225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c

Analysis

max time kernel
155s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 05:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
Size

645KB
MD5

1f2608f0a7f1604f4229c2cacabaf1b0
SHA1

b282af9d226b507cd6b77dfecf060485319faf98
SHA256

225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c
SHA512

2b31eee2f8b2bb531d621cfb6ae0e83bbcf81f5b2b2e77bf4061f8f211f7fff3aeee9f2192e082734755c4d3f3c3b181f00054326cf9c6a837863bfd16c60241
SSDEEP

6144:nUW/vqLbCWVT0fJSi7zicwfMTZVrekx9rZ4NInOxBByK5T7FuMIl53JXgKqZ01gS:n7/CbvBkSiu436qvDKK53J+5KUC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4928	wmpscfgs.exe
4380	wmpscfgs.exe
548	wmpscfgs.exe
332	wmpscfgs.exe
1424	wmpscfgs.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\program files (x86)\\internet explorer\\wmpscfgs.exe"	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\program files (x86)\\internet explorer\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray .exe	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a930040107d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com\Total = "970"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\supernetforme.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "955"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.superwebbysearch.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.superwebbysearch.com\ = "970"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2D7F94EB-72F4-11ED-89AC-D2D0017C8629} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\supernetforme.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "70144467"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000321"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000321"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\supernetforme.com\Total = "955"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.supernetforme.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "70144467"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f873a320a12d2489203cf1b1d1ba8bf00000000020000000000106600000001000020000000fdd5a984c97d138f018e06463a486ffc33492792503313a1aeb338185861fa54000000000e800000000200002000000037ea2056eb8a540d425e6e402e8988aad47355abea7e9be6d402af97aafcd09320000000ead3880dfe744eb2fb28f371063cd89666163dc5f7407becb7577d7e71c6083140000000b80fdcf16f59963ca6ca71343fa184e50f5b0422b310d7fa40aa83b84a9b4326e1c01e68f4f540aab34443f36a7594cdb324a0ca9f95a825bd8cd1552bd0661b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f873a320a12d2489203cf1b1d1ba8bf00000000020000000000106600000001000020000000fa9672829eee2a6912c74cb31e635e4f93327a79bd1f7a2dab4c42d7defd3214000000000e8000000002000020000000c1afc4c416771d191ca8e41a47aa139bb97d56a4a44c622f1d764438d82f3fe020000000a4a74124f5d41b89dca433bd0cdcb6134dc92d55d540b5e859afe672149fb61d400000004ca0849f6ca1376552275b2d6ea5b66991b1b2f672c469fd21aeddef76d64b0db8fd8ef79a0b43051e92525f38e50db263950ba69c0b01e39c5c9c309047ff6d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\supernetforme.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203c770d0107d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 407c14100107d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.supernetforme.com\ = "955"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f873a320a12d2489203cf1b1d1ba8bf0000000002000000000010660000000100002000000077cbb6bf7f5485b6d4e87d888ee3771f02a4f28a22c880c9f1e11995f86a0f02000000000e800000000200002000000011be9d45410dea8db07ba0bb81e01aa863cf1e8b8a55836b5a22957e48ec086c200000007491b575086e05a3c4be20bef4d683f2fa9cd0602460c1ca74b38fa57cf1b8b6400000001831ed09ae0ead35353edf84c6e87b7be0e24faf7c820dbf7dd3847832f2655cec8d6c58120818dd550fdc904e6fac2804e1f287fc08acee2568569e08b93886	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
4928	wmpscfgs.exe
4928	wmpscfgs.exe
4928	wmpscfgs.exe
4928	wmpscfgs.exe
4380	wmpscfgs.exe
4380	wmpscfgs.exe
4380	wmpscfgs.exe
4380	wmpscfgs.exe
548	wmpscfgs.exe
548	wmpscfgs.exe
332	wmpscfgs.exe
332	wmpscfgs.exe
1424	wmpscfgs.exe
1424	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
Token: SeDebugPrivilege	4928	wmpscfgs.exe
Token: SeDebugPrivilege	4380	wmpscfgs.exe
Token: SeDebugPrivilege	548	wmpscfgs.exe
Token: SeDebugPrivilege	332	wmpscfgs.exe
Token: SeDebugPrivilege	1424	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
832	iexplore.exe
832	iexplore.exe
832	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
832	iexplore.exe
832	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
832	iexplore.exe
832	iexplore.exe
4224	IEXPLORE.EXE
4224	IEXPLORE.EXE
832	iexplore.exe
832	iexplore.exe
956	IEXPLORE.EXE
956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4928	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe	79
PID 2072 wrote to memory of 4928	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe	79
PID 2072 wrote to memory of 4928	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe	79
PID 2072 wrote to memory of 4380	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe	80
PID 2072 wrote to memory of 4380	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe	80
PID 2072 wrote to memory of 4380	2072	225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe	80
PID 4928 wrote to memory of 548	4928	wmpscfgs.exe	81
PID 4928 wrote to memory of 548	4928	wmpscfgs.exe	81
PID 4928 wrote to memory of 548	4928	wmpscfgs.exe	81
PID 4928 wrote to memory of 332	4928	wmpscfgs.exe	84
PID 4928 wrote to memory of 332	4928	wmpscfgs.exe	84
PID 4928 wrote to memory of 332	4928	wmpscfgs.exe	84
PID 4928 wrote to memory of 1424	4928	wmpscfgs.exe	85
PID 4928 wrote to memory of 1424	4928	wmpscfgs.exe	85
PID 4928 wrote to memory of 1424	4928	wmpscfgs.exe	85
PID 832 wrote to memory of 1948	832	iexplore.exe	88
PID 832 wrote to memory of 1948	832	iexplore.exe	88
PID 832 wrote to memory of 1948	832	iexplore.exe	88
PID 832 wrote to memory of 4224	832	iexplore.exe	91
PID 832 wrote to memory of 4224	832	iexplore.exe	91
PID 832 wrote to memory of 4224	832	iexplore.exe	91
PID 832 wrote to memory of 956	832	iexplore.exe	96
PID 832 wrote to memory of 956	832	iexplore.exe	96
PID 832 wrote to memory of 956	832	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe
"C:\Users\Admin\AppData\Local\Temp\225e338c99557a911841324dbe5bdf547e32e1c362e68d8247c035b469ac430c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\program files (x86)\internet explorer\wmpscfgs.exe
  "C:\program files (x86)\internet explorer\wmpscfgs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\program files (x86)\internet explorer\wmpscfgs.exe
    "C:\program files (x86)\internet explorer\wmpscfgs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\program files (x86)\internet explorer\wmpscfgs.exe
    "C:\program files (x86)\internet explorer\wmpscfgs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4224
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
678KB

MD5
fef80bdc5233a14c388dc3f16ef9d43c

SHA1
71095e8421fc297de8417c75f4e7dd46d9425fc9

SHA256
97541f8d0455e7948ca576d05747f2b913df6b4a9da9014f2e0a0c3dc3b16d58

SHA512
c0ebc011f8f1fe3c3a5b1691c50d139b4d84903840fa26971a868315a103bbe86085c2f292f65c0d9ba3c783d59294bf95c7feb6806863ff9cd55a72bb80f544

Download Submit
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
678KB

MD5
fef80bdc5233a14c388dc3f16ef9d43c

SHA1
71095e8421fc297de8417c75f4e7dd46d9425fc9

SHA256
97541f8d0455e7948ca576d05747f2b913df6b4a9da9014f2e0a0c3dc3b16d58

SHA512
c0ebc011f8f1fe3c3a5b1691c50d139b4d84903840fa26971a868315a103bbe86085c2f292f65c0d9ba3c783d59294bf95c7feb6806863ff9cd55a72bb80f544

Download Submit
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
678KB

MD5
fef80bdc5233a14c388dc3f16ef9d43c

SHA1
71095e8421fc297de8417c75f4e7dd46d9425fc9

SHA256
97541f8d0455e7948ca576d05747f2b913df6b4a9da9014f2e0a0c3dc3b16d58

SHA512
c0ebc011f8f1fe3c3a5b1691c50d139b4d84903840fa26971a868315a103bbe86085c2f292f65c0d9ba3c783d59294bf95c7feb6806863ff9cd55a72bb80f544

Download Submit
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
678KB

MD5
fef80bdc5233a14c388dc3f16ef9d43c

SHA1
71095e8421fc297de8417c75f4e7dd46d9425fc9

SHA256
97541f8d0455e7948ca576d05747f2b913df6b4a9da9014f2e0a0c3dc3b16d58

SHA512
c0ebc011f8f1fe3c3a5b1691c50d139b4d84903840fa26971a868315a103bbe86085c2f292f65c0d9ba3c783d59294bf95c7feb6806863ff9cd55a72bb80f544

Download Submit
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
678KB

MD5
fef80bdc5233a14c388dc3f16ef9d43c

SHA1
71095e8421fc297de8417c75f4e7dd46d9425fc9

SHA256
97541f8d0455e7948ca576d05747f2b913df6b4a9da9014f2e0a0c3dc3b16d58

SHA512
c0ebc011f8f1fe3c3a5b1691c50d139b4d84903840fa26971a868315a103bbe86085c2f292f65c0d9ba3c783d59294bf95c7feb6806863ff9cd55a72bb80f544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
1KB

MD5
89a37d9f36550581d020350fce2681ab

SHA1
50cf0ebc762f6ff3211e9377b0af85482f54166b

SHA256
c3d773e9f0af69b5a676393c02fb287f78a43700a7101405543ff30aa51c86ad

SHA512
cf9490a1e2e31be41908e4adc8e3133334d5002991437836fe1ec2c5df030fdd6cd60d7c53a6d84d6208d3a91a12e5d9bfba5e5026b3463933230f58fcfef4ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
9dc6d59c481e182cf65cfc3163301eed

SHA1
e0301b2bd910d264af8dfefb35eb4339a8182f1c

SHA256
dc9aa2ed9de9f8cccfe06bf675d10dcd4578b77d06558a1de694d225f8e0d2a4

SHA512
926721f078da9f14b6e6fc150281342782e9e9813e1b407a9fefc1c8e4b9287f5e62d2163d2d9a5ed6fc215b6e4806f68a3706bcaafadf7316ca4fa22c77dba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8ce5043f0586087e48c9f07b790306a5

SHA1
668cb4a62d13f5d35b9ad62c495c26cff9ca4eff

SHA256
2266d6e10bc485bf9ae6e71df2d00e05f9058f1983e10c02488ea2de5755c271

SHA512
b9486cd6998613615a91927207834801bde05e82c6753f44c8c7b280d660069af12c0613de5f2123966c9d1ec47bcae1e4c83452c86309cd5c9a15ce9d8f67fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
1377c2956f6d4d989e6fafbe01600b49

SHA1
7a550dd67e42a8f1ba1468646af02691d0580345

SHA256
4e0206cd8e1112cdefa7f974876461a968bbcbbf016b1b1c2e3af77346507886

SHA512
0c559b1d2e6d1772aba8cc7a9dc8891522dc2df68558d4285ecaa87da4fabd81808f5ee8a599ceb7e26641029f7f9b3d27f33c2f42b0bd1f1a3fc5612083ed09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_B49B51C2F61192D2C0D20E671D9EF51E

Filesize
472B

MD5
99c6e888e109cfca37de80b29e284001

SHA1
3082cf79c611491ae64e5599f55e9e4908c457a6

SHA256
19503ecb247142c34038b8ac5e0a5ab5bc7d94ef205beb3edde394275010e15f

SHA512
aad8cfcdb8232ca5fcb2dcd3ed5d7d028001db7e50d47c5178c2894c00ad5712610aec649f4b6aae0c39e0e31b5863241a1ef685acfa6dd0e873c90319384bd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
458B

MD5
9f0896bb68517e5349baf3784094e83b

SHA1
bf4276b5a34f8a9d2105ad886c3c9812c4fb8a9b

SHA256
9ae788a20a5510dd60ba0679ed7a51f373ed26b98f10dc46f60e315850fce4c7

SHA512
5a99652c7e4fc4bd3bb6cbe2988cee07dd65e4e7a25670dce9b69787c6aa934c049fce7df5563a3f184881d353ca0dc9e8e13cc23a70a831777a2085fb0de5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
c83204a4b53adc81a50bc39abb001bdb

SHA1
4419dcff66a3e8d0ce5794771861153bdb9c2282

SHA256
c437d04eaab2fcb55cbb56ea98a887ef327b0f4b8580bf3e9015c1eac89e26cb

SHA512
526150f02601e933acbb0036d0b53bc151d33c7839cef91520b9c12a9de0d1bf2f048d113eb5f49ac95a613d55c5aaea59d96de570d1d2850a77cb014af54c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c39bdf227078ab1a04c000d7ab6ed08d

SHA1
62c345e24af8f3e90d9056a08b2bfd70de5bf7ca

SHA256
506087290a494304dc81a9ca88a98983a5a92a8acaf45c79daf8218785925fe8

SHA512
25cbe9095f8ddca6aa41002ab0ebd77732ecd94dd14d40292301665b5173529f3fa81f4b0c2c038738ca24c7c9eae323b7f9155ceaf960dec1f093f5dbe61a22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
8854660f96270ec14dfc2a117baaf5b8

SHA1
2ec231665dc6338d7a6124ee8983c0ebc616954c

SHA256
853884f59d9a2326eaa73f90c1b3e92d35c3e447ff4f4b9dccf5baf4f759ed10

SHA512
6434a8834a7df94285c95b1adac1b59f18ea0ef32df6dc1d981c680bca7868b13637c9d65f37799f5194b352a9d50cb9b0bbe48dec82d50f54237b42eab7f168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
6869e7d159818c5b550d7033690cecd7

SHA1
fe156a4c26f72d65e6ac14930049852e4df47088

SHA256
df33c6673cf8bdb43d7750799a16e38b9580e1abd35c0720e928face11c9d99f

SHA512
b504ca67962e7e8ddbca73d5854d2356d9ffbcbb3509a2167e34eccd5cfb7b3f55b3ae2e7511c4de34f6c326bc05fe6c9665ca6770cadd50187022f17248ed08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_B49B51C2F61192D2C0D20E671D9EF51E

Filesize
402B

MD5
d0e27f73a060853517905056ad724d45

SHA1
0a1a5327b460eebedd9d5fd50fd9097406091332

SHA256
6f8f0253eddc0b4418ea87655fb3b6ff4430be9ec273e7e753e59c857b3deac5

SHA512
f92644df9b14971be5e4c4da14ff7dd245ab7d0935dc6d8d50c3d23ba5642e1c40dc335a9ee1e3d34a25ef55a0f6c0fc53546bb254918b2ea0fd383167d5ead8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\2.5940ae1c.chunk[1].js

Filesize
418KB

MD5
04bb6e8d9135d976f28e9ba68fbc6f67

SHA1
fe386efd5e23414c48e37d3dbfe340f1ae5d4d4a

SHA256
b81d40ef3e5928c7bee6ec287ecebfea17f6d62b277916f0b70d223fa4881d18

SHA512
aa21f0744d9e6d286506e425af6f1ea091ebcbe3c671fe339d5c3c18e541323cada2182fae79e3c910aabf4d225142b2bd8458b890322e07f4f9084cf686fbd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\caf[1].js

Filesize
143KB

MD5
db939a550dc25b51be452f1d53e68379

SHA1
1b1c9a3e4acbb57b320cd406a9bddb5fe5294dfa

SHA256
db21a922c25ea3759eb0b0d32a66ed9f9593467888d3bfefe1665c5b63c66fbe

SHA512
cd0401295b7529430038b1c056426bcc4e092b906c8cdbcc56fc5d81eab1fc32386b099d4ee45d3aef472194a3bd85af18ebd2cef72b42b61736b99b0aeea8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\main.4e219663.chunk[1].js

Filesize
273KB

MD5
87b518e8e45487e774f8d47f2dc0026f

SHA1
e5da4365a7867737da9b39ef021cf9f35d12cc5b

SHA256
1ef669d1914ecf9299396df700b34839c61c6bb24297dc6b4284820eb5f2e5d9

SHA512
7b8b1c87c0eb5ab34d515df4880b88dcc5bf7c6b5089349bcf05cd2bb82a0152ba7ebd21fa45fabbc460076543e7e563f881234d3b1dbe66188e98d01a8c7d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\chevron[1].svg

Filesize
200B

MD5
11b3089d616633ca6b73b57aa877eeb4

SHA1
07632f63e06b30d9b63c97177d3a8122629bda9b

SHA256
809fb4619d2a2f1a85dbda8cc69a7f1659215212d708a098d62150eee57070c1

SHA512
079b0e35b479dfdbe64a987661000f4a034b10688e26f2a5fe6aaa807e81ccc5593d40609b731ab3340e687d83dd08de4b8b1e01cdac9d4523a9f6bb3acfcba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\search[1].svg

Filesize
391B

MD5
a6ad6e65373db8c1b1f154c4c83f8ce5

SHA1
84cc007d6d682c589e1e1f87482a5278830f3000

SHA256
920a378947204498c122722933b3a4b67788a2b6fade8bd0d47cf830eeee0563

SHA512
09b6d4711c284b1a04c9c4d874f3d1ddfc876c1491fb2aa283a13505bcdbfe90b02731d0b7ad5f492b1dda2161a4afe20040801ea634d2727cde84319adfb1d2

Download Submit
C:\program files (x86)\internet explorer\wmpscfgs.exe

Filesize
678KB

MD5
fef80bdc5233a14c388dc3f16ef9d43c

SHA1
71095e8421fc297de8417c75f4e7dd46d9425fc9

SHA256
97541f8d0455e7948ca576d05747f2b913df6b4a9da9014f2e0a0c3dc3b16d58

SHA512
c0ebc011f8f1fe3c3a5b1691c50d139b4d84903840fa26971a868315a103bbe86085c2f292f65c0d9ba3c783d59294bf95c7feb6806863ff9cd55a72bb80f544

Download Submit
memory/2072-132-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download