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0db573f8e51db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440716783"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3020	DesktopLayer.exe
3020	DesktopLayer.exe
3020	DesktopLayer.exe
3020	DesktopLayer.exe
2128	FP_AX_CAB_INSTALLER64.exe
2072	svchost.exe
2072	svchost.exe
2072	svchost.exe
2072	svchost.exe
2484	DesktopLayer.exe
2484	DesktopLayer.exe
2484	DesktopLayer.exe
2484	DesktopLayer.exe
1668	DesktopLayer.exe
1668	DesktopLayer.exe
1668	DesktopLayer.exe
1668	DesktopLayer.exe
1408	DesktopLayer.exe
2980	svchost.exe
1408	DesktopLayer.exe
2980	svchost.exe
1408	DesktopLayer.exe
2980	svchost.exe
1408	DesktopLayer.exe
2980	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
3040	DesktopLayer.exe
3040	DesktopLayer.exe
3040	DesktopLayer.exe
3040	DesktopLayer.exe
1768	svchost.exe
1768	svchost.exe
1768	svchost.exe
1388	DesktopLayer.exe
1768	svchost.exe
1388	DesktopLayer.exe
1388	DesktopLayer.exe
1388	DesktopLayer.exe
2300	FP_AX_CAB_INSTALLER64.exe
408	svchost.exe
2808	DesktopLayer.exe
408	svchost.exe
2808	DesktopLayer.exe
408	svchost.exe
2808	DesktopLayer.exe
408	svchost.exe
2808	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe
2352	DesktopLayer.exe
2352	DesktopLayer.exe
2352	DesktopLayer.exe
2352	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1092	IEXPLORE.EXE
Token: SeRestorePrivilege	1092	IEXPLORE.EXE
Token: SeRestorePrivilege	1092	IEXPLORE.EXE
Token: SeRestorePrivilege	1092	IEXPLORE.EXE
Token: SeRestorePrivilege	1092	IEXPLORE.EXE
Token: SeRestorePrivilege	1092	IEXPLORE.EXE
Token: SeRestorePrivilege	1092	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2308	iexplore.exe
2308	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
2308	iexplore.exe
2308	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2308	iexplore.exe
2308	iexplore.exe
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
2308	iexplore.exe
584	IEXPLORE.EXE
584	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1092	2308	iexplore.exe	30
PID 2308 wrote to memory of 1092	2308	iexplore.exe	30
PID 2308 wrote to memory of 1092	2308	iexplore.exe	30
PID 2308 wrote to memory of 1092	2308	iexplore.exe	30
PID 1092 wrote to memory of 2936	1092	IEXPLORE.EXE	31
PID 1092 wrote to memory of 2936	1092	IEXPLORE.EXE	31
PID 1092 wrote to memory of 2936	1092	IEXPLORE.EXE	31
PID 1092 wrote to memory of 2936	1092	IEXPLORE.EXE	31
PID 2936 wrote to memory of 3020	2936	svchost.exe	32
PID 2936 wrote to memory of 3020	2936	svchost.exe	32
PID 2936 wrote to memory of 3020	2936	svchost.exe	32
PID 2936 wrote to memory of 3020	2936	svchost.exe	32
PID 3020 wrote to memory of 2856	3020	DesktopLayer.exe	33
PID 3020 wrote to memory of 2856	3020	DesktopLayer.exe	33
PID 3020 wrote to memory of 2856	3020	DesktopLayer.exe	33
PID 3020 wrote to memory of 2856	3020	DesktopLayer.exe	33
PID 2308 wrote to memory of 2764	2308	iexplore.exe	34
PID 2308 wrote to memory of 2764	2308	iexplore.exe	34
PID 2308 wrote to memory of 2764	2308	iexplore.exe	34
PID 2308 wrote to memory of 2764	2308	iexplore.exe	34
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 1092 wrote to memory of 2128	1092	IEXPLORE.EXE	36
PID 2128 wrote to memory of 2668	2128	FP_AX_CAB_INSTALLER64.exe	37
PID 2128 wrote to memory of 2668	2128	FP_AX_CAB_INSTALLER64.exe	37
PID 2128 wrote to memory of 2668	2128	FP_AX_CAB_INSTALLER64.exe	37
PID 2128 wrote to memory of 2668	2128	FP_AX_CAB_INSTALLER64.exe	37
PID 2308 wrote to memory of 2672	2308	iexplore.exe	38
PID 2308 wrote to memory of 2672	2308	iexplore.exe	38
PID 2308 wrote to memory of 2672	2308	iexplore.exe	38
PID 2308 wrote to memory of 2672	2308	iexplore.exe	38
PID 1092 wrote to memory of 1728	1092	IEXPLORE.EXE	39
PID 1092 wrote to memory of 1728	1092	IEXPLORE.EXE	39
PID 1092 wrote to memory of 1728	1092	IEXPLORE.EXE	39
PID 1092 wrote to memory of 1728	1092	IEXPLORE.EXE	39
PID 1092 wrote to memory of 2072	1092	IEXPLORE.EXE	40
PID 1092 wrote to memory of 2072	1092	IEXPLORE.EXE	40
PID 1092 wrote to memory of 2072	1092	IEXPLORE.EXE	40
PID 1092 wrote to memory of 2072	1092	IEXPLORE.EXE	40
PID 1728 wrote to memory of 2484	1728	svchost.exe	41
PID 1728 wrote to memory of 2484	1728	svchost.exe	41
PID 1728 wrote to memory of 2484	1728	svchost.exe	41
PID 1728 wrote to memory of 2484	1728	svchost.exe	41
PID 2072 wrote to memory of 1684	2072	svchost.exe	42
PID 2072 wrote to memory of 1684	2072	svchost.exe	42
PID 2072 wrote to memory of 1684	2072	svchost.exe	42
PID 2072 wrote to memory of 1684	2072	svchost.exe	42
PID 2484 wrote to memory of 1064	2484	DesktopLayer.exe	43
PID 2484 wrote to memory of 1064	2484	DesktopLayer.exe	43
PID 2484 wrote to memory of 1064	2484	DesktopLayer.exe	43
PID 2484 wrote to memory of 1064	2484	DesktopLayer.exe	43
PID 1092 wrote to memory of 2352	1092	IEXPLORE.EXE	44
PID 1092 wrote to memory of 2352	1092	IEXPLORE.EXE	44
PID 1092 wrote to memory of 2352	1092	IEXPLORE.EXE	44
PID 1092 wrote to memory of 2352	1092	IEXPLORE.EXE	44
PID 2308 wrote to memory of 1356	2308	iexplore.exe	45
PID 2308 wrote to memory of 1356	2308	iexplore.exe	45
PID 2308 wrote to memory of 1356	2308	iexplore.exe	45
PID 2308 wrote to memory of 1356	2308	iexplore.exe	45
PID 2308 wrote to memory of 1988	2308	iexplore.exe	46

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fd108b8931ff1712da62df14a5cd1b17_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2856
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2668
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1064
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2352
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1668
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1580
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1408
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3004
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2980
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2612
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1840
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3040
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:592
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2664
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1388
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:336
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1768
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2132
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:632
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1708
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2808
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2888
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:408
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:496
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2000
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2696
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:656
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2352
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275464 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:406543 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:668681 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1356
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:799751 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:734235 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:584
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:996373 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:3683344 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:1782801 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:1061908 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
495c0b0092c10fd5e6f4dc70653b3bad

SHA1
e542c356069aae2af6b7b2f42062781f1ac9cf52

SHA256
015aa5a128f9c43b7ea66a1f627dd01e91312989d437a5ccde3991151852e870

SHA512
04fcef4e36bbd5451decd41b3d7b6321a827442a9363540ee5d87de85e2a41bad75bc3e5875a1dd6d07038d667825e9944f8f91b3e16f309ac35522817c8b85f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cbbf121da6f315180bde43eb6bf28c3

SHA1
4fd3d957afda2b54a5fe5ebc9f91dcda3e497715

SHA256
c114774a2e4f0ab62301fb335d81ecfe63a886fb8cac5793b3f3399800cb9034

SHA512
bc1729b2aaaf12aedd9b115b6f1d9772c5e13d1ef867ed7be036b8e8d57ecc5ea63037bc6e727ce840bdc3cce13fee7f78b41d60f44e686313d059e092e4ff3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c5fa38cb46f89412cbbb8cc53eb133

SHA1
e2dfa10e8f028e25bc18c8ad3a674879df9f6b1a

SHA256
be19c622bbd969a0e3cd9473c3252729c7d99dcec20d63ccc779557358dbc659

SHA512
a4487185456165fbe662afa05b569638b4725c8b63b8ea0c4db1fd066f96f660ebb0d2a18558ab63cdc2b32f52c539664e6cfc80a4105556402c445efd276e72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
476c222d39c9252b6c9ab8e671f722b5

SHA1
3ca3368f3b79f4eb061ec56cb1bab4533b196cf1

SHA256
ef5d005f8d3099a8a7cc53f2adf5a50ef226b24a01f797dd4a3e5a14efe7b9ee

SHA512
f3d737d4b39a0f843e918192622895f55015c1caca190e055312696b86adb7bf4674f1ecf140b7001251e8152072235a70d9d25dedd3bfbdffe17454343727a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc61f02540ec7ab1bfaf1e597ebae693

SHA1
12681dc78bf3b1370780ed623885ab34915e46e5

SHA256
c77f67e193ccfd992cadf4ce6662c26bbe8117ea9940226541cd133c352131ee

SHA512
bd3bf3cf616df91dd0195f1fd10c5d49c8b0ecb47976ddf95849f9102226a0e8dc5e57844231dec2c0e411c5e821c4e12efcd700a3fe508a588451918d2ef87e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
081efda7428dc8c7d9aa46c3e7c763ad

SHA1
efd5e0afae88ed495994add0e76219a0b004c1ec

SHA256
e213a307ae58db999f4d9fd4789e14bd8789fd09cde1e19e62d9653a7d9e9a59

SHA512
bc38ceee1b1113f170c7142f632e0ddf94eb18ce5688f8fc5ca229dfaa245ca60d052ab58e5d7e886b3fcdea6371272d12ff65e85e9421fc8b0a872aea74fee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b57116e970a0b315395bcb21c3620eb6

SHA1
0c544867cfb27847561ed7c3fc4091c69ff460ed

SHA256
e70cfada6897151f5ce26dd55443b7071a0739495d50e307ccd100e99f6a1a98

SHA512
a5dfc8bd8d4bee4a8bf71bd5792db2d227a9a89d366963591312414d6412a11eb89d107965a9567d8664e312c2d936d65030cdfa7102068d8b6dd44f509e8b04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a639995d0ef4bb5fa04d1ad4788bc69

SHA1
7dbc484237d7af421b811fec1e17cc49a4ce65b9

SHA256
3c5dffd0d8faa6460bebb435cfa1172f4998a74106e4c6df0f8adc2ec17e8613

SHA512
41aeca6e1f7691bebd63efe5e36026bef3322bba275a14d946f9928be6503f5b0615af56f15cabaad5671d0df5126b8a50752939d162c4348990955d1a5735d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe0608d4c3caa700d3c3e5dbafa2618f

SHA1
920ee08bf234e00b71b8cb910895b6e28460fb83

SHA256
cc0ebb84f976363c4c5d8a3e38b444b5a1d68cac5472af4898293ff6bc826e89

SHA512
2bbdaa3a6f68e1ae5d4348ba0684a56d71aa3b6c3d4e6c5189ff9b95ce6a4d2c226530aa5c0abcc05f501c0b634d595238475fd3b72944be38d32d9e5bd53ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e7968b90c0f6f6b723c389528ff2f9c

SHA1
be539dcd2e2c41ae28646a0220722bb4fb8c99af

SHA256
cd2e575f66c6a6777a5af68719f48be8f8f0fd44bc78970149fa228165b88050

SHA512
f663e46fac479ad53d793491ee3f563542490f855e40f422cb56338760a5bd3d649a9ce21ff7b66e00693019377c17c788b9b372342b25193c9f407b0ff3c17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a36a56b18c0b4a3d2f41039aa8024d1

SHA1
5de642540c2615c52d77c3619d02d84528b4fc5b

SHA256
634c69ea41037a23cae1e0d3cfb0dcc55cff425d29e8b88d4c932faae3dfd53b

SHA512
3811d8cb5db7d0998c9e77871dc359c78550e1d52056c0f6873cc694cb3045497eae828d6484abe4e6530dc951090f87ad696c84bc9cbfe1b4bbf9b439d9992c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0a021fbf2f055c167744b35130f8f72

SHA1
2ca6e0cbf9d4daa5f228cf42d9b3fdc238694787

SHA256
d0d626555e3f0f6862951ea96335f3fcfb36aa73d7016e0e7019bdcf67118554

SHA512
3274faff494fff2d41e26c00ba305c20da642077f3f86375efa938996bbc174642a1fe2887d35e2d30ca679ffe9b35aca783d9af5edc9b5d3096bd2f457fb820

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae91cae28bb2710e706046eafaa8cda

SHA1
a4bd2231ddf1face46a0b1475b2666743afb71ec

SHA256
09a0a0dd79cf48497705032c8be9f2a9d49e8ff36b09f7caab1103fcd58dcec4

SHA512
092869ca9586110cafe19c62ef67674f43e60089ac01c83e2347cc779bcb36c733b0123cfd6024e1670031cc27741a70e94ce7d2d2bd20aeec9cbf243c7d0769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dfcc46eba29598dde15433e21604ea2

SHA1
fc8c78f06499fda1922d08bfacb5526101e00e82

SHA256
51cddcc45eca37ef972d9c1e5bd564dabe06f33a405cdf540841aeb25ba4635e

SHA512
2d18015bbb87864a08f3042b8e8614b3a2b8735210c6d42dfa4ab97f4d9f5755410eda65e7b01a37b7f8680fedccb1d7a9189db0d9b4844f115b1694360cd8c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
549342b198454d3254de21d514eb159b

SHA1
50771a5e8294170000cc5445a83ee6edcc9c303c

SHA256
cb396d01463db862a04c157ffc2ecc07102bf6db930c73268814c02dc5e4f997

SHA512
308e15e24293647fc41dd9bc718444b8c36381d072122b6a716a242cdba236be330d45c09f9c60ad0d8fbe2f7595b38cb7b46113a95a84f31067666553a7b3a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8388cc09d909a43936021bf202edd527

SHA1
32c4c194d525a2243b4328cfdd9ac4ed6d3d2a18

SHA256
efdad547bf40b346a15afcde453b98860defc5220b6983f27f8964ba431633fc

SHA512
6a9cc79fba4d1c5923afb714430d34d25e81753ae4b090bdbb4890f7b2da01d0e175ef4f78d1b67210c8f06f55e531c36bf47fd96ee8cd517f2121cf8088d400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa9feb8ca18f3a3f308a706b91f32561

SHA1
9c99b2ac7416d9d7a5efa0794e7b24f53680b299

SHA256
37ac42fb4f01939639fb040b470f3bc17ac27dbc432bab6a6fc64d04d5a4d3a4

SHA512
8d1419a19d5b25b113da7b45a974b30b429b2395a1c1efa1d414252d0c4da758323f576d046cb445214165aaa127db1951f68061f9f6ec0614ab0e0ce7e1d5fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a767e32123c5e298b317a51d48f5087c

SHA1
d5ab250182c878300af05cd50b8b358709f0dd53

SHA256
f7139cbc2052d45e7e1963ec9f42fc21a43e17fa50adaf3718bdf300d0c88fb7

SHA512
121e2a0d36451e58390d04b21095859c0fb3da9f0940c40a286a8981327dc93391e14c97c74dadb21c54ff847d5a1cbff06c5c7a083e663c1a897c32fb6b9234

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c8d699d6634295a9047e85ebf7589fa

SHA1
e34eaf989d58375c13047b17d8787f1d194f1fe7

SHA256
a208b9cb4c980e182e30b29ab780d608079c6cb2ceb85ee445784c5b6cb17dc5

SHA512
e49351cb969b7611c610c66930302f54af287b6f693de25daba09c0477057fb73f7f57ee7797ad70ba062cb86c85bb83a878c46d641d2e63e0fdad63c907470f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4ca35d5095cc590c8fd2bd455a1728c

SHA1
081397c1ed95b423d7a74ae970de057aff118af1

SHA256
b342093685dac7fd6d19e7c202f9ed586849b34d109d69c646900e3ead23b703

SHA512
db19de6a00bceca69f131a89a06f33a495516b0e59ae969220f5c42c45107b5e29d4d72a978240555b12716c65d320692cedba91bb3464740d50391c4c214d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
772d54aee9c09b70af6c4516b59d788d

SHA1
3754a6ed0379fd1bc467f7c4cecd3536660b578d

SHA256
2351780fb29afe47334394f15c64ceea13276bf13b3f89dccabfe6d085cf4bc5

SHA512
999573c82989957ec63362eeae243b273a49dff79c7f199fc34b8aab6c307c0b267bba41e45375c13bbdc98ceffc6bd6331e41e060134e9771ad0b03319f94d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f1ecc9ae30d247cf2dc11cec00ee4eb6

SHA1
6e6d5e40d201eedea1e2c3207f8695d01b611cb4

SHA256
c1fadd173156f2533bfba8a442818f01aea6ac205e0eadbf31d1b372df8bc707

SHA512
a0b37e4fd6d5a9e0842384a120be17a83d22df71b921ffed84781e0b303a3a827052bf75a9c71a8d047674618869f7118f96875bb90653580d670e41fa199ed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBA0E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC22C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/408-592-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1388-517-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-489-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1668-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-603-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2072-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2936-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download