4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe

Analysis

max time kernel
160s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe
Size

38KB
MD5

f30874c740eccc02f99634e8d4a94214
SHA1

4a5d6c3711c47c52de95be057041fa2722fc86d0
SHA256

4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe
SHA512

ac3ec1f4af5438e5ff87cee76fb216ee25c6685b8ba5a0f6d0cf345fe02fd8e638ccb1d401b2dec898fc0b51cc5fbebd2951776eabdfd8375cca20f49fce04ff
SSDEEP

384:/TlWZgXJNEWx+GoN870DRBog9WMXjdTqoaVZGXYP+2VKEkW:/5WZc0BR9WMzdnoP+PEN

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-56-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000071c4c20c1d1764ba6aad66d6e114dc60000000002000000000010660000000100002000000068ad622c86779e88659f566cf1e06eafca23fb7eb88e022b74be94341dd8cf08000000000e80000000020000200000008c7a901a5f10fa7b6b3cca5e8067f747b2cc74c07ed3b8204ed074faf763e49f90000000d5ee9f360d24a92ee1a19ddd882da245929c6ce97fe5c97405b7eb45095c76b25cc9e4815ebf5b76d34f42e7138f632daeb87b727b4beb48df0e2543158635dab4bd3b05d3a1a45fae471c61917201f8e4f582b4155a76e68f7bd75f769ef98beefc5329da4ad7cb519f1e57296445e863317aa8d1e08afab4cdae7d7ec479a74004054113cab46defc0f4bc2c3791a94000000075653e0a3355849dd7ae1b55b9c62e5e22e7a95a2cd3aa18f946072509ca930abae5cfff6e9d815269511cb48946d16fcafc11a2665c0233de0511916a040098	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "49"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "545"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "10179"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "89"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "545"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "111"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000071c4c20c1d1764ba6aad66d6e114dc600000000020000000000106600000001000020000000e848e6da43dd167bd943e10aa6c0425a31973cf75aff353a88c4fdeff06d8071000000000e80000000020000200000008e626badfafd6d6d847bd2f77bd4274e81d5d0b6d9fafcb2e122aa27bf014a41200000003a30db01a034d5abfa1b51da21fb3ef46ec23c38951b7916c40e2cbac0da92ce400000005f875eebd06d87e2a8e3543fa7f22a05b6297afe097e6311adc4a4f22bd56f2b66037a712ed20f6e1c5567f0e57c9e4ece3d5258169650dbca8c1aa4b1b6e9d1	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "57"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "57"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "89"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "35"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{639093F1-6FC4-11ED-BF27-66397CAA4A34} = "0"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
844	IEXPLORE.exe
900	IEXPLORE.exe
1816	IEXPLORE.exe
1664	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe
844	IEXPLORE.exe
844	IEXPLORE.exe
956	IEXPLORE.EXE
956	IEXPLORE.EXE
900	IEXPLORE.exe
900	IEXPLORE.exe
1816	IEXPLORE.exe
1816	IEXPLORE.exe
1664	IEXPLORE.exe
1664	IEXPLORE.exe
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
672	IEXPLORE.EXE
672	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 844	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	28
PID 1948 wrote to memory of 844	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	28
PID 1948 wrote to memory of 844	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	28
PID 1948 wrote to memory of 844	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	28
PID 844 wrote to memory of 956	844	IEXPLORE.exe	30
PID 844 wrote to memory of 956	844	IEXPLORE.exe	30
PID 844 wrote to memory of 956	844	IEXPLORE.exe	30
PID 844 wrote to memory of 956	844	IEXPLORE.exe	30
PID 1948 wrote to memory of 900	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	31
PID 1948 wrote to memory of 900	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	31
PID 1948 wrote to memory of 900	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	31
PID 1948 wrote to memory of 900	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	31
PID 1948 wrote to memory of 1664	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	32
PID 1948 wrote to memory of 1664	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	32
PID 1948 wrote to memory of 1664	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	32
PID 1948 wrote to memory of 1664	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	32
PID 1948 wrote to memory of 1816	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	33
PID 1948 wrote to memory of 1816	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	33
PID 1948 wrote to memory of 1816	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	33
PID 1948 wrote to memory of 1816	1948	4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe	33
PID 900 wrote to memory of 1364	900	IEXPLORE.exe	34
PID 900 wrote to memory of 1364	900	IEXPLORE.exe	34
PID 900 wrote to memory of 1364	900	IEXPLORE.exe	34
PID 900 wrote to memory of 1364	900	IEXPLORE.exe	34
PID 1816 wrote to memory of 672	1816	IEXPLORE.exe	35
PID 1816 wrote to memory of 672	1816	IEXPLORE.exe	35
PID 1816 wrote to memory of 672	1816	IEXPLORE.exe	35
PID 1816 wrote to memory of 672	1816	IEXPLORE.exe	35
PID 1664 wrote to memory of 588	1664	IEXPLORE.exe	36
PID 1664 wrote to memory of 588	1664	IEXPLORE.exe	36
PID 1664 wrote to memory of 588	1664	IEXPLORE.exe	36
PID 1664 wrote to memory of 588	1664	IEXPLORE.exe	36

C:\Users\Admin\AppData\Local\Temp\4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe
"C:\Users\Admin\AppData\Local\Temp\4266b82aa9b242b2f8c05dd9b72bd783cb8e7e655c5525bf8f15710237758cfe.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://www.baidu.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:956
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/Loader_jieku_977.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1364
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/haozip_tiny.200629.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:588
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
68b676cfdbf6170938ea2215797062d8

SHA1
f8023da3360bb5085137da5992d29f545d8433e4

SHA256
dc96fee2dbba64eb12ce55ca32a37664a719be05649a1a8ee46ef9ee2d442cf5

SHA512
4e2090d5d903b9d3cdb7f63a54dfe0b3586f5fc1731f2a805748562e622e821be82b7395fd64175baa525e88e20bde49d61edb860b31c0367c8c338031285056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{639093F1-6FC4-11ED-BF27-66397CAA4A34}.dat

Filesize
5KB

MD5
0bc0cfd8ded1223603c22efb1f16d031

SHA1
d0d7f4507a557e7196e5ca02de84fd373f0b0c69

SHA256
25e8074e4b26692a016e2209083f92703bb4acda575e1b490d24ef6e7bac98db

SHA512
7dec9a895d64d79ad361bc76cdc52793a8ec21d63b14bbe7233e9a8a70eb4723be28924bec43983362e337b9f381dbeb31aa16f002ba96eccc1f0a66b08c1ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{63954EE1-6FC4-11ED-BF27-66397CAA4A34}.dat

Filesize
4KB

MD5
b6d333427535a10d43d2b5496638dcba

SHA1
41e0e31111d7004d7220394b2d7fbd767b408c2b

SHA256
b5fb4c79012781f1f2dec61978aac656c7cc817877473778fd791df6305e28fe

SHA512
2106d2c73488110b0023e7826566a7a72207a95a591a055eb0174cbed0119c3086f4d6eef9975222e1e0e9838fa4d5ed09a7efc145043530b26f56041c8fe25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6399BBB1-6FC4-11ED-BF27-66397CAA4A34}.dat

Filesize
5KB

MD5
cd6b1d7d35fd167b989ddfefbae797a0

SHA1
f57a605b76d74c6723c2de9976419d4f0e79cc5e

SHA256
9d171c4d116cda80d5cffba7ab6aba9325883c23b4d2c600301e6a94e9b0cfd7

SHA512
09c969aa936664edae0b678a9b1b960a00e0c9276a947525fe50422c13bbe512712ed6b1b213329dec2df05773f9140e61c0c5a6e605916882ec5d57b8f8c59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
20KB

MD5
2f40e3a68de0e0a7a96deb6b5860727e

SHA1
9652062b0126f73a11a347a4005e4b0b31932e02

SHA256
4a71adbc7fc88100723e5b05c3c9927688370e575bc505efee2b579eaad01a09

SHA512
28d47072a29290f660b0a1278d7960276724857716b6593ae423ec2de191988bc666b937753d4d9908d68dd187f79cee59d9138c1a572d58807561a8a4904675

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TMOQNY3W.txt

Filesize
608B

MD5
c0cca3aae0516a8d90b50eb498e57a34

SHA1
5d4a26729d3a60938781fe2d1cbf2c0937a2fcf7

SHA256
c698a8a0873f62bdb7e56010ca03818ac30d41cbfdad48c9bbf9feb3414f3447

SHA512
6be0b2611d3a5342e4e3efe1bd7b713bbfba2993b0a12f3fb1f7c5eecc482226aa917481ab894822255530f4b739b93d624ebb704a2f8c528766969ea2489b42

Download Submit
memory/1948-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1948-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download