cb422915e7247289b832bc2f6bf34685bc61a041700fdc6982c5d9755aec5686

Analysis

max time kernel
145s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 00:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54fab8636833ff5b64f12616fb9b4e68.exe
Size

11KB
MD5

54fab8636833ff5b64f12616fb9b4e68
SHA1

70a1642903934a12b8dcf78e1172e426ad8673df
SHA256

cb422915e7247289b832bc2f6bf34685bc61a041700fdc6982c5d9755aec5686
SHA512

5de8a7c389c59daffe134867fa59972a493c1de2db9ca4f7234c14de486f7dbe72e05e92df7964f8963c5f7ca932da90bcf395c1520ff94e1f91231595f8554d
SSDEEP

96:edNoOrnck9oLuCdOLIvS+4W9R0OkoR+i9KpeUrYdFrvyb6gkUMTmx6aSUTr932SL:crn9oLuCdiIFO/bi2NUduB/6wR7n4id

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2212-29-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2212-30-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411180831"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B38E1C71-B0E0-11EE-B6E5-76D8C56D161B} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000c49678807cfe82e6cc5008536be1e116140836605a847f95e32d3c8f98fe2b40000000000e80000000020000200000000eb6a55cc30a7147db2123c4504db39c8f9ab269296a779fb37a52b4c52e123390000000373563bd7d416948fee68914bbbf66f9c26fd3c984b3357e2453df9fd29ab3961ecc15cde37f2cae092f11f6609d06262973667c3fbc5698628e061df8489bc74cb14c818f1ed910d202a7e4f6ebe1b171629bdacd9eabe3968f136fa64ff8a79c08be7d83ebddfec95850ce3a9222ad778d917f54bddc766badc445b05576cc29f45db5fb71e9139f2c4a80d6d54f8a40000000e285323a033d1c12de83fa7520465ba14ee44605e3bee303a7d785a2da3489e6f45fc88a0b8a4ccb563ae7979ae46699510be0dfbb0162256d38d45c60faac78	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B392DF31-B0E0-11EE-B6E5-76D8C56D161B} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301f3879ed44da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2840	IEXPLORE.EXE
2808	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2212	54fab8636833ff5b64f12616fb9b4e68.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
488	IEXPLORE.EXE
488	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2192	2212	54fab8636833ff5b64f12616fb9b4e68.exe	28
PID 2212 wrote to memory of 2192	2212	54fab8636833ff5b64f12616fb9b4e68.exe	28
PID 2212 wrote to memory of 2192	2212	54fab8636833ff5b64f12616fb9b4e68.exe	28
PID 2212 wrote to memory of 2192	2212	54fab8636833ff5b64f12616fb9b4e68.exe	28
PID 2192 wrote to memory of 2696	2192	IEXPLORE.EXE	32
PID 2192 wrote to memory of 2696	2192	IEXPLORE.EXE	32
PID 2192 wrote to memory of 2696	2192	IEXPLORE.EXE	32
PID 2192 wrote to memory of 2696	2192	IEXPLORE.EXE	32
PID 2212 wrote to memory of 2808	2212	54fab8636833ff5b64f12616fb9b4e68.exe	30
PID 2212 wrote to memory of 2808	2212	54fab8636833ff5b64f12616fb9b4e68.exe	30
PID 2212 wrote to memory of 2808	2212	54fab8636833ff5b64f12616fb9b4e68.exe	30
PID 2212 wrote to memory of 2808	2212	54fab8636833ff5b64f12616fb9b4e68.exe	30
PID 2212 wrote to memory of 2840	2212	54fab8636833ff5b64f12616fb9b4e68.exe	29
PID 2212 wrote to memory of 2840	2212	54fab8636833ff5b64f12616fb9b4e68.exe	29
PID 2212 wrote to memory of 2840	2212	54fab8636833ff5b64f12616fb9b4e68.exe	29
PID 2212 wrote to memory of 2840	2212	54fab8636833ff5b64f12616fb9b4e68.exe	29
PID 2212 wrote to memory of 2712	2212	54fab8636833ff5b64f12616fb9b4e68.exe	31
PID 2212 wrote to memory of 2712	2212	54fab8636833ff5b64f12616fb9b4e68.exe	31
PID 2212 wrote to memory of 2712	2212	54fab8636833ff5b64f12616fb9b4e68.exe	31
PID 2212 wrote to memory of 2712	2212	54fab8636833ff5b64f12616fb9b4e68.exe	31
PID 2212 wrote to memory of 2688	2212	54fab8636833ff5b64f12616fb9b4e68.exe	33
PID 2212 wrote to memory of 2688	2212	54fab8636833ff5b64f12616fb9b4e68.exe	33
PID 2212 wrote to memory of 2688	2212	54fab8636833ff5b64f12616fb9b4e68.exe	33
PID 2212 wrote to memory of 2688	2212	54fab8636833ff5b64f12616fb9b4e68.exe	33
PID 2212 wrote to memory of 2136	2212	54fab8636833ff5b64f12616fb9b4e68.exe	34
PID 2212 wrote to memory of 2136	2212	54fab8636833ff5b64f12616fb9b4e68.exe	34
PID 2212 wrote to memory of 2136	2212	54fab8636833ff5b64f12616fb9b4e68.exe	34
PID 2212 wrote to memory of 2136	2212	54fab8636833ff5b64f12616fb9b4e68.exe	34
PID 2192 wrote to memory of 2316	2192	IEXPLORE.EXE	35
PID 2192 wrote to memory of 2316	2192	IEXPLORE.EXE	35
PID 2192 wrote to memory of 2316	2192	IEXPLORE.EXE	35
PID 2192 wrote to memory of 2316	2192	IEXPLORE.EXE	35
PID 2192 wrote to memory of 2728	2192	IEXPLORE.EXE	36
PID 2192 wrote to memory of 2728	2192	IEXPLORE.EXE	36
PID 2192 wrote to memory of 2728	2192	IEXPLORE.EXE	36
PID 2192 wrote to memory of 2728	2192	IEXPLORE.EXE	36
PID 2808 wrote to memory of 820	2808	IEXPLORE.EXE	38
PID 2808 wrote to memory of 820	2808	IEXPLORE.EXE	38
PID 2808 wrote to memory of 820	2808	IEXPLORE.EXE	38
PID 2808 wrote to memory of 820	2808	IEXPLORE.EXE	38
PID 2840 wrote to memory of 488	2840	IEXPLORE.EXE	37
PID 2840 wrote to memory of 488	2840	IEXPLORE.EXE	37
PID 2840 wrote to memory of 488	2840	IEXPLORE.EXE	37
PID 2840 wrote to memory of 488	2840	IEXPLORE.EXE	37
PID 2192 wrote to memory of 1036	2192	IEXPLORE.EXE	42
PID 2192 wrote to memory of 1036	2192	IEXPLORE.EXE	42
PID 2192 wrote to memory of 1036	2192	IEXPLORE.EXE	42
PID 2192 wrote to memory of 1036	2192	IEXPLORE.EXE	42

C:\Users\Admin\AppData\Local\Temp\54fab8636833ff5b64f12616fb9b4e68.exe
"C:\Users\Admin\AppData\Local\Temp\54fab8636833ff5b64f12616fb9b4e68.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.xtdvod.cn/tj/suying.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:603141 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:734209 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:3683341 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1036
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.mywzzj.cn
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:488
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.xtdvod.cn
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:820
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fscegs.cn
  2⤵
  PID:2712
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.xhzero.cn
  2⤵
  PID:2688
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.114nav.cn
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e29201ce20b9ebb0cfe641805fa44105

SHA1
fa23ac0d43fcf5518c4edefbd67f3a18f26aad1f

SHA256
b6cea001ed2db75adb2887d8f8fde12f0cc3261c0d7cccc95bdc45f9957d7102

SHA512
843a4f2723362cc7fd9020a76275d0809d316391e620873c454adb17847ee1da27c052040943a3bd4429c5ae03693b1a27561c70c9bd408e39b1fcb18f07c5f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10bb941242b8ae638b5a94e82c2d1d33

SHA1
eee358644ea698321772e6c86c2463d6be52ef74

SHA256
7089b8c196dbc4d56674e2cdd3a3fa0090814e54c0291c855f67760b2ad2e735

SHA512
b045586d76737d0bd62ab1d4efcfc152a56527065cc4b2ef671ebc73e8b741e9ee619419b97f0ff0343342c8ea409e8ef64b6fe2650db28b840efd6c4a6c73d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d5d67d3045e0d4d0d8386a9e815b264

SHA1
44180b7add78509cfc8531ac779fc06e4df8573b

SHA256
d6be803186ade5fc82c4d4948854df103719d833d1aa18f4ded20fe2a81e5ce9

SHA512
b0f79ca72dab89a7e465be18e08399a812299bbb109737525b436e8b6a8203af868f751669244d89d651cf9ff9943df8202196bb12440b13bebcd601e97c3808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbc53729bfe64ad0e41b66a27b4cc4ed

SHA1
ab3c9280b575b11918312ead636933c0e68a52fb

SHA256
560b62318a7275183c6c7ec067306fc9062b95f132707c38a7cb9b688ba1d205

SHA512
666c0f58bac93f557ba075a8fbcb9fe65adae599f2f6eb8e78dfe88c61eb75ac076455f360448955ecc24df12fd64ca14897e480d41e0cf1d19118a29fe173a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0b48603d674862ff3d0149c11264d6c

SHA1
4058710581b238ef1bc1a16b9603d2eb979d98e2

SHA256
bc476851668d33fca7c72f6a31c29b82e0b8a0d619507b5a94b30a66ec61abec

SHA512
5e7ad4311311ef18c9c6b55cde910bc2f4e59108efaeea695a386de8de9b77a9526199b0bdc49eab0d9c600fdd89d8165cc6789ed5f3135ee3a120f663d26f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ac6f5eaf8651924f5e5e78b68b3bbbc

SHA1
87a351688232ae45db7f3e56034d7f834c6bd331

SHA256
787cb968397b21be18b272009bb937fe41c569f88d56c30a486aff9563054c67

SHA512
46128d3383bbbeffcd5eab72cf416693434284e68e59ad0d5da2da37c0ac360296b260c0118eb7b95a11bb83068aba89def1e528308da0642f54e7cd86d14c74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95c1d8e74895b4b33f3affa07a1e0fff

SHA1
4e8f9bcb8fc45b725a5e354dadaff05918e574cc

SHA256
281b14932bac26ea937e0afa14f5108067aa5882e4856de47dcc2672c1d7fa7e

SHA512
27c2b6f894993f8be9accf7c78dfbabf2d708dc7b5f43301fb58857375825eb8a41ef285c79b6176226ebc93ccdecc7708769faffd8bf74c76d968dd830dd99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b364c32aa878046dc493a4496a5b1630

SHA1
8a7147997e78e8341c8d2e17dc97e2fbcc0e5e9b

SHA256
2a5dabe9a06d56750682c0f19f48a82cc94bec7e39810bc432fdf3ed7b682561

SHA512
91e3fb19ad0aa51115e843fe85acbe7327d939f902b3482b9998b17221773e0ef5962a160b206f44a7db1d0493f2850e0f41bbd9e985aacb8bb2c1faaba27d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
deda94bd86f69f93803398a81724328e

SHA1
ed75f371b62ccef565067b9b61103d616a634fff

SHA256
f418117e08be75a96eaca533a9015f216d0b2240e8088db8ca44e817f09675d4

SHA512
d8c54f5713ffddfeaa4cad53af46d49c2810f3b82fda3fc232f4e093e646183eedd208d51bd6cd4f9c60f1ae645a01dcd47dfc8faac57ca15a056d28dac37fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B38E1C71-B0E0-11EE-B6E5-76D8C56D161B}.dat

Filesize
4KB

MD5
31d51b011a9add2f28bd8fb36caf5cfb

SHA1
cad0c13c6c536bf2a78e20a238a2042a959efd49

SHA256
994009709b6bc9c4eaf7e116b1194182aba4661ae312ce09dd34dd1de3854614

SHA512
4a73670be621aa38b08108a6687e6e4cb3fb0702c5f763c189b34a7b71f38ba905862603e4ba28d0bbda3697c59bdb129fe66f7153353116917f366e0e9555e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B392DF31-B0E0-11EE-B6E5-76D8C56D161B}.dat

Filesize
5KB

MD5
98d3d2ddaf47d3c1520780dcc2c5e509

SHA1
91a2cee1316f4d295668e653df049dbef2faeada

SHA256
62b24d5dc26474e3935cbc6a9ce4a3b82a33c9c2a7d9690b062083d6c77ec70e

SHA512
7a232507bd53cc71a145e757af53e00d72d20df660e161cd146dccfe5ec35704fd02de3818cc234404eff24952ee582ba4ecb1ca71b1c3df2e164a7142f2e35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1CCB52I\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1CCB52I\httpErrorPagesScripts[3]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1J1BPYJ\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1J1BPYJ\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CC4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D44.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2212-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2212-29-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2212-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download