e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443

Analysis

max time kernel
152s
max time network
199s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
Size

1.3MB
MD5

9771007b3f21eb97ba9845557a003c50
SHA1

21a83b030f5ce4b134b0c03c2e4d2d4f6ca4b04b
SHA256

e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443
SHA512

0938c61cc6fb6b0410aaa2b1c10b4932a7086c6e1419ca89d3bff8dc2eeb7859c2f3dc6131c0984633a6bdd30307a814922849afe1164e2a5b3f46a3ec082407
SSDEEP

12288:8CyzSuwhJuXmFFgQuzZ2apvLXCko4NkAlOA54NkFdIoXNw6xXVSYfHruXN:HyTWFyQQ2apvJo4NkoQ8IiPWFN

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\progra~1\ico\$dpx$.tmp\fa42dce00f18cd42bc9a9b0aee6de914.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\e29687b6978d2a4e8dc316486e06f85c.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\b72500a8b341054e802c317dbe2c40bb.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\34b3fee735f59443925397f323b985c7.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\9f8ea62115925749bca746e780efc78d.tmp	expand.exe
File opened for modification	C:\progra~1\ico\$dpx$.tmp	expand.exe
File opened for modification	C:\progra~1\ico\$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\46dab3503431864285caa9f89334c86c.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Music.ico	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D016AA1-7647-11ED-B110-4EFAD8A2B6A5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E050790-7647-11ED-B110-4EFAD8A2B6A5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377193373"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8025452c540ad901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E04E080-7647-11ED-B110-4EFAD8A2B6A5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1632	iexplore.exe
680	iexplore.exe
1928	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
1632	iexplore.exe
1632	iexplore.exe
680	iexplore.exe
680	iexplore.exe
1928	iexplore.exe
1928	iexplore.exe
948	IEXPLORE.EXE
948	IEXPLORE.EXE
1772	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1772	IEXPLORE.EXE
948	IEXPLORE.EXE
948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1528	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	29
PID 1260 wrote to memory of 1528	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	29
PID 1260 wrote to memory of 1528	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	29
PID 1260 wrote to memory of 1528	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	29
PID 1260 wrote to memory of 2024	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	28
PID 1260 wrote to memory of 2024	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	28
PID 1260 wrote to memory of 2024	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	28
PID 1260 wrote to memory of 2024	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	28
PID 1528 wrote to memory of 1400	1528	cmd.exe	31
PID 1528 wrote to memory of 1400	1528	cmd.exe	31
PID 1528 wrote to memory of 1400	1528	cmd.exe	31
PID 1528 wrote to memory of 1400	1528	cmd.exe	31
PID 1260 wrote to memory of 1632	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	33
PID 1260 wrote to memory of 1632	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	33
PID 1260 wrote to memory of 1632	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	33
PID 1260 wrote to memory of 1632	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	33
PID 1260 wrote to memory of 680	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	34
PID 1260 wrote to memory of 680	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	34
PID 1260 wrote to memory of 680	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	34
PID 1260 wrote to memory of 680	1260	e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe	34
PID 836 wrote to memory of 1928	836	explorer.exe	37
PID 836 wrote to memory of 1928	836	explorer.exe	37
PID 836 wrote to memory of 1928	836	explorer.exe	37
PID 1632 wrote to memory of 1772	1632	iexplore.exe	38
PID 1632 wrote to memory of 1772	1632	iexplore.exe	38
PID 1632 wrote to memory of 1772	1632	iexplore.exe	38
PID 1632 wrote to memory of 1772	1632	iexplore.exe	38
PID 680 wrote to memory of 1740	680	iexplore.exe	39
PID 680 wrote to memory of 1740	680	iexplore.exe	39
PID 680 wrote to memory of 1740	680	iexplore.exe	39
PID 680 wrote to memory of 1740	680	iexplore.exe	39
PID 1928 wrote to memory of 948	1928	iexplore.exe	40
PID 1928 wrote to memory of 948	1928	iexplore.exe	40
PID 1928 wrote to memory of 948	1928	iexplore.exe	40
PID 1928 wrote to memory of 948	1928	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe
"C:\Users\Admin\AppData\Local\Temp\e5d93115a1ae4db537f3a0831d4ec3fd5a1dd1083a0f3f28d81dd61677ca1443.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.v258.net/list/list16.html?mmm
  2⤵
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\hWRCb.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1400
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.q22.cc/?ukt
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1772
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:680 CREDAT:275459 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v258.net/list/list16.html?mmm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fa41970359a162c9a2ed5b8fea87541

SHA1
e54cc49e19a5b83c2fe51a580fae83297c101ad7

SHA256
7f005af271ed4c2a196d296f7cacbcd52fd16bcddf5da13d42559ffe981ec2e1

SHA512
0f7a5a9d739dca90021f510b95bada7b1f231da7af2e7db680457ce5cb08d7e28f7c2b8e87215ca45d7a1cccb8b63c338351b55047ce5700ca69746b0fb4dc55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84e260849495ef1c1119d9b12e6c9adb

SHA1
38016bc0f471aacdc282a22544afcdc0a7675a6c

SHA256
8a087ce1fd221fda89a9f775ac9b7db6657d72f07d45625ef4f768d4e650afb1

SHA512
b9ba6bec02e5196504abcb74733151b74b9b1d3a5943c279c8c25585a9a4ff2ea1f0d51e27710ed1ec225a9fc7eb74d46b4caf26a853aec1db88ef2508ff1348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f306fef5d15b0c232efed42e469e4ddf

SHA1
e3d97eb4b6bab90012076741fd55a534b674ed1d

SHA256
7b79cc77d6067f39b2da31c1f1651ba76ad910be233841e712f01bc70730ed6c

SHA512
ae7e16e753de21c6ac420e7542d664c1123e89e2729718084fa15343a296bb34b5e4e42ea7818b07a1434c3759b7a4e25492bc25fa949f98ac85e51bf1fe4d47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41be5a48d6d309a4229bd89e1683fce4

SHA1
6639a36b3c7d6d21536ac32fda9daa1dcf302e5c

SHA256
575cd9d5383d0a269973075d52cbd1918fabae9f5be0d4d0df9d73c138783e3d

SHA512
ae968ef7ec8fae5b159081173d6c779a71b388165bd0b67683f4c53c2a2a3871e7ff25a9d040226804b785f7726799c84a55df17614803bb3b5eb1939553cf27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D016AA1-7647-11ED-B110-4EFAD8A2B6A5}.dat

Filesize
3KB

MD5
3d68bca90ee773a3d942b86699621c69

SHA1
469fd7fecf456f040a51dd78d04adc813f273d55

SHA256
1bd2371a59c6d3dc0d026ad1eabeced184ef484997ff7b4e6e05bd6ce9075a6b

SHA512
4fe9b7fe858c03b291cfd3ae274206ab507b7df3e7c2723b07e28b927fb4015218ec09e094243cb7726ed414c463d08808745b2a68965934c9e8fe196ba814e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3E04E080-7647-11ED-B110-4EFAD8A2B6A5}.dat

Filesize
3KB

MD5
e850d6510e4ec33bded51600bbf52f13

SHA1
a48bd30a09bc1738eb1db47719799e41d70cfdd9

SHA256
162b94a9e4230c2bd083a4144bcc0787b2b16694852d8c452f5bc312559b57f8

SHA512
62b0c39be918fe9b029c232b9e23c1b681c6762f52e9825e94dcbbc8c6f4719ad950c6bb0cb43c067cf989d10ca52b4879c765db9022cb0493981612408423dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hWRCb.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T51GM0K2.txt

Filesize
601B

MD5
49e52613ff0311980eb36ea40360a162

SHA1
b106a5bdf31653c6f719d06588bd063995779f72

SHA256
3a7c8cafeaf7892d408947a964c6eb08f1b50dd4f06551728aec190b27fd0ae6

SHA512
40ccfbfc3eb19f73db08227889c7f57871e209c15f3ef377f9c47c16c2c41b8bd72fd091672ef2f7352753f3740f4e66c53e7a168ad4d89aac5627b853e5a1e2

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
18KB

MD5
f462d70986dc71a5ff375a82bd9e3677

SHA1
f3d9c09a0ff51d81377e15ae4e0e2fceaede142b

SHA256
69528b0fb4e1bc3fb8d92839d98e0717b3f680d98fdfcb9809a2f557aacab295

SHA512
5bd2d67bb78dc8c4275390667c135ed10c4733e46ce58ef524ea79869f740db00d2f4a37b949896edcbf1ebbfa1ab4dd16afab4418ff637322883435bb7543ec

Download Submit
memory/836-64-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1260-63-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1260-54-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1260-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/2024-61-0x0000000074FC1000-0x0000000074FC3000-memory.dmp

Filesize
8KB

Download