38ec71f08da849929d64109d3f18d2886b556e84c42f2a9ab56a2af253f00af6

Analysis

max time kernel
153s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

021b495e8d9dbc57e3ac91a3bc03f5ab.exe
Size

71KB
MD5

021b495e8d9dbc57e3ac91a3bc03f5ab
SHA1

7acd00a40dd6d1875ce4cc1e3db0e88fb2825e9d
SHA256

38ec71f08da849929d64109d3f18d2886b556e84c42f2a9ab56a2af253f00af6
SHA512

d2880b084634bc935fb7f06c15b5329d666841fad367c65ebedc1102558b1107d5a9d3ea7211a5303f62601b1cf82886b884df4de6d005d4a51149e62a026ba5
SSDEEP

1536:jvtPFPvXETo8nOnP87obBgGNFYX+t5ZKDifOqq9CngXMFU:h5XE5nm0obxNFYX+VKD+OrrMFU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	021b495e8d9dbc57e3ac91a3bc03f5ab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IEXPL0RE.EXE

Executes dropped EXE 64 IoCs

pid	Process
1336	IEXPL0RE.EXE
3996	IEXPL0RE.EXE
3192	IEXPL0RE.EXE
3656	IEXPL0RE.EXE
1500	IEXPL0RE.EXE
4180	IEXPL0RE.EXE
928	IEXPL0RE.EXE
4064	IEXPL0RE.EXE
996	IEXPL0RE.EXE
1528	IEXPL0RE.EXE
2656	IEXPL0RE.EXE
1656	IEXPL0RE.EXE
1632	IEXPL0RE.EXE
1620	IEXPL0RE.EXE
4216	IEXPL0RE.EXE
1184	IEXPL0RE.EXE
3104	IEXPL0RE.EXE
4700	IEXPL0RE.EXE
2384	IEXPL0RE.EXE
948	IEXPL0RE.EXE
3860	IEXPL0RE.EXE
1628	IEXPL0RE.EXE
4496	IEXPL0RE.EXE
4864	IEXPL0RE.EXE
916	IEXPL0RE.EXE
3732	IEXPL0RE.EXE
4952	IEXPL0RE.EXE
1544	IEXPL0RE.EXE
4600	IEXPL0RE.EXE
4500	IEXPL0RE.EXE
728	IEXPL0RE.EXE
4452	IEXPL0RE.EXE
3848	IEXPL0RE.EXE
2412	IEXPL0RE.EXE
2564	IEXPL0RE.EXE
2444	IEXPL0RE.EXE
4104	IEXPL0RE.EXE
2868	IEXPL0RE.EXE
3336	IEXPL0RE.EXE
3860	IEXPL0RE.EXE
4412	IEXPL0RE.EXE
3664	IEXPL0RE.EXE
3096	IEXPL0RE.EXE
1636	IEXPL0RE.EXE
4488	IEXPL0RE.EXE
3784	IEXPL0RE.EXE
3488	IEXPL0RE.EXE
4320	IEXPL0RE.EXE
2672	IEXPL0RE.EXE
3672	IEXPL0RE.EXE
3652	IEXPL0RE.EXE
2288	IEXPL0RE.EXE
4668	IEXPL0RE.EXE
1988	IEXPL0RE.EXE
3976	IEXPL0RE.EXE
2420	IEXPL0RE.EXE
4308	IEXPL0RE.EXE
4068	IEXPL0RE.EXE
3300	IEXPL0RE.EXE
456	IEXPL0RE.EXE
452	IEXPL0RE.EXE
1156	IEXPL0RE.EXE
752	IEXPL0RE.EXE
3568	IEXPL0RE.EXE

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3500-0-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/files/0x00060000000231ef-8.dat	upx
behavioral2/memory/3500-12-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/files/0x00060000000231f0-13.dat	upx
behavioral2/memory/1336-19-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3192-24-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3996-27-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3192-34-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1500-39-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3656-42-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1500-49-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4180-56-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/928-63-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4064-70-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/996-77-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/files/0x00060000000231f0-84.dat	upx
behavioral2/memory/1528-88-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2656-92-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1656-99-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1632-106-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1620-113-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4216-120-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1184-127-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3104-134-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4700-141-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/948-155-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3860-162-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1628-169-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4496-176-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4864-183-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/916-190-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3732-197-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1544-211-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4600-218-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4500-225-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/728-232-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4452-237-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3848-242-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2412-247-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2564-252-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2444-257-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4104-262-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2868-267-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3336-272-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3860-277-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4412-282-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3664-287-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1636-297-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4488-302-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3784-307-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3488-312-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4320-317-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2672-322-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3652-332-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2288-337-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4668-342-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1988-347-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3976-352-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2420-357-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4308-362-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4068-367-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3300-372-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/456-377-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/452-382-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	021b495e8d9dbc57e3ac91a3bc03f5ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "IEXPL0RE.EXE"	IEXPL0RE.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.EXE	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPL0RE.exe	IEXPL0RE.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.exe	IEXPL0RE.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3500	021b495e8d9dbc57e3ac91a3bc03f5ab.exe
1336	IEXPL0RE.EXE
3996	IEXPL0RE.EXE
3192	IEXPL0RE.EXE
3656	IEXPL0RE.EXE
1500	IEXPL0RE.EXE
4180	IEXPL0RE.EXE
928	IEXPL0RE.EXE
4064	IEXPL0RE.EXE
996	IEXPL0RE.EXE
1528	IEXPL0RE.EXE
2656	IEXPL0RE.EXE
1656	IEXPL0RE.EXE
1632	IEXPL0RE.EXE
1620	IEXPL0RE.EXE
4216	IEXPL0RE.EXE
1184	IEXPL0RE.EXE
3104	IEXPL0RE.EXE
4700	IEXPL0RE.EXE
2384	IEXPL0RE.EXE
948	IEXPL0RE.EXE
3860	IEXPL0RE.EXE
1628	IEXPL0RE.EXE
4496	IEXPL0RE.EXE
4864	IEXPL0RE.EXE
916	IEXPL0RE.EXE
3732	IEXPL0RE.EXE
4952	IEXPL0RE.EXE
1544	IEXPL0RE.EXE
4600	IEXPL0RE.EXE
4500	IEXPL0RE.EXE
728	IEXPL0RE.EXE
4452	IEXPL0RE.EXE
3848	IEXPL0RE.EXE
2412	IEXPL0RE.EXE
2564	IEXPL0RE.EXE
2444	IEXPL0RE.EXE
4104	IEXPL0RE.EXE
2868	IEXPL0RE.EXE
3336	IEXPL0RE.EXE
3860	IEXPL0RE.EXE
4412	IEXPL0RE.EXE
3664	IEXPL0RE.EXE
3096	IEXPL0RE.EXE
1636	IEXPL0RE.EXE
4488	IEXPL0RE.EXE
3784	IEXPL0RE.EXE
3488	IEXPL0RE.EXE
4320	IEXPL0RE.EXE
2672	IEXPL0RE.EXE
3672	IEXPL0RE.EXE
3652	IEXPL0RE.EXE
2288	IEXPL0RE.EXE
4668	IEXPL0RE.EXE
1988	IEXPL0RE.EXE
3976	IEXPL0RE.EXE
2420	IEXPL0RE.EXE
4308	IEXPL0RE.EXE
4068	IEXPL0RE.EXE
3300	IEXPL0RE.EXE
456	IEXPL0RE.EXE
452	IEXPL0RE.EXE
1156	IEXPL0RE.EXE
752	IEXPL0RE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1336	3500	021b495e8d9dbc57e3ac91a3bc03f5ab.exe	91
PID 3500 wrote to memory of 1336	3500	021b495e8d9dbc57e3ac91a3bc03f5ab.exe	91
PID 3500 wrote to memory of 1336	3500	021b495e8d9dbc57e3ac91a3bc03f5ab.exe	91
PID 1336 wrote to memory of 3996	1336	IEXPL0RE.EXE	92
PID 1336 wrote to memory of 3996	1336	IEXPL0RE.EXE	92
PID 1336 wrote to memory of 3996	1336	IEXPL0RE.EXE	92
PID 3996 wrote to memory of 3192	3996	IEXPL0RE.EXE	93
PID 3996 wrote to memory of 3192	3996	IEXPL0RE.EXE	93
PID 3996 wrote to memory of 3192	3996	IEXPL0RE.EXE	93
PID 3192 wrote to memory of 3656	3192	IEXPL0RE.EXE	94
PID 3192 wrote to memory of 3656	3192	IEXPL0RE.EXE	94
PID 3192 wrote to memory of 3656	3192	IEXPL0RE.EXE	94
PID 3656 wrote to memory of 1500	3656	IEXPL0RE.EXE	95
PID 3656 wrote to memory of 1500	3656	IEXPL0RE.EXE	95
PID 3656 wrote to memory of 1500	3656	IEXPL0RE.EXE	95
PID 1500 wrote to memory of 4180	1500	IEXPL0RE.EXE	96
PID 1500 wrote to memory of 4180	1500	IEXPL0RE.EXE	96
PID 1500 wrote to memory of 4180	1500	IEXPL0RE.EXE	96
PID 4180 wrote to memory of 928	4180	IEXPL0RE.EXE	98
PID 4180 wrote to memory of 928	4180	IEXPL0RE.EXE	98
PID 4180 wrote to memory of 928	4180	IEXPL0RE.EXE	98
PID 928 wrote to memory of 4064	928	IEXPL0RE.EXE	101
PID 928 wrote to memory of 4064	928	IEXPL0RE.EXE	101
PID 928 wrote to memory of 4064	928	IEXPL0RE.EXE	101
PID 4064 wrote to memory of 996	4064	IEXPL0RE.EXE	102
PID 4064 wrote to memory of 996	4064	IEXPL0RE.EXE	102
PID 4064 wrote to memory of 996	4064	IEXPL0RE.EXE	102
PID 996 wrote to memory of 1528	996	IEXPL0RE.EXE	104
PID 996 wrote to memory of 1528	996	IEXPL0RE.EXE	104
PID 996 wrote to memory of 1528	996	IEXPL0RE.EXE	104
PID 1528 wrote to memory of 2656	1528	IEXPL0RE.EXE	106
PID 1528 wrote to memory of 2656	1528	IEXPL0RE.EXE	106
PID 1528 wrote to memory of 2656	1528	IEXPL0RE.EXE	106
PID 2656 wrote to memory of 1656	2656	IEXPL0RE.EXE	109
PID 2656 wrote to memory of 1656	2656	IEXPL0RE.EXE	109
PID 2656 wrote to memory of 1656	2656	IEXPL0RE.EXE	109
PID 1656 wrote to memory of 1632	1656	IEXPL0RE.EXE	110
PID 1656 wrote to memory of 1632	1656	IEXPL0RE.EXE	110
PID 1656 wrote to memory of 1632	1656	IEXPL0RE.EXE	110
PID 1632 wrote to memory of 1620	1632	IEXPL0RE.EXE	112
PID 1632 wrote to memory of 1620	1632	IEXPL0RE.EXE	112
PID 1632 wrote to memory of 1620	1632	IEXPL0RE.EXE	112
PID 1620 wrote to memory of 4216	1620	IEXPL0RE.EXE	115
PID 1620 wrote to memory of 4216	1620	IEXPL0RE.EXE	115
PID 1620 wrote to memory of 4216	1620	IEXPL0RE.EXE	115
PID 4216 wrote to memory of 1184	4216	IEXPL0RE.EXE	116
PID 4216 wrote to memory of 1184	4216	IEXPL0RE.EXE	116
PID 4216 wrote to memory of 1184	4216	IEXPL0RE.EXE	116
PID 1184 wrote to memory of 3104	1184	IEXPL0RE.EXE	118
PID 1184 wrote to memory of 3104	1184	IEXPL0RE.EXE	118
PID 1184 wrote to memory of 3104	1184	IEXPL0RE.EXE	118
PID 3104 wrote to memory of 4700	3104	IEXPL0RE.EXE	119
PID 3104 wrote to memory of 4700	3104	IEXPL0RE.EXE	119
PID 3104 wrote to memory of 4700	3104	IEXPL0RE.EXE	119
PID 4700 wrote to memory of 2384	4700	IEXPL0RE.EXE	122
PID 4700 wrote to memory of 2384	4700	IEXPL0RE.EXE	122
PID 4700 wrote to memory of 2384	4700	IEXPL0RE.EXE	122
PID 2384 wrote to memory of 948	2384	IEXPL0RE.EXE	123
PID 2384 wrote to memory of 948	2384	IEXPL0RE.EXE	123
PID 2384 wrote to memory of 948	2384	IEXPL0RE.EXE	123
PID 948 wrote to memory of 3860	948	IEXPL0RE.EXE	124
PID 948 wrote to memory of 3860	948	IEXPL0RE.EXE	124
PID 948 wrote to memory of 3860	948	IEXPL0RE.EXE	124
PID 3860 wrote to memory of 1628	3860	IEXPL0RE.EXE	125

C:\Users\Admin\AppData\Local\Temp\021b495e8d9dbc57e3ac91a3bc03f5ab.exe
"C:\Users\Admin\AppData\Local\Temp\021b495e8d9dbc57e3ac91a3bc03f5ab.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\IEXPL0RE.EXE
  IEXPL0RE.EXE
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\IEXPL0RE.EXE
    IEXPL0RE.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\IEXPL0RE.EXE
      IEXPL0RE.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3656
      - C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        11⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        12⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        13⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        15⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        16⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        17⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        18⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        19⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        20⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        21⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        22⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        26⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        27⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3732
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        28⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        29⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        30⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        31⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4500
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        32⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        33⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4452
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        34⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3848
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        35⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        36⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        37⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        38⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4104
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        39⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        40⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3336
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        41⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3860
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        42⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        43⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        44⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        45⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        46⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4488
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        50⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        51⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3652
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        54⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        55⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        57⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        58⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        59⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        60⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3300
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        61⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        62⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:452
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        63⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        64⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        65⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        66⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        
        PID:4448
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        67⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        68⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        
        PID:2432
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        71⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        72⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        73⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        
        PID:4788
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        74⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        75⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        76⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        77⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        78⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        
        PID:3672
        
        C:\Windows\SysWOW64\IEXPL0RE.EXE
        
        IEXPL0RE.EXE
        79⤵
        Drops file in System32 directory
        
        PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\EXPL0RER.exe

Filesize
24KB

MD5
74d873f3b1cc855660bbe1f88cf9b695

SHA1
ec5599cb82d74f88356707de6a95659c5cf5a2d5

SHA256
97c145604bace19f44f10a4d9daf17b3073322c469bf2846c8a2d5ad88272091

SHA512
23bfc3e907bfb1ad4a7c9d3fe32a30d9061bc2d620722e96ce609ec97621fdbc615618f2e47d69c0d77844c300b6d943ea2fca9bb34294a2b158130df58a2549

Download Submit
C:\Windows\SysWOW64\IEXPL0RE.EXE

Filesize
71KB

MD5
021b495e8d9dbc57e3ac91a3bc03f5ab

SHA1
7acd00a40dd6d1875ce4cc1e3db0e88fb2825e9d

SHA256
38ec71f08da849929d64109d3f18d2886b556e84c42f2a9ab56a2af253f00af6

SHA512
d2880b084634bc935fb7f06c15b5329d666841fad367c65ebedc1102558b1107d5a9d3ea7211a5303f62601b1cf82886b884df4de6d005d4a51149e62a026ba5

Download Submit
memory/452-382-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/456-377-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/728-232-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/752-393-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/916-190-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/928-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/948-155-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/996-77-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1156-387-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1184-127-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1336-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1500-49-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1500-39-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1528-88-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1544-211-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1620-434-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1620-113-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1628-169-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-106-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1636-297-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1656-99-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1988-347-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2288-337-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2412-247-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2420-357-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2432-417-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2444-257-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2476-451-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2564-252-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-92-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2672-322-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2868-267-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3104-134-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3192-34-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3192-24-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3300-372-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3336-272-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3472-457-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3488-312-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3500-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3500-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3568-399-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3652-332-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3656-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3664-287-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3672-474-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3732-197-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3784-307-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3848-242-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3860-277-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3860-162-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3976-352-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3996-27-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4064-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4068-367-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4104-262-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4180-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4216-120-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4308-362-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4320-317-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4412-282-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4448-405-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4452-237-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4488-302-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4496-176-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4496-428-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4500-225-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4564-411-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4600-218-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4668-342-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4700-141-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4788-445-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4864-183-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4896-463-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads