8b8524d99c41e32912669ff4be7aba713495ad3fc03e345c5a7e16d473718e48

Analysis

max time kernel
422s
max time network
1713s
platform
windows10_x64
resource
win10v20210408
submitted
06-08-2021 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Raccine/yara/yara32.exe
Size

1.4MB
MD5

3c925b83553cb7c6178622583c400a0e
SHA1

361374efb75d6fe4510f529cb5a30e4159625b00
SHA256

e61f4b167e36da4e2fd182bb6764c174954816e72b27f65d33ae302bc8fcc92a
SHA512

1e8027b13dc39190018e63da515985960acecb25758a8c0df5dfb7b5fb231fb0ab794763e1907bdb28ddfc5e2be29817f5a54fa3221a5910747bb7360168537e

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

IEXPLORE.EXEunregmp2.exeIEXPLORE.EXE

description	ioc	process
File opened (read-only)	\??\F:	IEXPLORE.EXE
File opened (read-only)	\??\J:	IEXPLORE.EXE
File opened (read-only)	\??\P:	IEXPLORE.EXE
File opened (read-only)	\??\Q:	IEXPLORE.EXE
File opened (read-only)	\??\S:	IEXPLORE.EXE
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	IEXPLORE.EXE
File opened (read-only)	\??\V:	IEXPLORE.EXE
File opened (read-only)	\??\Z:	IEXPLORE.EXE
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\H:	IEXPLORE.EXE
File opened (read-only)	\??\J:	IEXPLORE.EXE
File opened (read-only)	\??\I:	IEXPLORE.EXE
File opened (read-only)	\??\L:	IEXPLORE.EXE
File opened (read-only)	\??\W:	IEXPLORE.EXE
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\F:	IEXPLORE.EXE
File opened (read-only)	\??\M:	IEXPLORE.EXE
File opened (read-only)	\??\O:	IEXPLORE.EXE
File opened (read-only)	\??\U:	IEXPLORE.EXE
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	IEXPLORE.EXE
File opened (read-only)	\??\N:	IEXPLORE.EXE
File opened (read-only)	\??\A:	IEXPLORE.EXE
File opened (read-only)	\??\Q:	IEXPLORE.EXE
File opened (read-only)	\??\W:	IEXPLORE.EXE
File opened (read-only)	\??\U:	IEXPLORE.EXE
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\B:	IEXPLORE.EXE
File opened (read-only)	\??\V:	IEXPLORE.EXE
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\I:	IEXPLORE.EXE
File opened (read-only)	\??\M:	IEXPLORE.EXE
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\B:	IEXPLORE.EXE
File opened (read-only)	\??\L:	IEXPLORE.EXE
File opened (read-only)	\??\Y:	IEXPLORE.EXE
File opened (read-only)	\??\Z:	IEXPLORE.EXE
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	IEXPLORE.EXE
File opened (read-only)	\??\G:	IEXPLORE.EXE
File opened (read-only)	\??\H:	IEXPLORE.EXE
File opened (read-only)	\??\X:	IEXPLORE.EXE
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	IEXPLORE.EXE
File opened (read-only)	\??\P:	IEXPLORE.EXE
File opened (read-only)	\??\K:	IEXPLORE.EXE
File opened (read-only)	\??\O:	IEXPLORE.EXE
File opened (read-only)	\??\E:	IEXPLORE.EXE
File opened (read-only)	\??\Y:	IEXPLORE.EXE
File opened (read-only)	\??\G:	IEXPLORE.EXE
File opened (read-only)	\??\K:	IEXPLORE.EXE
File opened (read-only)	\??\R:	IEXPLORE.EXE
File opened (read-only)	\??\T:	IEXPLORE.EXE
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 6ead5207ab2cd701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3355354983"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30902986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30902986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30902986"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EC7780EF-F6BD-11EB-B2DB-52F460BD0637} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3250198713"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3250198713"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3253167405"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30902986"	iexplore.exe

Modifies registry class 2 IoCs

Processes:

iexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

7116 NOTEPAD.EXE

pid	process
7116	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEunregmp2.exe

description	pid	process
Token: SeShutdownPrivilege	5888	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	5888	IEXPLORE.EXE
Token: SeShutdownPrivilege	5800	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	5800	IEXPLORE.EXE
Token: SeShutdownPrivilege	7364	unregmp2.exe
Token: SeCreatePagefilePrivilege	7364	unregmp2.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid	process
1276	iexplore.exe
1380	iexplore.exe
1588	iexplore.exe
668	iexplore.exe
4172	iexplore.exe
804	iexplore.exe
1692	iexplore.exe
392	iexplore.exe
508	iexplore.exe
1780	iexplore.exe
1080	iexplore.exe
632	iexplore.exe
1112	iexplore.exe
492	iexplore.exe
392	iexplore.exe
3344	iexplore.exe
1076	iexplore.exe
860	iexplore.exe
1128	iexplore.exe
1752	iexplore.exe
1208	iexplore.exe
640	iexplore.exe
1216	iexplore.exe
676	iexplore.exe
1516	iexplore.exe
1620	iexplore.exe
1480	iexplore.exe
1420	iexplore.exe
488	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1112	iexplore.exe
1112	iexplore.exe
1380	iexplore.exe
1380	iexplore.exe
1276	iexplore.exe
1276	iexplore.exe
1620	iexplore.exe
1620	iexplore.exe
668	iexplore.exe
668	iexplore.exe
1692	iexplore.exe
1692	iexplore.exe
1588	iexplore.exe
1588	iexplore.exe
1516	iexplore.exe
1516	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
632	iexplore.exe
632	iexplore.exe
3344	iexplore.exe
3344	iexplore.exe
488	iexplore.exe
488	iexplore.exe
1208	iexplore.exe
860	iexplore.exe
860	iexplore.exe
1208	iexplore.exe
492	iexplore.exe
492	iexplore.exe
804	iexplore.exe
804	iexplore.exe
1752	iexplore.exe
1752	iexplore.exe
4172	iexplore.exe
4172	iexplore.exe
392	iexplore.exe
392	iexplore.exe
676	iexplore.exe
676	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1128	iexplore.exe
1128	iexplore.exe
508	iexplore.exe
508	iexplore.exe
3216	iexplore.exe
3216	iexplore.exe
1780	iexplore.exe
1780	iexplore.exe
640	iexplore.exe
640	iexplore.exe
1480	iexplore.exe
1480	iexplore.exe
1420	iexplore.exe
1420	iexplore.exe
1076	iexplore.exe
1076	iexplore.exe
5208	IEXPLORE.EXE
5208	IEXPLORE.EXE
5224	IEXPLORE.EXE
5224	IEXPLORE.EXE
5200	IEXPLORE.EXE
5200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1588 wrote to memory of 5208	1588	iexplore.exe	IEXPLORE.EXE
PID 1588 wrote to memory of 5208	1588	iexplore.exe	IEXPLORE.EXE
PID 1588 wrote to memory of 5208	1588	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 5232	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 5232	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 5232	1112	iexplore.exe	IEXPLORE.EXE
PID 1276 wrote to memory of 5224	1276	iexplore.exe	IEXPLORE.EXE
PID 1276 wrote to memory of 5224	1276	iexplore.exe	IEXPLORE.EXE
PID 1276 wrote to memory of 5224	1276	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 5200	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 5200	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 5200	1380	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 5256	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 5256	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 5256	668	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 5216	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 5216	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 5216	1620	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 5272	1692	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 5272	1692	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 5272	1692	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 5284	1516	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 5284	1516	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 5284	1516	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 5464	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 5464	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 5464	1216	iexplore.exe	IEXPLORE.EXE
PID 632 wrote to memory of 5480	632	iexplore.exe	IEXPLORE.EXE
PID 632 wrote to memory of 5480	632	iexplore.exe	IEXPLORE.EXE
PID 632 wrote to memory of 5480	632	iexplore.exe	IEXPLORE.EXE
PID 3344 wrote to memory of 5516	3344	iexplore.exe	IEXPLORE.EXE
PID 3344 wrote to memory of 5516	3344	iexplore.exe	IEXPLORE.EXE
PID 3344 wrote to memory of 5516	3344	iexplore.exe	IEXPLORE.EXE
PID 488 wrote to memory of 5572	488	iexplore.exe	IEXPLORE.EXE
PID 488 wrote to memory of 5572	488	iexplore.exe	IEXPLORE.EXE
PID 488 wrote to memory of 5572	488	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 5644	1208	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 5644	1208	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 5644	1208	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 5656	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 5656	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 5656	860	iexplore.exe	IEXPLORE.EXE
PID 492 wrote to memory of 5752	492	iexplore.exe	IEXPLORE.EXE
PID 492 wrote to memory of 5752	492	iexplore.exe	IEXPLORE.EXE
PID 492 wrote to memory of 5752	492	iexplore.exe	IEXPLORE.EXE
PID 4172 wrote to memory of 5784	4172	iexplore.exe	IEXPLORE.EXE
PID 4172 wrote to memory of 5784	4172	iexplore.exe	IEXPLORE.EXE
PID 4172 wrote to memory of 5784	4172	iexplore.exe	IEXPLORE.EXE
PID 804 wrote to memory of 5792	804	iexplore.exe	IEXPLORE.EXE
PID 804 wrote to memory of 5792	804	iexplore.exe	IEXPLORE.EXE
PID 804 wrote to memory of 5792	804	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 5800	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 5800	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 5800	1752	iexplore.exe	IEXPLORE.EXE
PID 392 wrote to memory of 5844	392	iexplore.exe	IEXPLORE.EXE
PID 392 wrote to memory of 5844	392	iexplore.exe	IEXPLORE.EXE
PID 392 wrote to memory of 5844	392	iexplore.exe	IEXPLORE.EXE
PID 676 wrote to memory of 5888	676	iexplore.exe	IEXPLORE.EXE
PID 676 wrote to memory of 5888	676	iexplore.exe	IEXPLORE.EXE
PID 676 wrote to memory of 5888	676	iexplore.exe	IEXPLORE.EXE
PID 1080 wrote to memory of 6044	1080	iexplore.exe	IEXPLORE.EXE
PID 1080 wrote to memory of 6044	1080	iexplore.exe	IEXPLORE.EXE
PID 1080 wrote to memory of 6044	1080	iexplore.exe	IEXPLORE.EXE
PID 1128 wrote to memory of 6100	1128	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Raccine\yara\yara32.exe
"C:\Users\Admin\AppData\Local\Temp\Raccine\yara\yara32.exe"
1⤵
PID:4652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResizeConvertFrom.svg
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4172 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\Acrobat Reader DC.lnk
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3344 CREDAT:82945 /prefetch:2
2⤵
PID:5516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\FindWatch.potm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:804 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConfirmExpand.AAC
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RevokeEnter.mpeg
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:82945 /prefetch:2
2⤵
PID:5284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ProtectConfirm.ps1xml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:82945 /prefetch:2
2⤵
PID:5216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\TestEdit.jpg
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:82945 /prefetch:2
2⤵
PID:5472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UninstallSet.php
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:82945 /prefetch:2
2⤵
PID:5452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConvertToFormat.wvx
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:5200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResizeSave.MOD
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConvertToOpen.jpeg
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\CompleteConvertTo.mpeg3
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1128 CREDAT:82945 /prefetch:2
2⤵
PID:6100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConvertFromExport.ram
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnregisterRevoke.fon
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:6244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DisableDisconnect.aifc
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:82945 /prefetch:2
2⤵
PID:6044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExpandBlock.m3u
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:488 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SubmitMove.wax
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:676 CREDAT:82945 /prefetch:2
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /OCX /NoLibraryAdd /Play "file://C:\Users\Admin\Desktop\SubmitMove.wax" /prefetch:10
3⤵
PID:3564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\OpenInvoke.css
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5844

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OpenInvoke.css
2⤵
- Opens file in notepad (likely ransom note)
PID:7116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RequestConfirm.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConvertToUninstall.tif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:860 CREDAT:82945 /prefetch:2
2⤵
PID:5656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\AssertUnpublish.csv
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:82945 /prefetch:2
2⤵
PID:5480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\CheckpointSplit.mpp
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:668 CREDAT:82945 /prefetch:2
2⤵
PID:5256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConfirmRemove.mpe
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:82945 /prefetch:2
2⤵
PID:5272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\Google Chrome.lnk
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:82945 /prefetch:2
2⤵
PID:5192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\Firefox.lnk
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:508

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:508 CREDAT:82945 /prefetch:2
2⤵
PID:3228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\VLC media player.lnk
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:492

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:492 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" ::{645FF040-5081-101B-9F08-00AA002F954E}
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3216 CREDAT:82945 /prefetch:2
2⤵
PID:2460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UpdatePublish.wmx
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:82945 /prefetch:2
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /OCX /NoLibraryAdd /Play "file://C:\Users\Admin\Desktop\UpdatePublish.wmx" /prefetch:10
3⤵
PID:6736

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /OCX /NoLibraryAdd /Play "file://C:\Users\Admin\Desktop\UpdatePublish.wmx" /prefetch:10
4⤵
PID:7192

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
4⤵
PID:7288

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:7364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResizeSkip.ps1
1⤵
PID:1776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PushBackup.xlt
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:5188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
b2290fa3601ff2b1e67c23732c9f347e

SHA1
1b968c45712f2a0c454f18866024caae060582b9

SHA256
9e67436c46e29410a6e548cb5a326f59a5e34820ff2b563fcd67f25f13a574f5

SHA512
26069dd78f7ea315999e5ac0b0ebf0663773592d09b9e7165da07ace340865c0c3a9b2645fa64aad25d10a4ab09eb127271c4e3ae3ea268ec7016c66a3387c1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
94060569ed1b9d73bc805c17f299cbc7

SHA1
aea66418ec31988d45de21bdf2ce81be69f7aeea

SHA256
b5c466d84402de46995627de993a9cd700b245d4f0e2896c733cb60b9ef0f27d

SHA512
9d8f2651ec09cd8309cbf961847e843819f0cc745a1659feeea98ba371d380ae7d408c5cf3ef22dd87a05fc6cbd7768f8aed9ddb50cc91ed7ae126947a3fab41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC620B8E-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
f62262f07e2c48218efa889e5ee7f52b

SHA1
50434b400be4a5304138383e65f804fcf5536580

SHA256
a0183a911491bab7d3d0a5f2cf7362908bcda5d773a2354760b8bd9e0c9f8828

SHA512
c44b36662f5af2ac49c53e989820c48ff2375d28c77deacb847b92a1701363b9a9b6dda8a8159fbca550aa754eacb87523a9fc6b57740347f80236e4ba92acbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC66D01A-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
a00ae3bd20ec6f9fa98247f21a82e4b9

SHA1
25f5094f41e754af02134258f35b3e3214d7a17f

SHA256
c944d9283ba02b04b77fcdf0151023abb7ef491d476cb843646659862b7008f2

SHA512
0ecad3c279b1dcd782d26664815c1271d3e4792afc6792c0217d1dd51462c3939c39d6a8b0d79590b69c55e822ec3168362ef63389bc7e44910709b6a05c2f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC693510-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
3952494a9e0f0e85ccf58957c61a6c12

SHA1
ba191ef0e448e92da57fbb89dbc1f9d93b4a5996

SHA256
7b2b256960b24c9c676005d0a017f08d0ce7a3726518f90e9c0bcd9df722a1d7

SHA512
08184cf82b17301ad6a5798a26f5e9d93591b07590ced193b3ae7d07a4e54c9c0b6943800b913b763eaa6cc7fafbe16d0b93712b392507cf7dff0db4231c8acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC695C20-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
a8165f7f7b0762559302e7228c8cb9a8

SHA1
4be6e16de5217e8b1031d48ad7c1606c045348d0

SHA256
6fd7967fa289723649dd944c13579ce0100385ceb2495eb3ef98095488df4ea8

SHA512
3b67794aac3a227b01213e5d982432cd2db7ff50627a10d23176d5012cfbfcc18195ff4382333d1d2de49bc5a9116afe85541b638eb7101713e36468cbab4162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC6DF6E3-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
4e9d7226299474f6f56416c1c2ef2513

SHA1
4952b3d7d457166ae1fd15637923c0663f157a46

SHA256
ef7e87d08b4f8768a54593be4060a73444e25f027fbe3180f21e8359db6c8144

SHA512
02ffd09a001d110572cd03ad4272f69d8cfb59ac07cf4b1ce37b6bd1e554dd7e94ffe006407ac6084db45fedf6c475cfd29db7493f384eb057607c4466b2f49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC751DFB-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
0d8fae2cee74bffcb256eb3bee62b96f

SHA1
a70afdbbcf560292460eecae9076ebf25dd0bdfa

SHA256
ed6c3a053fbde7ba747b554541dcb8d6afe1e39e426c6d11de516cfa7c7a6754

SHA512
ef20c71596daf69271ac5d53a180bb79c8cf9f13ae3b5246a1adc01b893b9d8eac4f0212aea99f72136bba3e163b9d45ec504480a046a93efcc82688ef47cdfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC7780EF-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
1115ecd27913a004423425917608c34f

SHA1
14d0022f1792c30ee690301d6f18076e2e4de058

SHA256
eac4c9f848f708510b3acad4375ad621dcc81c885adb9fbb75fe688e9b5a1fd6

SHA512
099970cdebce8dcee7480684b3eea68eaa46aef0e718898f8e199385e269c4f57be5adec2b5a1f5fc5e518b598a87b4b33f9205c534531117c1d52fda57ca524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC77A7FF-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
947a4cdf2302aac56cd9244c4cdee693

SHA1
03feec04778c3ffaa9872855fd79fa2d8f579814

SHA256
9effd730ad4b7f8c5582df2d1f511e029fda37c7f4fd0a8fd61c841a574d9b57

SHA512
b79ae2297c5bf2c074725e096e5d617b0de649743c40e129ca14153b6c6e9680e026c26e2c2d3cd63c1770eb14424763400f7963862d198de4badfaf632a561d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC7A092B-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
c0ad0f772e1665c8afe388966be6af46

SHA1
79e9477f266f1250bcd11add059845f3e9bf501e

SHA256
c7e0d7481ed4a56adc7c259bcdc57843870641ae21340656b1c3148e68375d0d

SHA512
cef1d6e8588b4210a2d32998d7fdca41ec6abb2061bc2028fc5bdb7136865ab921c6a70e2fc83c12c656617b81f9d70e7cfba8c8e89af9adce369a8c02de9723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC7EA98C-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
887fdbb763842fda020aeb5303443a1d

SHA1
edfdc5e1ebde03fbc6685ccc4f9137ae45f4c52e

SHA256
09ba89797b68a948bf6a7313ed30a4c6bf75a24fc0e505dd6e9dbd05ddf7ee50

SHA512
a8569b0fd0d821f69b9a8e73328330865f449f87de44c1ba34f7e8e7d20be57b33e471f023baaa1ba0797f03981a4b452be4b2538fd7709b7d04c061e59025c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC8109BD-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
dd7f3aa6c333dd761363896bed429a8c

SHA1
8513604fcfaf92334744e45a9890d6fe0e2fbef1

SHA256
4c9f7468d0136f41efb5c48f56b6a519928cfd66e72dd55d720050ce2e31e8b1

SHA512
42620c5b82f4167513d150a04688bf48ed02d2f73467a3f525c6e4261aa24f25e148bc15bc016a1945598da06862096b5723c52709059cb086a2eec57a72058c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC8830B3-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
2100eec559d4bbb2c69eef4dd5068c20

SHA1
d548383c32e6d60277390efae194e5bd5125b270

SHA256
644fd9386edbac38b496ac3670a7584c9faf1f21e2f22abb6542430fbc069386

SHA512
8a5201dba7d32560cf656a43966dbc7dc597607a11ec8490742b16af5e26ca239587ecfaacc003d7455be5a5a3ee4c650a7ab1523163c95eef5dc73a742f2e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC91BA21-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
34de40c5292b49ff3bbb5597d932f42a

SHA1
b7824b0996a007ca3b244203f129fbf0cf2bbebc

SHA256
8adfa440e96a6a48ceff385e2027603cf38087a90765dd0d4c0175402a153247

SHA512
6be251ce2804922748cbd90de1ed875229d9fdebd07a8323ba9e0874f988870bb95c24bfa52e39a18e13d7f52d5ebf310130c885a90c303961fa1e1ea60e3bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC967E95-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
164ea1a963ff2bff0fff77096e19c053

SHA1
760305737a51258acb0d57901127e228f070c95d

SHA256
20279b74193f8405eec745c78ed823eb0f02f705d76a590964a6464974bb85ae

SHA512
edadb7d98646a293665c2a9e60e587ae677bbad60b99fa95a86a47d122401a46e2c4c392734135c4431feb3117ca59e2ce0f53cb7e380b0f2d29982e9b03c117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EC9B433A-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
c1f22503a5752486b95ea846be60d3f1

SHA1
c002b0ecf2b33a7c08aa56065b8890ce47425790

SHA256
ca2fe82eafe1453fa606a21ccb9bdc1b7e28deae1c2cd49dd36fc3d57309dc6e

SHA512
59f72a10e8cdf60b60a1d1ce259abf0f59db63eaeca938693626357fd2add54d308628ad5a33c92e921ecb709daa94e38523b5e0ac99864569840042d94b4349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ECA4CC43-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
0a0c767184f994c8575b746b4f0e9fcb

SHA1
06412a277e7cc368eca9fb43a0662d0703c0d55c

SHA256
c0c4f783f3f30ac484d148a4085c33c78dd43bd99b1a2557c780c727e3d5eabe

SHA512
f2aa68e64b06a07a28059bfc3b64032b791e78a16237404d378728f1bf700cb8c476a29b0e9dbf5c8141df17811851bde577272b1e9c622ed27aa49ae8d69e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ECAE569F-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
c0d9998872d1d23f4547efae1a93c40f

SHA1
b800a8bfe4af0f511e8eeeba547a71daf65c4a36

SHA256
f9c4097ac3be34641b7466510b34d0f90fa86a964d8f7fd6410987bad6234940

SHA512
39f17b51f86fdb21822d171d14adb5c839669f37f106f8a21e699e5bf551329ec23a7f1707774f16562b88d177307081fcbcb9544d87a3885755fa7169ec93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ECBCA3E9-F6BD-11EB-B2DB-52F460BD0637}.dat
MD5
4b1222740c06a4d84f9e9e902bed2908

SHA1
a7581f53b089c0376092a64f92bc22f3db826bf4

SHA256
184e9d06f3ede204161d40cd924345420d5aea85171a2b042b0883690590a0d7

SHA512
27efedc7b788401f354a77a47af40e74ba22e41affb54bf4c47ed4a140dd44fe5b026fdfc12e9e64a66da3598d149c84a2c0571a8d998962b899da06e17df2f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SW7ZUKY0.cookie
MD5
f7b00fc144e1e8c6aac064f4188efc1e

SHA1
5f3fe30c3a8db6c932ebdc88fb0b2a81db3a0506

SHA256
721425128bf15ae74b8bcd2ca98d6e5dee93245505aa2eac8fd543a8f406f8ec

SHA512
d0d20b15c3f01c4f0c6bf9a40fa24e7dc13240cf6e61d34e3699efabf8bbfddcd5b4f90f4e63c61c60ee61efc3b0344fcd3177496e198d53d581772a6c84cc95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZX0ANOMM.cookie
MD5
87e073b03314356d9a7b61369939ee24

SHA1
66bf59f2517c57041033123ce565163cf41af5ab

SHA256
948cd5967024d2828910818081eefa2a6b87668bf9944c029b533d535dca7232

SHA512
ff1b1a5af6796b527ab80e827956239cf6eca5a4ab930d3820519a3757d8040dcd93284a70fed2c8f696befc421368051702c60cac39eb4759515bc072f000e9

Download Submit
memory/392-135-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/488-133-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/492-140-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/508-137-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/632-142-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/640-129-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/668-115-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/676-128-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/804-125-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/860-127-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1076-138-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1080-134-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1112-136-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1128-139-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1208-131-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1216-141-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1276-114-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1380-116-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1420-117-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1480-118-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1516-119-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1588-120-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1620-121-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1692-122-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1752-123-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1776-124-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/1780-126-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/2460-167-0x0000000000000000-mapping.dmp

Download
memory/3216-132-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/3228-166-0x0000000000000000-mapping.dmp

Download
memory/3344-143-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/3564-193-0x0000000000000000-mapping.dmp

Download
memory/4172-130-0x00007FFA6A060000-0x00007FFA6A0CB000-memory.dmp

Filesize
428KB

Download
memory/5188-169-0x0000000000000000-mapping.dmp

Download
memory/5192-168-0x0000000000000000-mapping.dmp

Download
memory/5200-147-0x0000000000000000-mapping.dmp

Download
memory/5208-144-0x0000000000000000-mapping.dmp

Download
memory/5216-149-0x0000000000000000-mapping.dmp

Download
memory/5224-146-0x0000000000000000-mapping.dmp

Download
memory/5232-145-0x0000000000000000-mapping.dmp

Download
memory/5256-148-0x0000000000000000-mapping.dmp

Download
memory/5272-150-0x0000000000000000-mapping.dmp

Download
memory/5284-151-0x0000000000000000-mapping.dmp

Download
memory/5452-171-0x0000000000000000-mapping.dmp

Download
memory/5464-152-0x0000000000000000-mapping.dmp

Download
memory/5472-170-0x0000000000000000-mapping.dmp

Download
memory/5480-153-0x0000000000000000-mapping.dmp

Download
memory/5516-154-0x0000000000000000-mapping.dmp

Download
memory/5572-155-0x0000000000000000-mapping.dmp

Download
memory/5644-156-0x0000000000000000-mapping.dmp

Download
memory/5656-157-0x0000000000000000-mapping.dmp

Download
memory/5752-158-0x0000000000000000-mapping.dmp

Download
memory/5784-160-0x0000000000000000-mapping.dmp

Download
memory/5792-159-0x0000000000000000-mapping.dmp

Download
memory/5800-161-0x0000000000000000-mapping.dmp

Download
memory/5844-162-0x0000000000000000-mapping.dmp

Download
memory/5888-163-0x0000000000000000-mapping.dmp

Download
memory/6044-164-0x0000000000000000-mapping.dmp

Download
memory/6100-165-0x0000000000000000-mapping.dmp

Download
memory/6244-172-0x0000000000000000-mapping.dmp

Download
memory/6736-192-0x0000000000000000-mapping.dmp

Download
memory/7116-191-0x0000000000000000-mapping.dmp

Download
memory/7192-196-0x0000000000000000-mapping.dmp

Download
memory/7288-197-0x0000000000000000-mapping.dmp

Download
memory/7364-198-0x0000000000000000-mapping.dmp

Download