ramnit | 7028c0851e3f73ca8b7e93921854ab013789e9a0fec77cb8ef7e7da4ed35cd19

Analysis

max time kernel
118s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7983a16f84a89415a1b70ddfe1e2f7bd.html
Size

392KB
MD5

7983a16f84a89415a1b70ddfe1e2f7bd
SHA1

29fc84bb540686475fa733a7fa59899d13213262
SHA256

7028c0851e3f73ca8b7e93921854ab013789e9a0fec77cb8ef7e7da4ed35cd19
SHA512

2712a821e7faaf6418ffbe9984a25196c276ccff333ec67f3f4f404960139b07270a95ccfae90c6ee3cd23f98e55e09b7171aaedcd8d67dde563171aa6684910
SSDEEP

6144:S7wsMYod+X3oI+YesMYod+X3oI+YJsMYod+X3oI+YVsMY9:8e5d+X3C5d+X3r5d+X3be

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2896	svchost.exe
2660	DesktopLayer.exe
2192	FP_AX_CAB_INSTALLER64.exe
876	svchost.exe
1592	DesktopLayer.exe
1228	svchost.exe
1812	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2228	IEXPLORE.EXE
2896	svchost.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000186bb-2.dat	upx
behavioral1/memory/2896-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2896-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2660-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1592-129-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1812-139-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px5FAD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7D79.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7F0F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET7CAF.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET7CAF.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442153019"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{715DAD41-CA91-11EF-B4AF-66AD3A2062CD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a081a03b9e5edb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000e0d397dbc2e11ffaf1f2679686155717cc066e691eaf25085b36cc0cc2298d26000000000e8000000002000020000000913843e24281e9721d91c818b6d3c2d63ca5b67d2e6ed05324db1e2c30e40202900000002b37ec7255fd034b440e6498c114f3b47a7d810556ccfb70b1b04bb8370827dd4837d258a7d9d838db1fdf98cd070eb139b57b5ada140cf8fb8d9dd84f811f8dda17582ccba49d451668d88ea1156ec3cfe98a99f19a7a77cf92818f71d4c07a10cf2028ddeb44a723bbb197f3e7fc090c04be1fbbadfb0b95593ec31b66f2a121598c07a08748633112a60dbfd1690b40000000f95595308868f38d8cc52ac08484d13ecd51c40cebc4ac1e70afb89ba97c7e9f68a6d514b0b9749f27989dbfcac31a0ef96587d44c918b82ea7721c69d9cc583	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000001d8588813611998592d337ddd2579f1986282f1e3705e5bb56ec6bd9a08ab800000000000e8000000002000020000000412f83189053072d5cdc74fd46488a5918d91d5188c241b71fb66e6b1bf17020200000007c081d9568d335111f345d4fc1f46801a337b6ec48bb734a4365dab1a17c459c40000000752e157902fb81d4bc5354ce791b47bf9436a1a9aabb67a6bfc88d6fd2d191286a1fc8909bd92db79a7adfdd1c4960ab2be7ad95aea2b941d4022a534532426d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2192	FP_AX_CAB_INSTALLER64.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1812	DesktopLayer.exe
1812	DesktopLayer.exe
1812	DesktopLayer.exe
1812	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2228	IEXPLORE.EXE
Token: SeRestorePrivilege	2228	IEXPLORE.EXE
Token: SeRestorePrivilege	2228	IEXPLORE.EXE
Token: SeRestorePrivilege	2228	IEXPLORE.EXE
Token: SeRestorePrivilege	2228	IEXPLORE.EXE
Token: SeRestorePrivilege	2228	IEXPLORE.EXE
Token: SeRestorePrivilege	2228	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2856	iexplore.exe
2856	iexplore.exe
2856	iexplore.exe
2856	iexplore.exe
2856	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2856	iexplore.exe
2856	iexplore.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2856	iexplore.exe
2856	iexplore.exe
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE
2856	iexplore.exe
2856	iexplore.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2856	iexplore.exe
2856	iexplore.exe
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
2856	iexplore.exe
2856	iexplore.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2228	2856	iexplore.exe	30
PID 2856 wrote to memory of 2228	2856	iexplore.exe	30
PID 2856 wrote to memory of 2228	2856	iexplore.exe	30
PID 2856 wrote to memory of 2228	2856	iexplore.exe	30
PID 2228 wrote to memory of 2896	2228	IEXPLORE.EXE	31
PID 2228 wrote to memory of 2896	2228	IEXPLORE.EXE	31
PID 2228 wrote to memory of 2896	2228	IEXPLORE.EXE	31
PID 2228 wrote to memory of 2896	2228	IEXPLORE.EXE	31
PID 2896 wrote to memory of 2660	2896	svchost.exe	32
PID 2896 wrote to memory of 2660	2896	svchost.exe	32
PID 2896 wrote to memory of 2660	2896	svchost.exe	32
PID 2896 wrote to memory of 2660	2896	svchost.exe	32
PID 2660 wrote to memory of 1668	2660	DesktopLayer.exe	33
PID 2660 wrote to memory of 1668	2660	DesktopLayer.exe	33
PID 2660 wrote to memory of 1668	2660	DesktopLayer.exe	33
PID 2660 wrote to memory of 1668	2660	DesktopLayer.exe	33
PID 2856 wrote to memory of 2380	2856	iexplore.exe	34
PID 2856 wrote to memory of 2380	2856	iexplore.exe	34
PID 2856 wrote to memory of 2380	2856	iexplore.exe	34
PID 2856 wrote to memory of 2380	2856	iexplore.exe	34
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2228 wrote to memory of 2192	2228	IEXPLORE.EXE	36
PID 2192 wrote to memory of 1868	2192	FP_AX_CAB_INSTALLER64.exe	37
PID 2192 wrote to memory of 1868	2192	FP_AX_CAB_INSTALLER64.exe	37
PID 2192 wrote to memory of 1868	2192	FP_AX_CAB_INSTALLER64.exe	37
PID 2192 wrote to memory of 1868	2192	FP_AX_CAB_INSTALLER64.exe	37
PID 2856 wrote to memory of 2540	2856	iexplore.exe	38
PID 2856 wrote to memory of 2540	2856	iexplore.exe	38
PID 2856 wrote to memory of 2540	2856	iexplore.exe	38
PID 2856 wrote to memory of 2540	2856	iexplore.exe	38
PID 2228 wrote to memory of 876	2228	IEXPLORE.EXE	39
PID 2228 wrote to memory of 876	2228	IEXPLORE.EXE	39
PID 2228 wrote to memory of 876	2228	IEXPLORE.EXE	39
PID 2228 wrote to memory of 876	2228	IEXPLORE.EXE	39
PID 876 wrote to memory of 1592	876	svchost.exe	40
PID 876 wrote to memory of 1592	876	svchost.exe	40
PID 876 wrote to memory of 1592	876	svchost.exe	40
PID 876 wrote to memory of 1592	876	svchost.exe	40
PID 1592 wrote to memory of 2272	1592	DesktopLayer.exe	41
PID 1592 wrote to memory of 2272	1592	DesktopLayer.exe	41
PID 1592 wrote to memory of 2272	1592	DesktopLayer.exe	41
PID 1592 wrote to memory of 2272	1592	DesktopLayer.exe	41
PID 2856 wrote to memory of 1392	2856	iexplore.exe	42
PID 2856 wrote to memory of 1392	2856	iexplore.exe	42
PID 2856 wrote to memory of 1392	2856	iexplore.exe	42
PID 2856 wrote to memory of 1392	2856	iexplore.exe	42
PID 2228 wrote to memory of 1228	2228	IEXPLORE.EXE	43
PID 2228 wrote to memory of 1228	2228	IEXPLORE.EXE	43
PID 2228 wrote to memory of 1228	2228	IEXPLORE.EXE	43
PID 2228 wrote to memory of 1228	2228	IEXPLORE.EXE	43
PID 1228 wrote to memory of 1812	1228	svchost.exe	44
PID 1228 wrote to memory of 1812	1228	svchost.exe	44
PID 1228 wrote to memory of 1812	1228	svchost.exe	44
PID 1228 wrote to memory of 1812	1228	svchost.exe	44
PID 1812 wrote to memory of 2600	1812	DesktopLayer.exe	45
PID 1812 wrote to memory of 2600	1812	DesktopLayer.exe	45
PID 1812 wrote to memory of 2600	1812	DesktopLayer.exe	45
PID 1812 wrote to memory of 2600	1812	DesktopLayer.exe	45

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7983a16f84a89415a1b70ddfe1e2f7bd.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1668
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:1868
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2272
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:209929 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2380
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:209934 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:4076550 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d9985aeb8a14d21021b88822702656bf

SHA1
2ed25de00febd9749237f7d303ed3ee982bc22c6

SHA256
54573b64f2bca7896d3895c2be720553024417d1fad62eb8a7f0ad0ff84fff06

SHA512
f1442504adb165128780de5b3fb4b0e670def2adf94fc372a5c4059e5190895bc8f528991a6b3d6536e558e0e5c8c00cb439cec3d540dad3865c4b2266b6553a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ba53e70bee04fe9af72cbd55c5b929d

SHA1
f554ce695c1cbd354cacfd08e9d51dabd9ca2da6

SHA256
62f44c06c4dc39e2a77769588f4638480130b9a9862c2c321351ccc75885cc16

SHA512
9f9a06a9f43fdeeda6f9b382ac60c22c6f5e7a6236d708c6e05bf824a8510bc43b15142a3faaf99130fffd0dc90519eb9212a1d30893fd3ae348064d7ba66bc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebe3eb7bee5d54883e31d3981af6cf9c

SHA1
d5b7c5258557c5bbe674861754453351b8a235c2

SHA256
aab9c3988b08ec053f0a7dcb7c3463bb7ff8a597205793dbc5b694f0779c0744

SHA512
f45efa665b8514860b9aebb8f8908832f349e3775e62c5f97dc75c0972574aca59ba0cefff0a253100dfb24f1d041af1b15e1ad3c475404dcd3d215415a1cea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf1ea260c4c16c5962bc181a7396c260

SHA1
c67c91538498900d806975510508032b7cf3c764

SHA256
75143dae87404d01cf3ae9463e8684804de1f48e6383d6fa5bede4e36a79e7d2

SHA512
cfd73232b6cfab7e8253d345d68cfb15f4ec12fc216a07c36c71a4ee2c61cf5d0728ec0b5a3aaa7de7a93d347a67d68bab513489843a5addb234c3964ab2e3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4906c2db8c85502b39df1a240240852

SHA1
2318b91f28908989b14784cae3536a1f90fb0004

SHA256
ab22053bf5fdecd2159c1ec36336eadc1c0a5ecf2f8b3dc17d34db9bef34225e

SHA512
d9cf925a58964b7c0b3dc15501f94ef2b66d009080c1a5a441bc87e09f3d5cae3b1e1bde840160421196af31932c1f0a7ce6ce77f2b66650578fdfcc55c46f0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fec92735321ee3e264758b49bf7db06

SHA1
edf43dc4133aba14f2f2fd29af7f1c729331e054

SHA256
36c49ea49a15c67967267004ce86f257bd03a996c63821314adbf17638ee87af

SHA512
8afafc3bcac03a87759f0d30f37ac1ca9fb050e0d7f8f5e31d89846b9a3b08578624dbb2e9c121034676eafe5d0677603a766ba364a6f17eaf168fb85d1b7af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
768374f4d521b7adafb079ba21cf3665

SHA1
1f50957ed3f605c45b6d33295de168fcdec8cdb0

SHA256
086dd6e98c28b58143f068c7dee9588b19de13907750b0bb29a8bf050ee8dd51

SHA512
1c089c0c90c09376c3b6f6a5f096c99f2e17100a79cff49d6781c3b4f0877612f8f96fba780879df5808414d006f4d2ee05249e5d4a7ca3d55b4c1d2dcf957ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4b71ffbc451371c0002f65ad1aa107a

SHA1
2845959db05e2510b89dff9d0410840ce836aab8

SHA256
6e8ba7993b60424e86aad334ac6c50af05d275db43928f805abf0fdcb1e05f76

SHA512
389d01b1064c28e25a09da4cee37b79cbf5749f240ed650598ef6ac96e6ae369eb15de350723954f9c7736f1b081fc88ea5685cf0b82f98ee3883be88663398d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
769d8ebad69d8097b09a5f52698e11db

SHA1
fa9eca96040c696cb8698f8dcd74fe3e403832d5

SHA256
1fc70bebc550530556ef53eebc0fbb4593ead3518917f5d7c586bbffd8f11615

SHA512
867d2f3b1f72e19f82252f656da893e322e29f7e627d347068961e785585bbf1c7275334ba9c370fb75c1b53c5a9703a80e90ad82f0a269ec5a601455382f219

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0945c6f9c5233220f178929e8ecb80ae

SHA1
c4b79a9012bc82e884dafc6592d63f0f1007801b

SHA256
3783ebd6b3cf7e749630bfafa94f4c59852a82ecb45f83f6a9129529f989c602

SHA512
d18b44373bbc88a547aa38a77051a501b72324356910dd20d087cb1567bf9e82433c37a5f1b916d4f180f8de2e41b04606393aeba00cafd88e200d1f1a92e82a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
240418c237545690cc05d177e8bdd605

SHA1
8e60a6ef08cfe2dd6b5f062d52177da75a18c47d

SHA256
25550aa288efc408b5807f63de0ec6b8264c235dd8413693f3e5006de061b15a

SHA512
54762eb8e01df34e1d9dbc3ea8c3daff903ee69c208fb5b07775eed196780e17c616b0a77584528da2da8d748fd54131d7e8003c70602b96fa6529afd042437f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b11110bd5accfbb2e9063a371a0aa3c

SHA1
a6cc24788e8647f7831cfcdf52895e14b591a3c0

SHA256
7f17fb086875d9b8aaf1775b49dee76fb6c3638d25e17a8bdfb4fd857ec5c0e8

SHA512
8f59b5c1344409f0acb30c09aaff3fcc15bbda9f7bcc8a7da5a1eb2879f448827fd0709dc5c6e2435e67698ae15fb9f42ce293c67a1a746e8ce7aebf598ca96b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a81058e7c6cd7db12cba47ad169f0ef4

SHA1
a0134749c4f3481d3f42632af33d336ab4eb558e

SHA256
2daba6fe5ff04a23156daf73b882d4d89a8fa2e148bb9255e2e4f1adc9e33a16

SHA512
02dbf7211177e987800eab44aecbaed1b1db956a88c432e9dad714d76cb246859e74350a027ad59633669a4b24724da6bbd46069cc948f961581f9d8a66af6ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cfa56650726a5327acf49957f15ad0e

SHA1
ff37427965fe7b47dab05febb588aaba3c605978

SHA256
bd0b4845fcce2fe600fe1297c32e6a0f2da9e9543cf390c2cecc865aa839aa5a

SHA512
7d578c3fc58332e764f3c5d97f633a3790fc5926a659835ecd282a05e63a98cd1fb358d407ecdcbc4ce32492dc1afef41b5d656abaf6fe95c3e8ae41aaf496a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b1bef08c982a4e3338db51dd153564

SHA1
fb2c3f97f6ce9b87f9cbfe9cee56309fe1da823b

SHA256
49eefb262066ce3069ca326b85e8bc665180f06fc6b33696bb8f2613a7f3ecdd

SHA512
abcd5e8b7256d67725c6cc91fe212dfd53fe3d4ae3c59dfbd79bbc91c75570769775de9ee685d35f5a557cc87536af4484d60a269a123fd280d9beb51ce56906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dd3a5052c0601b279e455a9b39461b4

SHA1
2024b7c4c117d159729875ade9ba4dd9c2172edf

SHA256
dcd19b8bede3c240e2e57b67ce72e42affe6639920cbdc450cd0760046991854

SHA512
7dc91404cc86edb4dd50de8135d5ad14037bdc5a3fcfd4bae0961af61ae6fe2f939f420521708cbb9be75630a08ee99a49f9c1f2951dca81200355ccd146c5c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1efb6b4f673ca7ef7494af0065f14a2c

SHA1
62c07e207f64ca62541131dab2e7c60f82d6ea94

SHA256
7a51fb91acacce8f0cc2290f8ef052fa68e0b6e6d6defcd143e1b0c34d6d2e56

SHA512
1509e4cc214ea2d3d360f8d90243a398977c05aa593590a496c066561aab9f619ef107ab7f123798dfec558a311f30433e76a130ff607be402afc6f193ba2bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2b4e7fd8bfce98ccb0f467671ec49d4

SHA1
6124b72ba1ae4e83a181e7207c6ab141ed85e654

SHA256
022096786db661382159cb6eb38a278336c54d2db8680df2a717bcdd479e21ad

SHA512
ec591cb005961b5c614ee1e460bb981906f56b3715b894013af0f65f51c61a8a40eb3aa9ae802f06b248e276fbe6d67bd7c5eed28956b4534cef4dac08d4f456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2849ec27559f29fe91c76115f62672f7

SHA1
11491a5181eb69370627380a254eda072e318760

SHA256
65ac910e5e6d629400282df788fc12479d8849cc39b5fbb73dd735e1b3dd6867

SHA512
973d4af374e697f7034c43d8f3b25276ef908f1060122867e7166eab5a7136a57a87174c3eef69c47704607fbc72d7be5d637a50fa7742ca36bff4a6af82c961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
572ca8587c715f155d1d33456505c20e

SHA1
68677e2b81db7eed506dec4323b03995a4424403

SHA256
60d2b5c668442d102c688be99d6e6651422da90263b0d6bb326959437ab84e66

SHA512
05b79091bd04dfca9bd8616b9eae79dbe03f45d99f73194725646b4fadfcc6e6f3458cb0f351fd2db41e597ff8d3566cc0d8dfcf96dae009e2d4ca4b1d4aebf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
24c409843c2bc9c8a3fc59f0f2996ba0

SHA1
6c897d7f371a1a68bb6bbe7d9907056784273cba

SHA256
18a4d8755f4a3a168827263befb8749848ec2099a3c4c5c2108ad14643431396

SHA512
de155b5324d345510f89846ad8b06746c4cc4ba76ac445265ac68f7c9350ea903ca7dd0c7b55e552f0408d272953c53947ea3eb1996ea3c922348a9838bbe56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab64CD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6618.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1592-129-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2660-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2660-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2896-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2896-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2896-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download