b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe

Analysis

max time kernel
177s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe
Size

1.7MB
MD5

99331247e1309357488aad9f724832cb
SHA1

0f9bb543716dd4586c1bf900f88bbbcf470f136e
SHA256

b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe
SHA512

9f57e49efee6d21547a3976d3fc012dae206ae8c584ffa383608550d6b5a8e5111d0eba8a67cc8c013604d2ec74cd9843f353d3da8a9d891932f6103382a6a60
SSDEEP

24576:0ZE3QpzG6QICxXmFu9Gv0DCHV9eWfQJ3KJlNdjJuLFkEEap6qLVooLh5xkYqLVoM:0mXmb0DIsW6anjZU5HS5eQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2851626606"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000389"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752094166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2752094166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C430C716-7338-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752094166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752094166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C42E3D6E-7338-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\youku.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752094166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000389"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C437C6E1-7338-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752094166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2849595866"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2851783131"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000389"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000389"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2851626606"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0278cbc4507d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000389"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752094166"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2312	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4288	iexplore.exe
4728	iexplore.exe
32	iexplore.exe
3128	iexplore.exe
2436	iexplore.exe
4196	iexplore.exe
224	iexplore.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe
1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe
1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe
1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe
224	iexplore.exe
224	iexplore.exe
32	iexplore.exe
32	iexplore.exe
3128	iexplore.exe
3128	iexplore.exe
4196	iexplore.exe
4196	iexplore.exe
4288	iexplore.exe
4288	iexplore.exe
2436	iexplore.exe
2436	iexplore.exe
4728	iexplore.exe
4728	iexplore.exe
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE
3140	IEXPLORE.EXE
3140	IEXPLORE.EXE
4264	IEXPLORE.EXE
4264	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
3936	IEXPLORE.EXE
3936	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 4288	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	82
PID 1236 wrote to memory of 4288	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	82
PID 1236 wrote to memory of 2436	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	83
PID 1236 wrote to memory of 2436	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	83
PID 1236 wrote to memory of 4196	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	84
PID 1236 wrote to memory of 4196	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	84
PID 1236 wrote to memory of 4728	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	85
PID 1236 wrote to memory of 4728	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	85
PID 1236 wrote to memory of 3128	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	86
PID 1236 wrote to memory of 3128	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	86
PID 1236 wrote to memory of 224	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	87
PID 1236 wrote to memory of 224	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	87
PID 1236 wrote to memory of 32	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	88
PID 1236 wrote to memory of 32	1236	b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe	88
PID 224 wrote to memory of 3936	224	iexplore.exe	89
PID 224 wrote to memory of 3936	224	iexplore.exe	89
PID 224 wrote to memory of 3936	224	iexplore.exe	89
PID 32 wrote to memory of 4264	32	iexplore.exe	91
PID 32 wrote to memory of 4264	32	iexplore.exe	91
PID 32 wrote to memory of 4264	32	iexplore.exe	91
PID 3128 wrote to memory of 2936	3128	iexplore.exe	90
PID 3128 wrote to memory of 2936	3128	iexplore.exe	90
PID 3128 wrote to memory of 2936	3128	iexplore.exe	90
PID 4196 wrote to memory of 1440	4196	iexplore.exe	95
PID 4196 wrote to memory of 1440	4196	iexplore.exe	95
PID 4196 wrote to memory of 1440	4196	iexplore.exe	95
PID 4288 wrote to memory of 5024	4288	iexplore.exe	94
PID 4288 wrote to memory of 5024	4288	iexplore.exe	94
PID 4288 wrote to memory of 5024	4288	iexplore.exe	94
PID 2436 wrote to memory of 1748	2436	iexplore.exe	93
PID 2436 wrote to memory of 1748	2436	iexplore.exe	93
PID 2436 wrote to memory of 1748	2436	iexplore.exe	93
PID 4728 wrote to memory of 3140	4728	iexplore.exe	92
PID 4728 wrote to memory of 3140	4728	iexplore.exe	92
PID 4728 wrote to memory of 3140	4728	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe
"C:\Users\Admin\AppData\Local\Temp\b34dd74c6dc826efff4334860757369476105c19a4d4e3f1e217e5c0f9759abe.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://user.qzone.qq.com/1052260930/infocenter#home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5024
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.zxf6101.cccpan.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1748
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.zxf6101.cccpan.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4196 CREDAT:17410 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.zxf6101.cccpan.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4728 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3140
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.zxf6101.cccpan.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2936
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://v.youku.com/v_show/id_XNTc1NzM5NDg0.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3936
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://v.youku.com/v_show/id_XNTc1NzM5NDg0.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:32 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_89288FB8F75752C62214E2DDBF985755

Filesize
1KB

MD5
f609891d140f6dd92c6776e6e130bb1a

SHA1
a5bbfdc89876bc31b7b969c8c3765a5f704e55e0

SHA256
f452008e384d3adcc0da3df9116995eb4f3b184318cab73c2fdec34d1ab8362b

SHA512
8d9aa0f7a9c50df0550cd0c155e57c987db9f362ed94dbaf559a802acf90094227d5e985bee7c8a57e57f8cf096e2413eb6d9c6d89adc115729f32309a269162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_C5506A6696391AD9CEBED269904EFA9E

Filesize
1KB

MD5
a74da3e56dc21e7e37f081517e3ee11e

SHA1
e815971ea65c1a3d1bdf548d7b7ee715ad1c5a4e

SHA256
16bcc9fdb0e5096d5e5277b55959e55a523c1f64d0e7f704031f525785800bd0

SHA512
d1283d573ca9b49f3b3b3d017d2cbf59374db1b6ea76f02c1a21d84d60c2f7f0998d82296871ac8bc24495ce2dec517233e23e91f109e947b4316ab45bd54233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_E415CEEF5F3C45D0FAECEBC57258EF8D

Filesize
1KB

MD5
66b36fb3a62522db85fe223500e551a0

SHA1
4eb408f100b3d63a06f369e1fa4a94edaebcf88e

SHA256
98ece3ecb58a4f4d1b960b2b592d45c7e3579e1411bddb71de4a9dc4b5ca580c

SHA512
e1ce254022228bacfb5111ba514c9f0201ce719b234f7fcad4260371e943c47cca6df9e74abc93c15e15e9ef532e1c8707fcf8dced2effe087fe597c741abc36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
1KB

MD5
e9e7373e05cb8f0f4f021798092f3b8c

SHA1
b3507a125c80cf9dc6fe12cfbe29c7282bb33422

SHA256
d197aaddce315f4e06b014f798ca0fb1982a978cc606cc77d7bbe7d15248e8df

SHA512
de5f260320f5db3fc88e8427103f391a65abd9fae0f0640c6fa072c4e9a63edab56f11bc071a093a5ee9f5109e46fcb67dbbdce5bf1e9127f535d40f79ab12bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_89288FB8F75752C62214E2DDBF985755

Filesize
536B

MD5
ebd90a3f443169a2f6514456fdd90f6d

SHA1
d0e811464cb5ac4b1700675de84c59c8be05093a

SHA256
0d0894db9f5b275223307cf6178375167ba1f15c06173eaa9f56207d7f5cc9e8

SHA512
b8e571aa3fb86671b2892b91508d5aad23c09d0fc91755a511ea8ca59b084e7fd41cd439c827ca169f7d8f35e7d9c3d48fa113d83208392671eb06b397ab54e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_C5506A6696391AD9CEBED269904EFA9E

Filesize
536B

MD5
aee5a976461cbf67c55a27c50cd11eec

SHA1
4bf3ec23ba21cf6641dc3ec6eebdcd88a33597d8

SHA256
f092516efd150d4693284b384adfd59fa48458a78c224e0a0ff790b055ae1c79

SHA512
0ea94b6e132336bd0e9ddbc10094047f679d85bc783d5e597a408fc742963488d8ff5bedb707fe59e0e474a1c9aef8a98da73b4581b799d4c3ec737933502220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_E415CEEF5F3C45D0FAECEBC57258EF8D

Filesize
532B

MD5
558ff48b78cd06220fd1bae88a3f6049

SHA1
004976af1f5d42f202dee8c53df40c596acedb10

SHA256
a2b8019114f799611dd363bef968b336e01e4f42c5aed33ab4333ae88072e864

SHA512
6ad4313319a8f25dd10263ad50bfc4abe465224a8dbadb38ca8a78a5394f1d6474785675c67e0b36306f903ed988fbe9960989ae281857245824b8ab3b7c49cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
492B

MD5
c27d3ec91435f0d3381c09c76cab899d

SHA1
7f3341da3a1881c75400a07484a00b3385ffdb1d

SHA256
fe7b871f3d1bff39c726036677e757a3c11453aadbb34e1f7a869356c4bdb2f3

SHA512
ecab00615f5e776369331b8328d3cf09129e51d3d8f38d1603d455b1362378cbdb8e664a1cd6a63543f8a3d8d2248019f53381157f1c67cfeaadc071d68061b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\GIRA5MFZ\v.youku[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C430A006-7338-11ED-919F-DE9E83FE850F}.dat

Filesize
4KB

MD5
f05438a9debb8eeb18b82e7ff1f62f65

SHA1
1e28ee34d54c40a0ac50c8a1416921f7e5c2f7d8

SHA256
aa958a493e5e6e964714cd64688f458894c8bd698364682e3eb44705d6a7e950

SHA512
a664c1d883e3fae9b1e000dc371e4bc345baa363d3f7df16d4a8b4d57b65327b45cbe00f8cdc780ba20254b5c197438e76e6699d8ce8583aebfd5a81024cec13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C430A006-7338-11ED-919F-DE9E83FE850F}.dat

Filesize
3KB

MD5
1b83dcfc0c5d20e82ac72b9e3999ed11

SHA1
4c437bf2716a365c4e154d1188d39c1c9675cf78

SHA256
a93102cd31b31ea6d26539aaca458c22038dc90bdaa95399f7787418e0b77638

SHA512
25960b34aec846a73fd60959f79d66c942536d5216e2829d5766b7e93dbe8ef7fe1cfb3471c24c49e487a2ec12d8419fd4e74ce4348a170a97b54d95da66fdb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C430C716-7338-11ED-919F-DE9E83FE850F}.dat

Filesize
3KB

MD5
c0384c4f8edcfb2c1c5ae46c03fe3958

SHA1
e0804014b4eba73f22310ce554d139c0136d73a4

SHA256
a9cc6f47e2b75130916cd01fa661376552ac7837ab431dd8df14be5876bdd23b

SHA512
62764bfbd9589a2480062ceae94ddd57b805b0282b9aab81df7926c6a65842ae9ec3ef2d7886b8e80ade07c385830f0306f91713ce402c7cdb1e2f4fe01c3320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C43CB253-7338-11ED-919F-DE9E83FE850F}.dat

Filesize
5KB

MD5
830780442a669c7bbfd1dda5139dd39d

SHA1
6a6a7e73b143c4cf844e35bfc9a0a3439b16fde2

SHA256
cb3f635a99b1cd5e20fae7452f94ee8995674dc856e40ef9a1174a1c36b5c13c

SHA512
b9fbbda83f7b573a52789d8e35ab29ff0b516d69f2242766e0e349b762a71759cebe6a0a96692f3065b5efe0b0cee60c217fa23ffb98887bc5c199021b448a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\flexible[1].js

Filesize
1KB

MD5
8f16100cba812176880b063577711755

SHA1
56f94b7f150ce8926a3e77a51622910843e3dcea

SHA256
e1dbb2115ee1deca2ad6e503e132e9429722f04c3bca42f3d4b87439f9f8ad86

SHA512
8c8f5252c16b21332de9ca1cd4180e10b83f68d15ad0df533d3ab8b570fc7961aabcedad9b8959161dc538ecbf8a5e686843da47308bf39ecdd5afaf7537e2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\index[1].js

Filesize
4KB

MD5
f610efda5eadbf6804ef87b08cf61914

SHA1
07d39ba7fa9a2f803c430ed1c02de745495cc300

SHA256
a23ac114b772a4bae1498d203e5dd2beac4292777bc5689091a30d6083c151d3

SHA512
54864e70ac193159c757720dcc606af0f6b5b4e7f291c4c2139fa3f5e8d6622991ad9686d2fa20fda86fc10971cdd558c7095ecc93d9b28c40f15139ab84a766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\index[2].js

Filesize
17KB

MD5
0ad4251158abb9d73a55ab7dd24fbf66

SHA1
350d23bc2e5036ac20a9513d7d30a8e7391916c4

SHA256
8a978233505986e37cf952a7656e6c31f4a8d13902d76c68f28de30bf9f1d57c

SHA512
193d027c8680bb5fc8e0324d45cd460e968a8b4d04455b61fa4dd23af35706bc9d1b070c44f182bdc74314ab7cff88765501141b3458d4b914643462e1554602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\aplus_v2[1].js

Filesize
16KB

MD5
6b9f60df520892ed74c0269b7a889d8f

SHA1
b1d48a016863f1091d7bdd3ddc362f414531cea9

SHA256
8d2f36dc4a8342a131cdb45770b5280375fa26d7ff4dffd782f7e9b727c423b6

SHA512
655db2e1ba60043c7289f3fb81f776aa91b9819ba7e4913da72d6d94c2e92eed109c2943c9c5fd253db24c69cf5004b65819c7f43feb31ad19c3a9353881998f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\main[1].css

Filesize
10KB

MD5
41fb1e1de30f7a120a79d470312f2fb1

SHA1
c8801b4b6b2d9602171f6c474154dedda20bb83f

SHA256
b52046f8f692681e1bc8384c1f78c58a587cab9568264d8fefe9a90d4327df4f

SHA512
78c6f5586c34460be005df420f5a310b808ba554a87dc836a64475d836ffe332eb403a16e68cdb4d75523c529283b76e273239591a03e222e026a0e7d7aeaf59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\windvane[1].js

Filesize
4KB

MD5
373769215f3e5897427add29b6e4cbe8

SHA1
6189c92ca2e4fd75c320634c0f81bfffe3e3c22f

SHA256
4511bc1cea24dc32d06ac80351921246ecb0f61014fbeb07ec627442df296d18

SHA512
adbdabc3b779fc2b84595baa94a0c064a24887737953e341785c4fb3e0e2fbc9bbf60e586b801fe80ab773b0ca79c4fbdae80846ffacb1542a68b9dc761ebf30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\4.0[1].js

Filesize
23KB

MD5
8278f7f8302be776c6d455efc2441314

SHA1
9248715071d9abd90614c1045bffa112d358a8da

SHA256
ef414b84f50c2220f2bf36bd0378f02a70b15be9b1e92e4cbf75a056d0f6162b

SHA512
c7c784ea84ce950a478959c99f545f720e8bf7ad93a1ed9e973117eee0775932de4927ad7cc5d53af70714442f161baae8f22cedf3b505542c2612c1e0296779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\et_n[1].js

Filesize
109KB

MD5
97b6c61e26db08c305205b68cdf68ac8

SHA1
ae0a900042897de3cdb8a6e8317bc19686bcea6f

SHA256
23efaab0233a71426cdfe8398921fae6c9d19b43db05f5e61800141dc90d449d

SHA512
de76bfe377d92322613066424af031815b1930a97cca42224975e4c40b99cc63593f7360b1a7fe6ee29319a485c6cec7335c53579fa0d0cbef2442dd161bb64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\mtop[1].js

Filesize
25KB

MD5
e8eadbac19c1730c88ef6a91ed7bbb60

SHA1
8f734f5183135bb4be0e88599c073ffe5b2b54c5

SHA256
094bcd47a37cd9cd07ff462821c897ba1dbc277c4e7dbfce4b0c89b44bb9566f

SHA512
a032088c2f5cd15dd5bc7f99a3b33ce2b28076daff4610b1841fe86fc01336e68d6d16260840791ccafc7482aea64aa919e489ea98996de1a6059c07e8f757a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\LNUJ6KRI.js

Filesize
147KB

MD5
2033d8acbdd8bd51fdff71594b250adf

SHA1
5bd1e4e857471258dab3b1e0e068607f7e1891f4

SHA256
894e4398b9e3e379c26b07fff7c048b2e30b486151a8c456c8f9cae14467f177

SHA512
17ad6b8087e9797912f184906effe51083a7b6698f9cc8a2bf4bbefeec09264086c4cb5458d182a884e4b8d3d4c3659a29ee8a874831c6c517cb8ce2797f6308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\punishpage.min[1].js

Filesize
72KB

MD5
9ae61abf9de7510154ae05b8303b5402

SHA1
79986199d14e9c958814ce89eb1e905c258a26e7

SHA256
7f1f2f0a26b4f0215cd2e6dfca2215b2d31dd191f132e25800cf2ade1a13c681

SHA512
27ec370dc088d5053d04542bcf2c6acbdb7014e6be22b96590142fc7b6c7d8afaa9befa042ca0572b0e2c03a714c9f595add1c4acb09aaa70771fac11a885d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\qrcode.min[1].js

Filesize
19KB

MD5
517b55d3688ce9ef1085a3d9632bcb97

SHA1
2d06c1f823f34c19981c6ae0b0eb0f5861c5e14b

SHA256
c541ef06327885a8415bca8df6071e14189b4855336def4f36db54bde8484f36

SHA512
08d80845e706a3b9e985b799d3849cd7791ad3ba5aa9d793bb4591d4833890d7299810144874905f416c94d8530da74be0ee520066a91ade05a1da8bf0ccb498

Download Submit