9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
Size

477KB
MD5

0c960891e42a023fee7e28284cb5f5a2
SHA1

49c8a96e8b4ab7e4ac73bc56f3d494ba422b5dd2
SHA256

9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a
SHA512

8e2b7f7c8c406cb633feeee3e189fd5914380ec6e0d4b84287a79eb4de67e1ed1e2c9d099aa22c8562da2ad801948e7e4db23ba8c91127633c50673c1101cc15
SSDEEP

6144:69A3485uQ+LIz5fTj7eGWhLbcVL8LLyU08xuIVbt0JHRPWAN2IlzOPfJ:eA3iQimTnbe3iL8LLyB2uIVYHRNzGfJ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\W:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\Y:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\B:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\E:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\J:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\K:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\M:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\X:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\G:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\N:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\P:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\R:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\U:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\A:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\H:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\I:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\L:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\O:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\Q:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\S:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\T:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\V:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
File opened (read-only)	\??\Z:	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\msew_02p.css	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84A86BB1-77DC-11ED-A584-DA3F1CB7DA19} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b00415c231096840b2f3b288cc74a75b0000000002000000000010660000000100002000000043ecd75b19f9f0760d0429d4bdc3eaf2561fb941eeb902cb43dcd5885ed8bc3b000000000e80000000020000200000002bef6a8e2edd54233a138c572c8697a1954e42489ae0452d2807d51b10c2c57390000000d840197c356a89ece140666bfe52830b81f0fb2aba60e4c6c29be1d56ebcce647ee71bcd5492bb7e6f2e30cc575eacae3c2e33efd228c9abe3558680fd915e19c2b77f8879afd9a97551ea6cb85438f9b8f18e4b5adf8475f67860b1dc0900ab1db44078216db87e53adfce439778fd20fd61259d5608ba859233a6519ac655508f750d937348163621e459316990a6a40000000c87aca15b198c7da9cd1e1f77f46a60896deea79568cb5e4f12d35bc864db5c32fd7db27c49d98e22aca05572d080c88b76c52f041bcfb4931916a719f023fe3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b00415c231096840b2f3b288cc74a75b0000000002000000000010660000000100002000000016fbba8d2291b7ad2522e3a1453285f2cf3ac7e6f7cf7f607c34c3e993239018000000000e80000000020000200000001bce7e0cf2914ba61eef9ac2c64f6418e06913446fcb48d3657e4c81e29d21b8200000006c22953b7bd53d927c09b3867b49fe00de5d976fc22a5ec2ab71a24a256ce98940000000a64622f224aceedc16fc0ca8a991bb4c840eaf387b03b7fa7eef488b50a8c45dac0349dc028a5382376dc6bcdb834496921451ffc3ce3b873e54e6d63f8fe3c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d02b4ee90bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84B6B3F1-77DC-11ED-A584-DA3F1CB7DA19} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377367428"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1484	iexplore.exe
548	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
548	iexplore.exe
548	iexplore.exe
1484	iexplore.exe
1484	iexplore.exe
1396	IEXPLORE.EXE
1356	IEXPLORE.EXE
1396	IEXPLORE.EXE
1356	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1484	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	27
PID 960 wrote to memory of 1484	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	27
PID 960 wrote to memory of 1484	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	27
PID 960 wrote to memory of 1484	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	27
PID 960 wrote to memory of 548	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	28
PID 960 wrote to memory of 548	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	28
PID 960 wrote to memory of 548	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	28
PID 960 wrote to memory of 548	960	9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe	28
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 1484 wrote to memory of 1396	1484	iexplore.exe	30
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1356	548	iexplore.exe	31
PID 548 wrote to memory of 1564	548	iexplore.exe	33
PID 548 wrote to memory of 1564	548	iexplore.exe	33
PID 548 wrote to memory of 1564	548	iexplore.exe	33
PID 548 wrote to memory of 1564	548	iexplore.exe	33
PID 548 wrote to memory of 1564	548	iexplore.exe	33
PID 548 wrote to memory of 1564	548	iexplore.exe	33
PID 548 wrote to memory of 1564	548	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe
"C:\Users\Admin\AppData\Local\Temp\9a54239c504c1e30fd8c874fd61559c9d35b8a356c2fabadb73a33be60f17f5a.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.pekalongan-community.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1396
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://adf.ly/FT4JE
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:603142 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3991669eeea9704fafd4b69e5d8b0d30

SHA1
1ae09f93a82de3477ff23df51030a7f4dc4b8dc0

SHA256
1e5b875629530d594bbcc632ee631a5d5f4b0ceceaf929fa04ac269becaf3465

SHA512
1caa62742c087cd2e9154d036c100c1a52c56679125a0201e46f1bd8df8d27138693f4e9165c0ff9f7c5a19f1a7c7bb8a78112f083193b5ea36ab09529be93b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84A86BB1-77DC-11ED-A584-DA3F1CB7DA19}.dat

Filesize
3KB

MD5
5eaf451875781b6d8d91fb951ce0931d

SHA1
f536f4fd2f74e0125078e514ace591583a7bef18

SHA256
9aa4430ce2cd4a19dc588b6b17c9002edbbd43289e980b0dc932a00976c7b08d

SHA512
8dce53c8ed03da070ac80ff0c6997ab34a2c549a15f42aea0c8283e516e9d464c23f18ec1e904ec6a2661fc9f4785e06ba2307f9146e0ee4ffec944932f839c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84B6B3F1-77DC-11ED-A584-DA3F1CB7DA19}.dat

Filesize
5KB

MD5
3a29150566e77448a1438d6b077757f7

SHA1
cccd072a4438ec0a397884bdeac3ed774dc5a38e

SHA256
fa6911cf119ac40eb8e5f8732f7d32f43a0565af3eb70e55081f62acaf55754a

SHA512
9b53a05fcdfe352df74333f6457fe6bfc4c4615612ae3425c9b27b8a69ee7e94d74f1657edd70cacb6f5a8d0cae8894d972a55750caf15564c8fc5416a3b3dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
cc06274ccb2aa8136d91c990f302cd3b

SHA1
356531778e82962cd1769c0a2c5a20d9d80c6748

SHA256
745d40139791a6a8a3aa2f748a8880003885ebbb3f179632f989cf732e0b6985

SHA512
0fb2168d78cac08c94e5da12a68e52cb53158df66f1929d8d30928ffa29ded7874bdefdd7b5ed8ba2366ac8d1fc037c8614549c49710b09547f48af97dccf55d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DL1LELBV.txt

Filesize
602B

MD5
bd93ceb12af7eb90bc3b323aa59c1986

SHA1
c3954635f42dba58bad30861f8ff58d17b44c984

SHA256
5926303443eed5759dafc1907f089b685af5a26d682f25689dcd6c06de664f33

SHA512
dbb77555a1e30ba9673dc25fa0f054d090d6624a0d8c7546e2d05fd464a843d7b51bf5e6488405bbe3a99af99928e16b3e2ab1fd9f7c806c9497937e09cda8ef

Download Submit
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000400000-0x00000000004AC598-memory.dmp

Filesize
689KB

Download
memory/960-58-0x00000000004B0000-0x000000000055D000-memory.dmp

Filesize
692KB

Download
memory/960-62-0x0000000003EA0000-0x0000000003EB0000-memory.dmp

Filesize
64KB

Download
memory/960-66-0x0000000000400000-0x00000000004AC598-memory.dmp

Filesize
689KB

Download
memory/960-67-0x0000000003EA0000-0x0000000003EB0000-memory.dmp

Filesize
64KB

Download