9a6ec9081422906eadc14c6af5bf477b73907aa414298fb29d48301219bdea63

Analysis

max time kernel
145s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3898bc3b380d511d011bbd063cbb7d8b.exe
Size

100KB
MD5

3898bc3b380d511d011bbd063cbb7d8b
SHA1

298f583af688e996b1145b0aae74e9c1da016a6b
SHA256

9a6ec9081422906eadc14c6af5bf477b73907aa414298fb29d48301219bdea63
SHA512

b76adaef89edd2579197f7ad39b991909c7eb60ecc7df81a5d7dea384bf3bff38c11f50fe1af4a19cd0ef5f411804b99662b706f2d0ff7d1654fa335cd61dbbf
SSDEEP

3072:M/FaHCJaCs/kqFHmrExaRGNpo2TXaDmQs:TLFGMgmXaDmz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2824	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2600	Program Files1DK6E3.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	3898bc3b380d511d011bbd063cbb7d8b.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	3898bc3b380d511d011bbd063cbb7d8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000003e6b57d68668d01a3a1a85e46be1f2c918dd4b8f6d8f0d18de757c38c9cec936000000000e80000000020000200000003f6a625632a37dd7405b71051718aa39ed7d73271058068c9c388ee85ebc303220000000ba0ff79c575ffbba2256d3a76a56b9b303465bdc4fd24f245e2f2a09dca804e94000000063a107c7273160b301301c864fb9030970d19617d8ef1da6f6e017b50cad689a2211c3d003be7fea4050a0bde3ef4a6dc28225c2eb954008bf79902411afdb8b	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07b4cf3333ada01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C0F9271-A627-11EE-AE81-EAAD54D9E991} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000005bb09b1fa4ad54f487c6359895deb86688594be27adff12e8acdf77a04f045f6000000000e80000000020000200000006fdf88c5615ce695ea94729d62d83bf0a93cb549ce8e8746d26afe6dc7ebdffd90000000161a128e01f4abcb76c6f1e986d3b8e7abe75b72e24d3b788f4b0c61387e36dcd6781feb6628e14823bcdb53f4b8b931280d244f31cfc98fe08b63be48c34b045af7f0814f938fafd634a9322dca390fc5ac42c2e343463221232c3a545f920df756b57834883a3d67c918d255f8fd8b65db555e44ebfb1876beca9e916d9f4e46bd801685dd326ed0f61d670209a2f240000000b9e6cdee40b5f79789224211bde43e9e6a7a4e558ba21d33064fe98ce2cc9a86c166813a75a8e82ebd623c7bd9bade6587f337af228a79ec3888591b5fb466d4	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410001613"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.35yes.com/?1121"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1121"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1121"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1121"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1121"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1121"	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	3898bc3b380d511d011bbd063cbb7d8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	3898bc3b380d511d011bbd063cbb7d8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	3898bc3b380d511d011bbd063cbb7d8b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2444	3898bc3b380d511d011bbd063cbb7d8b.exe
2600	Program Files1DK6E3.exe
2784	IEXPLORE.exe
2784	IEXPLORE.exe
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2600	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	28
PID 2444 wrote to memory of 2600	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	28
PID 2444 wrote to memory of 2600	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	28
PID 2444 wrote to memory of 2600	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	28
PID 2600 wrote to memory of 2784	2600	Program Files1DK6E3.exe	30
PID 2600 wrote to memory of 2784	2600	Program Files1DK6E3.exe	30
PID 2600 wrote to memory of 2784	2600	Program Files1DK6E3.exe	30
PID 2600 wrote to memory of 2784	2600	Program Files1DK6E3.exe	30
PID 2784 wrote to memory of 2936	2784	IEXPLORE.exe	32
PID 2784 wrote to memory of 2936	2784	IEXPLORE.exe	32
PID 2784 wrote to memory of 2936	2784	IEXPLORE.exe	32
PID 2784 wrote to memory of 2936	2784	IEXPLORE.exe	32
PID 2444 wrote to memory of 2824	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	34
PID 2444 wrote to memory of 2824	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	34
PID 2444 wrote to memory of 2824	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	34
PID 2444 wrote to memory of 2824	2444	3898bc3b380d511d011bbd063cbb7d8b.exe	34

C:\Users\Admin\AppData\Local\Temp\3898bc3b380d511d011bbd063cbb7d8b.exe
"C:\Users\Admin\AppData\Local\Temp\3898bc3b380d511d011bbd063cbb7d8b.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- \??\c:\Program Files1DK6E3.exe
  "c:\Program Files1DK6E3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2936
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files1DK6E3.exe

Filesize
9KB

MD5
6c87525f77b75430c2f29ec122a59794

SHA1
a3baa9f36afaf1c35ebfe60ce72f59e26d89ab06

SHA256
41ff96e6cc1044c53ea2f998f86373db931f8e5b890969e4ca17d3fac656f70b

SHA512
8be83db0b093166c5d0ba35e1398534065b5b67b0735961e895a4144b07e7e42f2faf8f08fd143cb64ab4356ca818de28984c31d6c1c39b60465c118b80989e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f7cfc76e77b357a2941e4f2d7cc7370

SHA1
d45c18b34a72cb055bdab04642c7d3e8fe3d412e

SHA256
58beb15bdec612cbd0158c372a4b59c5ac0b0ad99c1a947b2e9f16ee46339ced

SHA512
003248f764316e99edf2d4b3c697db5cc688bd85abd7c7a4e9f1ba9b2f9edfe4069e872dcb2dfad465c22282e23b96282c03f0cfdb7b150a44e700390dd6aff6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8e17d1cac7ce0d2eefef21bae859420

SHA1
c558ddcd12ad46d2d874b50a5dbd153aeb8d8a5a

SHA256
8ff47a95fb16a2f8daf2555e39dfa583eca493bfef9c56283da2533de7d14608

SHA512
c597765cb178a3d6c07e9240e3b06861110095e5b89b7b2fed4dcd3e577f4135f9088940527c46a7c452a8b94ca573423ba53ba6fcf60a83e2206e4cbf1a314b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a334981b7ceab334784ce38cb9a8c1a4

SHA1
5e8c285008dcd57b947ad9f69260efa3231788e3

SHA256
21982297575c600372a02461716e08296fb1101f718dcb16524050755c9375bf

SHA512
c6f18ec0f6f342674cc31f216e86048e5b28d723e9e00f451e18aeac161f21723744db42e9d8618131b7bc07d99415d2b9c523caf19f6478b82e14cb0db25a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b8d68717aa99ed97d39ba177f0fbd6d

SHA1
ed6b89699322d24c5832e41c8053dc3baa6369e2

SHA256
fcd3c26ed4a34806048659faa80a58be1bc7fdf13741b00f211528d8e1848c8a

SHA512
174205cb138bc699cb50462aa17de6dab01ea5fa57ce9b5d3089a8cacfcb03911af5f6e3313bebed03311e926642dd73d747732726d414beeaccc2e17071bf85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f956b73f6d4bb215c5998f9db56c05a

SHA1
a58c175ffb84df23252e9ef215b4dee28e4b20df

SHA256
1be3ba0f24fe25a84c68674c64ef7f75768ede7159a9a91dc43cbd3db8d7bf8e

SHA512
e7ca6ec01ad3d485ee95a70d213f2f21765d7dfff7af778f48f18d893e69599e841c685ab4ad1157dbef87cd5c9f7df213705fd196b89c6c8f18fbb939c62039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20488f52a0b09519739bb4329668f807

SHA1
361c822cc4359a7f85e0b0872ca2b21e7493e6c7

SHA256
2f9a5dbe6840a651ac6e5339b97b77a952e9bbae41302f7924239ee96e9c1973

SHA512
a08fc552e59d31ad26dba718b3450c45f5b6a3010309801ea7e382e54d9881dda2539373e5a0a6cc685ae990b3200256b12aeaf6413a33422d250343c1b59fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
683766ce8ec35f3d73fcd793e6aa26e6

SHA1
a88387443776abbc454ae48b582250ead376605a

SHA256
6b29c3d115f74b03da5226e87419acc89a4841be49419943f69011d92ef79acc

SHA512
25d22d56b33e91b5a1c9578607a83ba6bf68d0e37e6a7ba6c287f8fdbf580951c41d5d6a7c050328fd27b29ddcc8c6ae47a13875702d2777ef470860c22eeb28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9e3b556ee590778758c5ad761ae2fbd

SHA1
e92f11a2c7408f2859491c91efc466170f4126ee

SHA256
be31d5241e5cdf0036dcee38d1b9fb60c0c0339a816a1a247317eac541768e21

SHA512
ba3356bbf7e9d7fbcf292b940872516afd426404bdb16994ddf262af31cbb1695ab5cb31bac96533d453ef2d5fe5a502d05ba41bd14677c075462bc56d99f8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53fc62eb6a20b09cbb9a3b4dc3590872

SHA1
12c96ac08b5cf682ed99e8de217b83a5417a54a6

SHA256
6e07e18ac19ffe5b24f25d1ed9b6460d0651b8362497d967c20dc57ddb887794

SHA512
ceb27bed7b30de1cd12e2ee2a95610847b30bbe36718f7ef57435417f96fa57e3301c8ce131dfe8b0578c02a45c64315b0b0fec3679a4dd8321aee9bcdf85ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55DF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56AE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
422B

MD5
dba6e57fd9edcd5cc6629c26e87f44f2

SHA1
ea03fb0388857b5cdce63970c4c62b43742f1c9a

SHA256
454da991a8e777bb9f46373713bb9c03c19fdb4de949997839cd714d3602d48e

SHA512
93688c26d88062ac72cd3611c410fa52cb4c3ce89ef40b367839834956305e49fe22fec441c18f7240c7754150d407e22b8f0764a423ae9474d469f337aaaf70

Download Submit
memory/2600-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download