7372e309c258d598f9d9e63ebcaf9fa06667ab99a0015e646d8be7211d19e614

Analysis

max time kernel
146s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47a1dc9695e83466bdedf6d90be08f30.dll
Size

203KB
MD5

47a1dc9695e83466bdedf6d90be08f30
SHA1

89f566c6bb12ed7981338841cd1cd66b2a23449a
SHA256

7372e309c258d598f9d9e63ebcaf9fa06667ab99a0015e646d8be7211d19e614
SHA512

8a6d757d8b1a6ed3268e395135a9062a844a672a3d157bcc922ae09d84bceeb6f444ef3ee2e43927e99578e803625798b4e6288b4164e847b7d91b5f10b6a1f2
SSDEEP

3072:kljMHnFkcm2I1C/+pLPRQSr5xBJiYMpbe+eOv5d8uKU0MoutR:HHFkTW+NdXBebe+eOv5d8uZoS

Score

8^/10

evasion upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-1-0x0000000000210000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2936-0-0x0000000000210000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2516-11-0x0000000001F00000-0x0000000001F65000-memory.dmp	upx
behavioral1/memory/2916-15-0x00000000003A0000-0x0000000000405000-memory.dmp	upx

Modifies Internet Explorer Protected Mode 1 TTPs 15 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	notepad.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503fbdef0541da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000000d9180bbd4e6933edbc7a7ad4b6cbe5fe41a41e0bc89a4701e186ed1f4ae9271000000000e8000000002000020000000bc96516183fd7bbda68eff9baa67378f0f99000f6aaeb5b2f1fa0979d26db7bf9000000095f1b36bb08014956526737242182e1b52d00e28abbaf4c448bb3366065612a5412873f84f04b750234e606b64972418a7a8848ca999811d79c28a97f334a4d421ee073cafe9377dca8025790a2fefe185fcf7b839f2154591013f67c0f925f17174b3eec6f360164547c1475fda3196f8a182b991f5ea2149eb7bc76e5c7070aae441de0457776f7d2b0e35e3d60f7a400000002258737a341d383a5b8602ce6c33fd755271bb9265de922ae40dd131ec92faec1616290fab17e501f5ebc437f17c3ce35008ba374e4a6c7c89180966390610d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{021C6EA1-ACF9-11EE-BB35-72D103486AAB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000b7318256fecbf42297075dd9272df5ac03d9e53346d3ebb67e5ce394105699e9000000000e800000000200002000000084546ddc1e136b999c11a902f64855b026b04f8b91dfdec285bbadc7b5c9707120000000dfbe7e2e28ed6d37f5a518b24b4abd4883f6db857ea2a16577bc4827cc3468ec400000006995dac3ddfbf1328eb8370c45792c9fd17a73fe917ad9c708893047615f2fc2cb5d7dad489db7b595132f0ad45d9fe4f486de09763d9a5b39f98ad48de1bdcb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410751467"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	rundll32.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2916	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2936	rundll32.exe
2936	rundll32.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe
2516	notepad.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2640	ctfmon.exe
2640	ctfmon.exe
2640	ctfmon.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2824	iexplore.exe
2824	iexplore.exe
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2940 wrote to memory of 2936	2940	rundll32.exe	14
PID 2936 wrote to memory of 2952	2936	rundll32.exe	15
PID 2936 wrote to memory of 2952	2936	rundll32.exe	15
PID 2936 wrote to memory of 2952	2936	rundll32.exe	15
PID 2936 wrote to memory of 2952	2936	rundll32.exe	15
PID 2936 wrote to memory of 2516	2936	rundll32.exe	18
PID 2936 wrote to memory of 2516	2936	rundll32.exe	18
PID 2936 wrote to memory of 2516	2936	rundll32.exe	18
PID 2936 wrote to memory of 2516	2936	rundll32.exe	18
PID 2948 wrote to memory of 2640	2948	explorer.exe	17
PID 2948 wrote to memory of 2640	2948	explorer.exe	17
PID 2948 wrote to memory of 2640	2948	explorer.exe	17
PID 2936 wrote to memory of 2516	2936	rundll32.exe	18
PID 2824 wrote to memory of 2484	2824	iexplore.exe	33
PID 2824 wrote to memory of 2484	2824	iexplore.exe	33
PID 2824 wrote to memory of 2484	2824	iexplore.exe	33
PID 2824 wrote to memory of 2484	2824	iexplore.exe	33
PID 2936 wrote to memory of 2916	2936	rundll32.exe	36
PID 2936 wrote to memory of 2916	2936	rundll32.exe	36
PID 2936 wrote to memory of 2916	2936	rundll32.exe	36
PID 2936 wrote to memory of 2916	2936	rundll32.exe	36
PID 2936 wrote to memory of 2916	2936	rundll32.exe	36
PID 2936 wrote to memory of 2824	2936	rundll32.exe	32

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47a1dc9695e83466bdedf6d90be08f30.dll,#1
1⤵
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\ctfmon.exe
  ctfmon.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2640

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47a1dc9695e83466bdedf6d90be08f30.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
be7989bf69be0137aa8a312565d81c7c

SHA1
de0804d254e1eedb330a8dc95469327e3c7c03b1

SHA256
d95d97280ac6fc560203371b6ae5e0c7f6a4dd7809338879fa04ac3907c3ebe0

SHA512
9099c30c3860af604a76827e246e11c07024f82594fab5de7d19295b41c9aee92086ea92e8034e9d76e6f1d6f410e7a339c5d2d4c3cb17436285bbd7d9c8f15c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9a242eebdf02a64a4089d94993a3f13

SHA1
02d499c94fe4195099915d097b0aa3291a8ead09

SHA256
64991e628bb9a13ac6dfdaa2de0640b744acc554be8a7070aeaceee43488f962

SHA512
57184d2353b1d6ea4f2fc37e9eef8aca63485a3e341b3efd13eebb6048890b3f0158f75fba112fc0725cd42de4e0f2f0b5959e648829821dd02b4361106995ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3418f25eee6cfb928af488b400264d72

SHA1
5abc8d79428da13370b8126103d0e039a7f33fb3

SHA256
7d599effbfd0a3067a9c7e6fdc8e3b53dd79b66f6de4c9464d3cc8465a3d1a1c

SHA512
e6f90349b1dfbbc49eb0769cd2d73df0e09dd6531f793a62538e0f20e218147e2c4138088591909a5debb97b60353d2efae937dd269aaba80f8ea6a173723fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a660d4ae405706a0f781e7934acabe3

SHA1
3b63610c70e2ea2a2c3a6b1449d3a5a920f03229

SHA256
87dec356fe184b092559b7accc5be95d664e64fc2b601fbc731b47d56e574479

SHA512
23285321f922c04aade51706b42cd4b01f2f6cf89e48c5cb80b2f8bebf73dc531b2c4af35823dde12fee308b3e99d96d48f3f145be1653bea9524ce419679f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e9dc294e95d3ce2e6f021c822ec9895

SHA1
1efa33da3fd8825fd8700a1f9820401777436e69

SHA256
78a4003eda1b84d6a00311910fdcd1e00edde99a4e0c32ced3ece57c3c9bf2cd

SHA512
624da8a3a77200bb29f05b0a40b194f25b3a2c931092fafad1de9306b06392f1ba7bce68c549e1b436ba25831e9a2ec3ecfb6092705026f9d3633d886e6d4701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
68e643dfba146dc532506779f7dd7ea2

SHA1
959700467dd9a003de68e5bf76ab4ba90b38d1b7

SHA256
d8da9e0768feed0a12fe3d3b70ec62fdd059baa82f996433d6aee2fa9927b207

SHA512
259d8ee81aae4ce5e9ca60686231dfc6846575a0a18f2af5079851bfde0880836969dd4c94f418c0c38c2c50ef53642bcca32ce32c6df54e13ad836d43333bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDCAF.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2516-17-0x0000000001F00000-0x0000000001F65000-memory.dmp

Filesize
404KB

Download
memory/2516-12-0x0000000001F00000-0x0000000001F65000-memory.dmp

Filesize
404KB

Download
memory/2516-9-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2516-11-0x0000000001F00000-0x0000000001F65000-memory.dmp

Filesize
404KB

Download
memory/2516-13-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/2916-18-0x00000000003A0000-0x0000000000405000-memory.dmp

Filesize
404KB

Download
memory/2916-15-0x00000000003A0000-0x0000000000405000-memory.dmp

Filesize
404KB

Download
memory/2916-16-0x00000000003A0000-0x0000000000405000-memory.dmp

Filesize
404KB

Download
memory/2936-4-0x0000000000210000-0x0000000000275000-memory.dmp

Filesize
404KB

Download
memory/2936-1-0x0000000000210000-0x0000000000275000-memory.dmp

Filesize
404KB

Download
memory/2936-0-0x0000000000210000-0x0000000000275000-memory.dmp

Filesize
404KB

Download
memory/2936-2-0x0000000000210000-0x0000000000275000-memory.dmp

Filesize
404KB

Download
memory/2936-3-0x0000000000210000-0x0000000000275000-memory.dmp

Filesize
404KB

Download
memory/2936-5-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2948-19-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/2948-8-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/2948-7-0x0000000003B10000-0x0000000003B20000-memory.dmp

Filesize
64KB

Download