14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b

Analysis

max time kernel
122s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
Size

1.4MB
MD5

56bd1c5228b2fb10916b230726d4f8e9
SHA1

59c5197f8b75c76dcedb1e4b8aa63b6afb034faa
SHA256

14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b
SHA512

b5108a9103afd04780969de0d672ec73e6f9ea638ad920104ecad3e5ca390d3bcac7be283750d4aa1a5e377fed52b4e0f433917e5b7aefb9d2022d7a812609af
SSDEEP

24576:T9SDxKYqm/q8hF2wRG9DrfVSlqkNrm9jT1ZNdjOyxdUnvVtehIkQKFmgaCF9QPy8:T9SXj/9h4U8f7/ZNIvmOQIgXF9Ux

Score

8^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1664-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1664-102-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1664-55-0x0000000000400000-0x0000000000785000-memory.dmp	vmprotect
behavioral1/memory/1664-57-0x0000000000400000-0x0000000000785000-memory.dmp	vmprotect
behavioral1/memory/1664-105-0x0000000000400000-0x0000000000785000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe

pid process

1664 14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9BD2B11-6D65-11ED-8F62-626C2AE6DC56} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ae0528df93dddd4484d87a80835300940000000002000000000010660000000100002000000011179de59fc9cdaa29c6fb60fe088454db61c66e130c53b14cc5ff5a38261c94000000000e8000000002000020000000c7863b74b7eb122e65541e297b1267c74e19cb0ee39a77c363c3860b3866588020000000918cd9bf4fa5968e81d610b3d6cf87125b617b01e41acfbabb0ecacd03beee3140000000919ae75775921fbdcc2ec6504228da8a6046ededd58a846227be3a103f27755d06fa6ecde08d16ff1a03d12cbfa5101e5eef565303d20f22ec06cea3bfacbdea	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ae0528df93dddd4484d87a8083530094000000000200000000001066000000010000200000003061ce27924172602d77a4fdc75d3ae71278ff84b8a79fd16a2a0bdff30ab561000000000e8000000002000020000000ba365f004709a99a757fa2bc982d9148d7a9d59c218d107b3029bc2a3a77ac8290000000180d308b160ff3bfdbc2a0549335799410fef90c764f913cc714a1e1dc6f2066de10be64d5d2682564d8a99bcf2c1983b582c6a98052332f881d82b42320c74b3694513c186a9cb61bb87265b5b13911422f59f5d4c57ddd338894082fffff9ff0b071726eaa5042f846605c7d876b38661902c563b6411d090ed25feced60ce0b5e62906db18e73db4cb4d87128b91240000000996400d8d1d8cc2901990b214d1e29233e9c214184fcb3db44c083cf10f7bf016a8a3f61a92ebe54150f12a3ea1a256cc342f57aea019383a2fac358563b7225	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376217028"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e482de7201d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9BF8C71-6D65-11ED-8F62-626C2AE6DC56} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe

pid	process
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1712 iexplore.exe
536 iexplore.exe

pid	process
1712	iexplore.exe
536	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
1712	iexplore.exe
1712	iexplore.exe
536	iexplore.exe
536	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1664 wrote to memory of 1712	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 1712	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 1712	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 1712	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 536	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 536	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 536	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1664 wrote to memory of 536	1664	14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe	iexplore.exe
PID 1712 wrote to memory of 1092	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1092	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1092	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1092	1712	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1924	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1924	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1924	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1924	536	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe
"C:\Users\Admin\AppData\Local\Temp\14a20798118b4c89dc950cbb2b6cc35379449cce7e1f06e1e34106b549fcc51b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://zhanimei.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1092
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://zhanimei.com/ad.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a8c03409b74c9377cf79e2e731c1911a

SHA1
3c754ffe163aeb3ecb81fe3ca34f65e6eb6e14e8

SHA256
355e2b460370d728ccf7489fd435e26c51da2ede7ad1b091ac733b9d56974558

SHA512
b7f7811c3abcab59011af3c4f12f1fa81e8bc549f5c32b095f3d8831d2a12d48e3868073052f55f3b0c68ed079ab129cd8f3657b6388a5fd90273db75de7a840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
30f833b25d6e5af2229d9584c6f6cf97

SHA1
ee79c3fa994d53c1d0687ca61353d63cce459e25

SHA256
1bc091991c4663dbc86ae735e47ddc3e887a24661050ad9f24b8d458bfd11a6b

SHA512
da38df5335fbbefc9b38bb2cf5f5fc875794d444ed7ec41b8db5e0df128ad9dff34828fb1976977aec6b9ad36312535fa78f28a020531d360d8cc5fbf8cc8d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7D0866F648887A7BB8C83FDD7893DE3B

Filesize
472B

MD5
e4d661d999b855142d472fd230fb4ab3

SHA1
b4be1feeaccc98768ec3393929772bd8f75deed7

SHA256
97a1c1b509250dd99cde7f76b53a43b7ee415011744414d83f5980df2e11dc60

SHA512
2825f4435db1f133fc187b9e7a2f6bfbe7a6a95723e4fe1d2f45fffac024ed43364ede77c11ded7c8d0aa2955045097d308c94a928629e0568c53a7015670471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b907cd82d2410f0dc77fbe209f9e1864

SHA1
bfd474a892a6ca710ff99961ffff74a26a268921

SHA256
dae43621baa7c19db1a6406a94fb2b69c105b9fa2a78524b02eb34a332536134

SHA512
a68780027cc883d1d4e1ce2b7e4b1c0a5c33b06db32019e4e657477d5c4d3ef7b2c20ecc51c3fe1f4649060c9fc90bf972b9fcea37295953b8ca9276ed881836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
46b5fd39978deef65d75d7257fc8ae8b

SHA1
21ac79fb2965f7591a8ecbdcc82105cff0dc68a0

SHA256
3d98488c09dd8af853def821bfa2fea7f29ec130418642d7412b03401e8658ca

SHA512
e6158d7b68494b9b684c2f46999d2e1525044d087057ee57edd1e1db5b97106dd340228f1faa923a40f6577f577aaf1540676a348c9f29e765f1691bc135451c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7D0866F648887A7BB8C83FDD7893DE3B

Filesize
402B

MD5
ac748732d6d96dd89d974a5f600966d6

SHA1
1c4a62314b7c90c4fb07ad0235e3048cde7f3e8d

SHA256
9dae0d8a55bb43fa37925e4b14e2a49a4d3ca274431ad763ab1cd865283e1c7a

SHA512
4c341b6010519886ba03eebee0df8bb8964bfb1c789db5e6fd118d585cf811658d870428b7f3c56efed46e6360e87981065e1916abd7eecce3955ad478d489ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
bf885626343929faea34e7869698bf94

SHA1
4d53179940b8abbc11e3363d63e2f2750615df7e

SHA256
0aa466c35af41ba6f0eb1cdafb94ff33379c15ab3e365ec7252fbaa3dfdc7cdf

SHA512
0741911ec1dfe25957965d591c5cbfb0705ec3cdb0480149d5cc4ae41f099f1bc890c273799af0af540510e3a35a58489b5e24fa1951499a6788a961a84ca53c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
142955cd6f99396ee710f0ae37dffaf2

SHA1
32d1fffd2d4638772622031fb68b1712c43f34d3

SHA256
20cdc1351be9ee8814eee9cbd366a5db13773bdfe50999c95514b6b3223b152f

SHA512
55ed288a425d7ea4aee306f750a47f706d5d57c06089567f149260ff18e87288ea54b8d05a5304ae00208eec1b6ee3bdaed88058a57ddfd2e7ad48374ea4360d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F9BD2B11-6D65-11ED-8F62-626C2AE6DC56}.dat

Filesize
5KB

MD5
d4b2a029cd5b3aec01e7ed2bc5f696d1

SHA1
4a4d37ffc85a3ad6d07d1bbdd8c74ed4d3d3eac1

SHA256
40a4598eeaf94982160d52ce6d0a89722299747b303825edffb7a4f9a6ad68de

SHA512
7a3edee60d3587885fe75c7b43a48c78dc2dd483248abda55de6d9c51e7f139d106c232a19994f398455ca57c460caa7192948d41547f8f2150a2e3637faa707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F9BF8C71-6D65-11ED-8F62-626C2AE6DC56}.dat

Filesize
4KB

MD5
aa274c310548a2ace751d7a2dd2c8609

SHA1
ff14ded306e0fcae215ed225e96c76fa7c904a86

SHA256
5136cb232252290517dd77566391e1bc0e8ec2b2dd2de2e6632246216a5d6c6b

SHA512
571ac4ba6cee50a54d508307c99986ba49429568416202343abbdb7659360d68edd70073592c2f0c2da749952ff14cc6308c038e73b6bf00954f04f0fae17c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CASMTSF8\maincaf[1].js

Filesize
6KB

MD5
3c7567521347bf95b105ffa7fdc7da86

SHA1
08739adacbf1300c74d8ae1cf100d00d9fbd0e5f

SHA256
0e32bca6b67dfdeed3f9b988ddcec1adf0502549a130a78c4ace64c318a7ea29

SHA512
a58d550fb416dfb05cdebae862b52d1c1b15b2031e01bd959b6dfef15c75d8606b59927cd4a6f4583bd5285740dbb24cf230e6428c1564dfe549fbc563771454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CASMTSF8\style[1].css

Filesize
829B

MD5
96f84d0985af87b4d4f6ae8816f9c5c5

SHA1
9cf62a3e426361587207124eb6caf0aeeb3cb030

SHA256
93a1109ada0cd55dedeaf7e9c4251a7f91ac3c3e1ab85e25e37b6cd4e47d504b

SHA512
0423c77082e7cede3ed0c10219d8dce268d2f137c2b5bd46d1a9fc1a15eefd316d190bacd3ac22c60fde155dc044ed3886646a2c1453ea3b82393abdcf7d22b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CASMTSF8\style[2].css

Filesize
1KB

MD5
a5aa16104510a5c65ae674601bb0cbc2

SHA1
c22550ef8b6664889080d658f3e460aba95960e8

SHA256
3da899cfbc97d2fee347957e5f004a44ca1e661f54b9fa8cea8a1b041ed2a401

SHA512
752238553f6755b1b7c3604c74ee4b2bc0071ca1fae96437392a86573018f67a6f291ab0dda7104c3a89797fc87462012809052256758f88019304d25f135a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GTUA22LQ\arrows[1].png

Filesize
11KB

MD5
0cb2e5165dc9324eb462199f04e1ffa9

SHA1
9e0f89847ec8a98d98a6020bc5c4ed32b7a48bf8

SHA256
67dff0aad873050f12609885f2264417ccdd0d438311000a704c89f0865f7865

SHA512
7a285c4a87b9f9093b7ba720d8fe08e0ad7e2ebde9ef8c8d11b70afa08245af8f8a7281c7b3fbe8bad21c3afde4f32634d3bd416822892aa47ba82c12f4b8191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GTUA22LQ\caf[1].js

Filesize
143KB

MD5
ceb2d8acb9756e44913ee7b5d9920790

SHA1
f193c94729a7e578ea07e4e34ca8d646f555b799

SHA256
eb9a58e36ca6161f18089f9fa930ee192926868f743777ff0f6cc4bd44bd2b4b

SHA512
82e39ed4630cfdd7420b69ae90c101d207bd87ca24c7e04ec838e55da2046c4a48306e065d4596ffad9e716b784659d3e2923159b55b8ddd2b973f8976cbcb35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\chevron[1].svg

Filesize
200B

MD5
11b3089d616633ca6b73b57aa877eeb4

SHA1
07632f63e06b30d9b63c97177d3a8122629bda9b

SHA256
809fb4619d2a2f1a85dbda8cc69a7f1659215212d708a098d62150eee57070c1

SHA512
079b0e35b479dfdbe64a987661000f4a034b10688e26f2a5fe6aaa807e81ccc5593d40609b731ab3340e687d83dd08de4b8b1e01cdac9d4523a9f6bb3acfcba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\search[1].svg

Filesize
391B

MD5
8959ddcd9712196961d93f58064ed655

SHA1
62ab1e38e7e9fbf58a04381b76c2d96a9c829f24

SHA256
17c7a89bf169c2ee400e31b042cea68513f06b9cd7d1e8990dbec800f0d771c7

SHA512
5e9effa313c30b351345db963238b4afd0728ca302fd79a853c80c89f042266d44cc1d29492520fb0fa80b47135e54e6963dfc21972f6b236b84c1da2fad809d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\caf[1].js

Filesize
143KB

MD5
55bcbd1d9af8df915cc056f733fcee4c

SHA1
93c9e722b7d0c7989718c6eaaa0402174992e065

SHA256
0617428d4845f33dbf17caf13ec129526de62fcaf8428ed74637d8697aa30a59

SHA512
f4dff812f25be6b9e158a56b08017ce2b413c55518c2f99a63804cc2320ac7c77f0a8c18d6506073bec0c4bd1a4f17acb4c8c4140151b24455519facf2172e20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1U75U8HG.txt

Filesize
239B

MD5
a67a738ef692b7b6ed73adaa92aa1cb7

SHA1
a01bafbe32b19086f5c0f90fe3d1a0767f3aaa2d

SHA256
31cd8fcde9300207605c14cd5deaeb892aaf76eb5104393db0e100ce68cc2e91

SHA512
63be1e768f7e7de4737bf92fe4159fe1dc86987414fe3280529b33d1ba43840411a7f698008513a81e5c8c6c10d0026f216dfe535b7695cb2774886743950a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AUWGY4RE.txt

Filesize
330B

MD5
69f2a8a91c3bb819d1cdd4e6220c2255

SHA1
693045b73ec58204371e461b626cf155c05709dc

SHA256
6dea00e2c51bdabf9bbd6ce4967bfc184aab0f3c27533b4f83d7921f6e3c4861

SHA512
dbd2638109e11690d669b2871c82f5468a350e8c374d74ec63cd448565ea80da9852968c0ef77c09bd24442b59bbf4036df97358b793e07eef21b58ef139b917

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CJ38KFL6.txt

Filesize
102B

MD5
93f438294af455c9096498f74836e759

SHA1
bc86b982c8c073fa3090d89424803d4e76a06400

SHA256
b1f9a82bc11a550b20c0eb907d8d52b656794b15217170c9f0a8c3aa72b0a61d

SHA512
467cf4fe3feef28cbcf4e8f402f846a9796cbdbf72f9a0ea915608ac41ad16b127a1ad97a67cd5c238947b43e3053f77646c6fc294858945da6b6765b7b0b727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FKPNM9E0.txt

Filesize
330B

MD5
c80173e9d60afb94b030cc65168f7ac4

SHA1
f2ff6147a51bc6f7c3049d177ed9a99393b70a17

SHA256
9a35b59d3bfa8fa341adb83ff5d8c72bd9415e7568a7014cdfe5d9c79aacac57

SHA512
69cddcb258a5048a8abd3badd0a33112b11c50d1af4ce8095c2023d5cde4e7f1e30ff0cf36431fe4ab696a5e0896291727ded5809e1942d0b08d473cc224e885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IDBB03PZ.txt

Filesize
603B

MD5
a1a6ea3a2e2f231b49da83bce1811a07

SHA1
2f007aa08f723ac36fba0d92b0ca51b7cd4fb9a7

SHA256
395f335b5178cc9da894601fb30bea35af8987261a64bc59e3621a50841cc75f

SHA512
321bbfb63cfa96df2aba152e3b7f6ca50fe1e870e539e6c0ea37b85c12c835c5730dfda7fdb03f2bdf98c8937245153bf1c002b0bc586a4938711bc3953646cb

Download Submit
memory/1664-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-101-0x0000000002150000-0x0000000002177000-memory.dmp

Filesize
156KB

Download
memory/1664-102-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-105-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1664-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1664-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1664-57-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1664-55-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download