ramnit | d46a7c64293e0e1f79b5700af27dea44cb422ad88bf1dafde16f5fbb58f6b1c8

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30/01/2025, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63554146034980285230907f0a70147d.html
Size

524KB
MD5

63554146034980285230907f0a70147d
SHA1

e42a8e43dba1061451b580050781c1fb812c4e5f
SHA256

d46a7c64293e0e1f79b5700af27dea44cb422ad88bf1dafde16f5fbb58f6b1c8
SHA512

92438ba9a6d7f40727e826dfcccd43a85af6963741817d8c7a29c0e2371e4d7ca0799223bfb28fc3f95ab1b6bb0f16e2b5ee9ce30ccb1dd9b2aee747da67f1e4
SSDEEP

6144:oxuvgNV1WAzLIwBMEAbR8GJ8WssIycfVUyaK4SnqKx1nJ08h0X6oUU:8uvsL52EAOK8cIyMUy77nd/nxKX6oUU

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a3e4-407.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
1156	FP_AX_CAB_INSTALLER64.exe
1400	svchost.exe
1948	WaterMark.exe

Loads dropped DLL 7 IoCs

pid	Process
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
1400	svchost.exe
1400	svchost.exe
1400	svchost.exe
1948	WaterMark.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-416-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-374-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-373-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-372-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-361-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-360-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-359-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1400-358-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1948-954-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1948-1316-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ur.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	svchost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\WordpadFilter.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\TRANSMGR.DLL	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ro.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BULLETS.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	svchost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchobj.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\libvlccore.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPDSINTL.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\SETCE37.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETCE37.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e271493dc50824f8ecdf336feffc7f200000000020000000000106600000001000020000000dd628aad7ecf83d286e104c049468e0871d51a750c5027f59e8338735a605bfa000000000e80000000020000200000007acbfd4174c5d1a88fc2dffba617594739537a63b33832bef5ede0a22c3aa3ed900000009e893bcc6a8168ec088d76590e2fb35ea588db066f4df1f7b0e6eba77e55fcbce8e9937be4f33c5ea7d7ddc6ab10fab87fa9167c4352b464c4a5dfd1deb579314d5670edc6bbda56baa904e6267c6959c68b6efe3e8a6ef1d54ff1449f3550be1da9c38e672eb6970f62b90a4fc24a975b8630638368d7a74275ae1ca29fbccb0d7dd6ed1f6bf097e873448cdf69a0684000000020ba751104e8ce8e0ebf70edaaff7df291911a958ea1fbf635a6f235008e7fb08fe4818af1e1f2c07779e45c8b12168a224241e528890a55aa52ebc8a0fe2389	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0121DD11-DF10-11EF-9452-E2BC28E7E786} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008d8dc81c73db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e271493dc50824f8ecdf336feffc7f200000000020000000000106600000001000020000000b58321d435b745f6a63be48bd52f78c429f446e28d89b8127627fc50bf0337c0000000000e80000000020000200000000c99520a2cf3672311f6c39ac757ab7f30b6c40add12f0da8254eb8ea03135e2200000000cd88d69e70b64a44c924a5a4b8df5a6ad1c0749eefa7a6f486a8a417e70c84b400000004822d12f1c364d6e6a93f697c99a7d8a4c699ab74932b63f49a4f028ce11599156b0763ad8c896445f6858dc4526b7889609d3361640539c358e2f9efe18b7ef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444406399"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1156	FP_AX_CAB_INSTALLER64.exe
1948	WaterMark.exe
1948	WaterMark.exe
1948	WaterMark.exe
1948	WaterMark.exe
1948	WaterMark.exe
1948	WaterMark.exe
1948	WaterMark.exe
1948	WaterMark.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeRestorePrivilege	2512	IEXPLORE.EXE
Token: SeDebugPrivilege	1948	WaterMark.exe
Token: SeDebugPrivilege	2620	svchost.exe
Token: SeDebugPrivilege	2860	IEXPLORE.EXE
Token: SeDebugPrivilege	2512	IEXPLORE.EXE
Token: SeDebugPrivilege	1948	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2376	iexplore.exe
2376	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2376	iexplore.exe
2376	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2376	iexplore.exe
2376	iexplore.exe
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
1400	svchost.exe
1948	WaterMark.exe
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1400	svchost.exe
1948	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2512	2376	iexplore.exe	30
PID 2376 wrote to memory of 2512	2376	iexplore.exe	30
PID 2376 wrote to memory of 2512	2376	iexplore.exe	30
PID 2376 wrote to memory of 2512	2376	iexplore.exe	30
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 1156	2512	IEXPLORE.EXE	32
PID 1156 wrote to memory of 1948	1156	FP_AX_CAB_INSTALLER64.exe	36
PID 1156 wrote to memory of 1948	1156	FP_AX_CAB_INSTALLER64.exe	36
PID 1156 wrote to memory of 1948	1156	FP_AX_CAB_INSTALLER64.exe	36
PID 1156 wrote to memory of 1948	1156	FP_AX_CAB_INSTALLER64.exe	36
PID 2376 wrote to memory of 2860	2376	iexplore.exe	34
PID 2376 wrote to memory of 2860	2376	iexplore.exe	34
PID 2376 wrote to memory of 2860	2376	iexplore.exe	34
PID 2376 wrote to memory of 2860	2376	iexplore.exe	34
PID 2512 wrote to memory of 1400	2512	IEXPLORE.EXE	35
PID 2512 wrote to memory of 1400	2512	IEXPLORE.EXE	35
PID 2512 wrote to memory of 1400	2512	IEXPLORE.EXE	35
PID 2512 wrote to memory of 1400	2512	IEXPLORE.EXE	35
PID 1400 wrote to memory of 1948	1400	svchost.exe	36
PID 1400 wrote to memory of 1948	1400	svchost.exe	36
PID 1400 wrote to memory of 1948	1400	svchost.exe	36
PID 1400 wrote to memory of 1948	1400	svchost.exe	36
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 1592	1948	WaterMark.exe	37
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 1948 wrote to memory of 2620	1948	WaterMark.exe	39
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 336	2620	svchost.exe	2
PID 2620 wrote to memory of 336	2620	svchost.exe	2
PID 2620 wrote to memory of 336	2620	svchost.exe	2
PID 2620 wrote to memory of 336	2620	svchost.exe	2
PID 2620 wrote to memory of 336	2620	svchost.exe	2
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 392	2620	svchost.exe	4
PID 2620 wrote to memory of 392	2620	svchost.exe	4

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1684
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1644
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:776
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:340
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1048
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1344
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2956
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2444
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:496
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63554146034980285230907f0a70147d.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
      C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
        5⤵
        
        PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1592
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275465 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html

Filesize
469KB

MD5
ad1f9ab6689fa6a4ac43dac32ed365fd

SHA1
010015e45cbe5858ba368da64a4f650b715d9a32

SHA256
8ccfaf665feff4b7b567efebf6e873fec710e57e9a93b3393675e3782184a836

SHA512
2a9d77a6e952e22bc68676106c3e7c9fab193def8e49d94fb7da8af10ffe1f5f717ec107740f148e7644c523525f7cedf272f0c0244885df67959670b6eba84f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html

Filesize
469KB

MD5
fa8aa177f82584a4e23ea990fbdeebee

SHA1
c0fbb12d6b3aa2d7437d11d0da868581bc8c621c

SHA256
ff6724b7707a7f88f45b3f33e8b3e01a0ae0c9c1726a7aed84c91c4242e7d013

SHA512
5ca5658b98333c9a7724ff3ea0049e7787faab6973cf7a7ec5f3f5d95a06922ba05e5bf4cc16a8e47ed16f9f1c336df67a301104b39958b973d628524fb31252

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html

Filesize
470KB

MD5
754ca0efcd3f2a106261b5fc46ffa9d1

SHA1
22720282f83a225a310e8f170c9bc59253a950de

SHA256
bf37e5ce78a3d5bb39223aeff91e313167cc15a53658c76271182cf8a68bca7b

SHA512
d4e3cc57713419452f64b0cad0ca0d73a59d87aad0ced1251c1c059b2b38e0c18ce1d877a1e056763f6297f31b5145d7619ed918b77fb9b4678bf56c73e44661

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html

Filesize
469KB

MD5
0610381d46b3d19dfd4a6b19b707db71

SHA1
9aeb46cd158ea79546b2483fef66769118eb6421

SHA256
bd4e6d13ddf033a14d671706a3144fed36cc67cdf45c3df9ea084c62344676a9

SHA512
c72457e1c5e0c1a71664214b9f1f013aa98b9bf1bedb4d7dc5b5ece555f83a79782c5b0c74c052561c0584a4da2141fef586548d30eeae174e5f31feea785ecd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html

Filesize
469KB

MD5
afdbcd636a20aa1eb9e76133a1655a6a

SHA1
a1603fa76e3438039620c4570f1b5c9efead9401

SHA256
8abee1fe520ac492b047110e1742b90e315888d4ac78c177e84c06dde292f471

SHA512
6786e7340429223e77908326988ddc56acdd375123835f2123103a6ed1e6e5ddee506b92cd0a337e81bdd3d02473efbab57d3202f2c90b458dbfaeb954794592

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html

Filesize
484KB

MD5
9935148d1b28a3b4eee0047fd192f147

SHA1
eacc64ab1d4ce5bb5d9c227e1096404ae5f983d6

SHA256
6687fc240ef32e080536e1414c7a02f9c9e4e12bcc99e0a74eef4e0693c871d7

SHA512
141ac2215d44eb99515f0bc371a654647956b991ea20af6e6786e839ccdec2ee35fe43b887593177a8a90581d88132712ec58e1f6352f6464762eecee2c53a2c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html

Filesize
474KB

MD5
2b613d65a35e44f86f798078dc2be7ed

SHA1
860993e226d459182ea0b4568b7d5f267dc0c82b

SHA256
5d207d01737211e14eb2c646ae136efd97c3dac9b9442206ec6f21e13c5c0a4d

SHA512
51e6b65023382c9a094da942835c0c0bf8e773a6ea81f830900bca914b73fefe3947ffe7ec4948646b68740eeeedd2029405dc3c95b7102955ef7a60a0ccd137

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html

Filesize
469KB

MD5
da06dde92f0968bbdb7ec4292a8c3966

SHA1
3c079915c0a627712ae29ee4555cb0be64beefbd

SHA256
0240752e2eefc13a0d24a2344941a1b6025087bdf7d7546a0b6678dad0c5e399

SHA512
6f8301f59518067042d9534c5de1c11860797f4c70e594401b43d763ad36df075db134a5a15defed3d9d32dcbe1ad6bb8cf92c9ede6c03c96595459218fd955e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
480KB

MD5
0fd3a78644c98e56e8f2ff53a8415ef2

SHA1
72ed826aa2ed62991c15aabf42d0a776572cbcc3

SHA256
32a1592e3e4b4529d4049cb0f6b761103232ad07e80bb4ac763b8fed9843ea9e

SHA512
232e9698efb5097943a6600468a8b0fea4c598a36c7b5195561d165e138e4f9e4065621bab92e21e0757c57599833b1b752d4d3dadac9e3aee44f01a64fa096b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
477KB

MD5
533dd2a7bc395b59819d0450b4f4d42f

SHA1
799674d79a2076f8eb97989b483817cd92802866

SHA256
d081776c2dfcafea43e66d819886ba8333b32a2879891941ac988de0533f0e7e

SHA512
e4ea140607bbd3c3b6cc1c4c437ca89b983e432dc999ab5ccb4aa3f395218905c850875a2090e491ff94abdb8e296240862df588dd017a6f52ce2e06b599f371

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html

Filesize
483KB

MD5
5848d3f8a3a98068ecedc155eb92a32e

SHA1
8cf49a6668a06221cf6d468f1a60cbf1c0b63c12

SHA256
e4213dd0d934ccff6355f236e81424bf8c4d75657d55ef5b344b8520b8959304

SHA512
802d26f4d8893c374939b1d0789eeee80bb559045596afadaf1502b798cf1fe3fab3a4d408594aab64769c4b5cd5fa6322b1f2626eb9fb0a406898a3abb054ee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html

Filesize
482KB

MD5
b7e03ac035d9eaa89f705dfce90ed3de

SHA1
bf1e1d392d79f739c40d879f158447134cbab2ea

SHA256
c17a3aaf511dc1569d015184d7c83b9ebcf1fecfb83eecf879612a05d0182277

SHA512
08903fa8508b14dc5e14229872c774ec6bd3cf6d26e2cb72e8ea44e22f58831ebbfc92bbafdfea67a2ec017b7378e8950718bc8972bb9ad1656d0cc316325364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a3c58534824b33bbefb934ee26e6c9d5

SHA1
044a88450d68581b474f72742b0d0f5747d393e0

SHA256
a690e6d37d3d1d3fa8f09dbdcfa42afedf98e74f2d79b57dfa5e414bd49c81e9

SHA512
5cce83745af3ba354e6f342bb4e6f6f401796028dc7438581442b2aad873ccdcd7721807a4856a6d0a57bb6ff3c536926b84354c10435a2bd8d1c5edae0c413d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06a05d894e88de8e6a4a42dec6293f63

SHA1
4a4a9aaad1fd09305085c61730b517afb4e96eb6

SHA256
843500e3c1d824b3b1c3faece157b6737b36e2e30f38cfbda0577af1b1569230

SHA512
7e54dbae16af3c3de7f63edc020a66c06bc0a90c4bf6af8edb57ca1a5320e408ce0f3cfe2e989149136ab4088838c373a689f7908099d297d12add87523c7bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc041c0c4cd73cc0ffab9a524d3e7bf

SHA1
67ee4e08e24cf517f655754266c2531599b7eda8

SHA256
288b0bb0fa9e33e22b9fd86d0de1aebf9c2a83dc5f94a1d69fca62f4e0fcfbbf

SHA512
6e17a0334d28cde18a026300058aec2a5bfceb07f2d47e9d731697f3389295e9f5a94d669d3d51730128da1f7b6b9705719a826675657ac3b19786a9bb2d81d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6ebe8a2944846b7a581b5db26da7b96

SHA1
aab289cbdab2aba9be6e748b437de0a7d49d159a

SHA256
ed45326c07dadf254a3db448dbbd5abffa88917b81a78ec662073945035e3804

SHA512
6710f73a8761b3d49c71305c3e50d4f869172d7c7fcf54d90a5ba4b4a3d2e7126b115c050a460e8f15b0469bff82e35b40a42cc9dff6b2b2e203c8ce9e59516f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e039c53ab3aa30f3973150a07069abe9

SHA1
6d1433102009c61ea3d1969203613274ad57e41c

SHA256
39671aa30417c9bc5bfbae468df221fa38fc0741e500461f392bcb4a54d7413d

SHA512
bad6cdc29e4116056084a7a9692ed5b42301e81b0ea6dffaa41f51c4f8202153942c56db232b1a432e57f111483d2af744984fa551a2cd1743739c7068f8c84a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd9447f73c1dca94c356197403da37d9

SHA1
ab36105136983318ce3de98288482b4c8dc38b0f

SHA256
e385b1a9c1852104666c82d8cbabca198d7eaa24b2fe2fa0952a4f5e506ecaf9

SHA512
5b14e1cc4be4d2b5ace87ab3ccf27bb77c1f6bbb9663559b082584a1726ec62b73b3c63a37db051a6572e6e9ba9b9d1235af32aee5604d5fd503c7478276c18c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e16dabf249254f87370fd4de85251af9

SHA1
faa85acaa9cc5a5f2ffa86ea52990925c45d9146

SHA256
2f953a481318760edf273d7897774aaba297e7af7f871a8fdca5453470fe8b55

SHA512
fef9804c92bfe1fc09a58fbb394e38d341e608cadde9fed86dd9455a92b44ddc3b04d89041f893239a226dfb2968e111ac570aecd3bb335426de848a945dd090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67f6c72bf3f95aaa10e9ff805f94879a

SHA1
6a1f7fe81406ecd329e07fba3b663ae00a5259b9

SHA256
85cc6182387e4265246f8d93a5cb8ef0c99bab52c88aeaae0f1baf14a57c1622

SHA512
af5ff2306b8104993034e1c1c16bb782be710bbf82288ea53ab69761de029b6a314bf50ab52a549a3cc8cde0d500b0056ed6d3079c86a9cc2d8266e706e3bc34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
669e54f9322ba5e53837d77b719e09f0

SHA1
358e8b74bc0780b471a4d7235e27c242edbc93e5

SHA256
c57a0786335ed041c8840bbda42b863a77f03a724359065da62a2dd8a9bc6ee3

SHA512
214f5b03c1d5c0aa6d10d457be748f1a87ccc60cd7d2575404bac2327caf8b08adb3c54ff3b9348c979180128ead62ae89fb1d1c6a65aa5e58d27d88c706a569

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e7d4866acfccddf86f3bd793d51c46f

SHA1
7e5cae3e0ab73d9efde11806ea61349daa987f75

SHA256
54dd8fe15256f6857692388bd06b187f3813d25d428e69d71d4f9b4b8a1a83b9

SHA512
d9f20f0db877c36dd0225f66414d368069a2fc9d35682cb0a591132beaf71e2ce5c67066b2e9edc0f8cb228ad42bc2c71fe99163523454a9290bd996759c9122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c00d9d1805596f5697bc026f960c167b

SHA1
b3af9f923e74043f635d80fd09f4bfeb9c39daaa

SHA256
f32df1378842e19440d1a966b82163d962973ca19e9c10fcd35a466b4d06c5f9

SHA512
d48fd15af502b305e3c04fd8b4eb60069416db10920fdea1c169ef2528a2db8e274d9e01eda99611f9bc66dcd8e5c9363831a6033be6959a3cd0b1f32e3f3e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
745982de68beb4365db82728d54ecbe3

SHA1
9b58c2c3ced19e1caa7e963318307415c0edb758

SHA256
8fd21e4cf0f97fa8eb8a39b65d58daf30abd79cb3fd6a03306b60b0f54e7a9bc

SHA512
72955949fb09db35b900ed57a54b86f5740ab9073a8714ae8f4d004ca014793c92f065a77a4d604501e0eb2f6064caa626076b8776572fb39113b9761d4344fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef6e561f43fdc50000d50a08d0ce48d2

SHA1
f92289043c9639908654538892073ad7992c4dce

SHA256
b8de779d176c3a8a297a798675fe3529afd773e0d768f996883eeb37d610de99

SHA512
1c76ce6860529b522954ae1481bb2bea6ba2ba12ff7ddcc213f30b64518d670759dc7f5ff6bc66f587a01d6e6e56604dbc17ce392dd2a479f4e08be89fa022cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1872e93ff9716b7c5227eef5cd9f55fc

SHA1
be9c5dcf38d15bc7a2b46bc379b741aa37abccb7

SHA256
adcd0bc1c9c2e6a30a033ac3dcaaeff987271a95511ed4f0deec6c129d1c9dae

SHA512
d9a70cd7e7775f63c4c4eea255846459312e5725c114c44064f4be1d54fe1767b131a4f5c586f4902d4a1a83c986a6f59b00366d549aa1e21981427ba5644aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ce469e35a2146fd5b93cf963c68d9c9

SHA1
f1a783f15a22b59662023c548490ec47240f01ac

SHA256
78ea15fd8f1da3edfe3a035e538ee0565a91c6ce9d7f8f3d5082a4dc2053a715

SHA512
e9132e0e747c1f1e3c7aeaa3a28eefe3de572be3b8ae1c9f39fcf31e7777f2b8a0f49f5f9376be28e91357cb62436bfe34524c43e38c38cf5c833b711034d536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc1c243bf102de5f1d5308b630a0ab2f

SHA1
0aa7dbea2fda64afa3d3cff1be83b561bb4b3905

SHA256
f4c949605a364492c5809e1bedce819a248b4182458ab03b1f85ae67f7a0ca36

SHA512
cd1623fc4ea2c54efd3d9d62a84a7072e6d413e9e84f7d09d60ed870ea8cd02b58b8e63587434958cc8c698d21b11d79881607e6c3938a4b08f7d10c7d87b5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b272e4c1667e2e9042690ac1c26592c

SHA1
10f7f4b7b61ed020cf9052aed5462f5491199670

SHA256
67c3f683665e4fa4f9f80fbfb5b3b26f4d86d858bf6611ed4a210e758cbcc605

SHA512
ac6e0572766e8bd16ff3a0b66043a9a1d027c6c5e8a0e9cc6b48f719fc68d95905618867701ff1c78c5a277f2e51d5d9597540a7d9d7b15a35a3a937b7883c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e8212347b5876f8c7438ba18f2b72eb

SHA1
5f59b4ac7af48783e609587acc83e24078c606a1

SHA256
99aea4e665b69a52f09f7e2ec579b3b912302564d5d23fcee884ab0b8b3865db

SHA512
47003cafcb0216607e9ac82afda84d0103db285b41b1378b48d12c393d31553782ca9863456f915d1d1a2a6a740fa2e7a5fb899d9f90dae5c1aeb5d6af308bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
820f83fb30e30de1f3ac96ebd7984e7f

SHA1
c21f389efe6c6c58f41f64205ccc20f10e10d824

SHA256
696ef207b9c4160d2d48f3beced42949b64c619bd0f9b953c6cbc2be75cb3b3b

SHA512
c002b8212b80f97725bf89b79978ab7a8f52f11d27fe67573c49703cb60feb287982878505591281db6f22c0dc1a28f94d56297321f5e8df4848fe077e36375b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a9e94421b13581a2bb86a8ba42f4f44

SHA1
394459b38f595741759cee16e861873f1175958d

SHA256
825c304e9a554cb61576dea80d39e6acb9166071a14aac4656b81ebef252e422

SHA512
f78b41e9f5644aa5ad90030d1178bc327d210df8536dd34e0e1011f4becb55c09299fa38ea2ceb583cbd3b733ff314e2f0543a5ee2aea0e86355109b18ba1c6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e6f732c17921eeb0a79d0b26664953ab

SHA1
88155798e660f92a2d1dd69cb74337d07a0182ce

SHA256
40e48a77c419a24fe58cbf212e7a138cdc238b7431ced913aa07573aa85e0754

SHA512
3ff457cf555d24d13c1dc612f070f20e2b29136de268b3234b2785b7218694e895a0edec79b83f9246995db7f48ae0e3a0ca23ae5a0f9da4a8c28a7d25e6b86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\S2WURM0K.HTM

Filesize
469KB

MD5
1cf44520eb2baa93895e581bacbb00bc

SHA1
9279286cafdd95795839cc88ab9ffb96e2f8c74f

SHA256
3e798e071bad7e15e4013580cbcd2f38d021924358877dde0552cc71cf3ad0b3

SHA512
fa11ba235bdf6c6a96ace893b49697114623d2524a99d7f82b4b72168040cebcda96dd3862da49506acbbd5113b38fe037f0eeb103ff7f8c252cfc37803dd749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\jsapi[1].htm

Filesize
237B

MD5
362d5b448e14803e150656f8f2b2064f

SHA1
46e929aad5f6323e61c895d51c8fa5f46171f16e

SHA256
9361792c2d970710b9e66bb86b6dc9b17dab59a9294a30a5790bdb1e92b38021

SHA512
0c81743679bfd703c29666e96255aed50ae07bb50a86496c3da01cc32e4b6a80cdde505f6cd3699dc01c3f0cf062fe534450cecdd976fc40632024a6186a9d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC718.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC72B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\vcredist2010_x86.log.html

Filesize
549KB

MD5
ebb85a9bc0e471fe2cf166c75d4048dd

SHA1
29ae096ad892923f3963bd9d4cfe9b0539a7ed64

SHA256
557e1f978334b3ad0cd2dc3576ba60b33512b8c4a6c7c60d19f87d50d8ea0242

SHA512
8a2e436c042e51eaaed18c4defe687c2e06037bb675495eb2600b9ea0d756bc75365048e7a63ca7b555e6a5e44bde6c5d200bb5c21c533e0bf5b37475eff7182

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
233KB

MD5
7f064dc3b475aa06c221241ea5aba118

SHA1
cb4a5f04cca160a8e9eddefa5d848b705e9faceb

SHA256
0fb165fedff4cb57e3a5c78d6b0de772ee56fc4eb2b0df609db1cf43b4d2604c

SHA512
e6208c1d050a382da571881986e2e6d97525e4693df28717a6769f19b58ca0a8dc05bd86a310360618dc2c8c37a989970016aace380e2335410c6c6b4f0a2580

Download Submit
\Users\Admin\AppData\Local\Temp\tulD1C0.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
memory/1400-335-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1400-384-0x0000000000210000-0x0000000000284000-memory.dmp

Filesize
464KB

Download
memory/1400-360-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1400-358-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1400-361-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1400-374-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1400-373-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1400-371-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1400-372-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1400-340-0x0000000000210000-0x0000000000284000-memory.dmp

Filesize
464KB

Download
memory/1400-359-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1592-457-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1592-429-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1592-443-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1592-458-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1592-459-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1592-456-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1592-438-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1592-431-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1948-953-0x0000000000120000-0x0000000000194000-memory.dmp

Filesize
464KB

Download
memory/1948-417-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1948-416-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-1317-0x0000000000120000-0x0000000000194000-memory.dmp

Filesize
464KB

Download
memory/1948-415-0x0000000000120000-0x0000000000194000-memory.dmp

Filesize
464KB

Download
memory/1948-389-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1948-639-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1948-954-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-1043-0x00000000779CF000-0x00000000779D0000-memory.dmp

Filesize
4KB

Download
memory/1948-1316-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-418-0x00000000779CF000-0x00000000779D0000-memory.dmp

Filesize
4KB

Download
memory/2620-657-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-656-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-659-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-655-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2620-651-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-654-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-641-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-658-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download