c50232cb8b5ff331b785c1c04cfdbaaaa7aafe5423e1b8edf06be16457628add

Analysis

max time kernel
135s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c68dd9ae84fd6ca45f518a486750cbad.exe
Size

124KB
MD5

c68dd9ae84fd6ca45f518a486750cbad
SHA1

70dc3b5d9afe737fb130a4b938cb08efacb1b6ff
SHA256

c50232cb8b5ff331b785c1c04cfdbaaaa7aafe5423e1b8edf06be16457628add
SHA512

7f8755e9627402797852da538b6cfa8233703fcabf4be831e2cee5c9a833ea99eaefb629d5d2bdc14d7da121caca98d67482a67a2560e1509dd60f29e47dd35e
SSDEEP

3072:9tt1+f8ko7Oh6tnhj7TezuSOhsF4OBT1g2Db8Wk:9/1eVhI/TeqsFnfBD4Wk

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0033000000014b18-7.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2916	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000014b18-7.dat	upx
behavioral1/memory/2848-9-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2916-8-0x0000000010000000-0x0000000010067000-memory.dmp	upx
behavioral1/memory/2848-0-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{161B953B-95F9-4af3-B071-D5FF5EA132EF}	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hl.dat	c68dd9ae84fd6ca45f518a486750cbad.exe
File created	C:\Windows\SysWOW64\scerpt.dll	c68dd9ae84fd6ca45f518a486750cbad.exe
File created	C:\Windows\SysWOW64\mshpc.dll	c68dd9ae84fd6ca45f518a486750cbad.exe
File created	C:\Windows\SysWOW64\mp7arc.dat	c68dd9ae84fd6ca45f518a486750cbad.exe
File created	C:\Windows\SysWOW64\mrcmgr.exe	c68dd9ae84fd6ca45f518a486750cbad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DAD41A41-E165-11EE-8AAC-6EAD7206CC74} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416515676"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ = "IE Microsoft extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\ = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ = "IApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ = "_IAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\VersionIndependentProgID\ = "MSApp.BhoApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CurVer\ = "MSApp.BhoApp.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ = "_IAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\CLSID\ = "{161B953B-95F9-4af3-B071-D5FF5EA132EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\TypeLib\ = "{2D51E439-3AE8-4bf7-8FB2-45F768554DEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ProgID\ = "MSApp.BhoApp.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CLSID\ = "{161B953B-95F9-4af3-B071-D5FF5EA132EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\ = "IE Microsoft extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib\ = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32\ = "C:\\Windows\\SysWow64\\mshpc.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ = "IApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mshpc.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib\ = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\ = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\ = "IE Microsoft extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\ = "MSHpc 2.0 Lib"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2540	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2540	iexplore.exe
2540	iexplore.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2916	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	28
PID 2848 wrote to memory of 2540	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	29
PID 2848 wrote to memory of 2540	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	29
PID 2848 wrote to memory of 2540	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	29
PID 2848 wrote to memory of 2540	2848	c68dd9ae84fd6ca45f518a486750cbad.exe	29
PID 2540 wrote to memory of 2396	2540	iexplore.exe	30
PID 2540 wrote to memory of 2396	2540	iexplore.exe	30
PID 2540 wrote to memory of 2396	2540	iexplore.exe	30
PID 2540 wrote to memory of 2396	2540	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\c68dd9ae84fd6ca45f518a486750cbad.exe
"C:\Users\Admin\AppData\Local\Temp\c68dd9ae84fd6ca45f518a486750cbad.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\\mshpc.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2916
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1003874bbe50f431832ce52942d3903f

SHA1
ba7f9060371aef591d9daa00741b17d18b89015a

SHA256
19dc962bf95c15d4a88396108296e224fafc1275b72c6e29c8047c95be025c26

SHA512
248f50a73ac422da67b3b1fd990a390b273cf1186afb5b436671995b5c7d8328ad416ceaac4c821c75a587eadc79a8c53033038584a648f9a865f138301537fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
099b9cb8dc3b7fabf8d246fc15422db9

SHA1
439232704015119ad5c59fd83ae120bf8ad522a7

SHA256
047c99cd7053240f2ce53d6c9bf4db96b1485191e291877c6899d723e0ab81d4

SHA512
b5be75d0c6badb8abd4070d383e9f0a0babe78ce33df8166ffe7031dc79fa1648a2959fbd38718ac47df1368dd09fd2808f89992a83a25e155cd31c891f23279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65ddb0ffe269dc28191d43d3777af706

SHA1
67bd50a760e6ae103b0dd771cd84453cea0767ed

SHA256
2775f9ba979ae3aa819fd230109c6dc91dba1a90f8536c6e8f21b53aa0ec7093

SHA512
bcf1e3dd8307d54c807d80ef4492a1096549061cdab3e4918cc60e68a1412fccbe331c0c3638261203bc59856dacab3dcda60f168bf06efcdb6430afc9979a39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee7ef01cee974f27e112b5095c44dea9

SHA1
5b8f17f1a9acc353e484642745eb2f797b882c82

SHA256
25d278f041699592132326b186d3d532c16c8e032a16eae6d0ed52dae995bf16

SHA512
bd036a7914957e4255b7e0186cc8477259f04db19e53f90eca5986b6a8b2fb33af650b02c05f93c187da0add9ca7692b248dffa94692a37e0a42bcc976a4171c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e284de776ae5e63848dca5d884aa2623

SHA1
91af1120da2b73b3b63ea9f0cd5cb7f7f419cc53

SHA256
976984e125c3614d0172f7a68dd58ec4fe623e3792148250284a77f13ee8f050

SHA512
9bfe8eb262b771aae99a9e3c88135e5422113f1546b41dd1cbe0f85df5175e36d0618d8a7955607c468374a99040e9fb553871344c42adf1105096c0c3b8e55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d75bcf8a073a5314e3215e588ef4105e

SHA1
5ae842557a2121472ec10fac60d21a3c4f5c8f1e

SHA256
0053db35447a60089d20368c942cffc0b854592c3e8ebf9fc9754d14536ca178

SHA512
624147ed7b6ecf8d38c55f614a30bf460d556f288711b35c5de42e7aa49ebc260f60b9839da6980a7ed52418ef1b0d30115dcce6c065552efd578f5f99ea3560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a01ca2319f79a3ee37146e6fd8d3c297

SHA1
2e83b2069a90b537e77e0900f3662cbc2eef8c12

SHA256
45a0b0812b98611516baf1ead15024ba064257bca82f8aad72ad85536a1f1cb7

SHA512
9bc9a6f8022b1594fe19462419334a39fe87c862e041ab96dbfefb613fc93ccafc963a9dfc47eb1beaf546514efc494ac38b3b174f30234294f35e2def68ff9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0483bef5feea5703870fcc0af8ce061

SHA1
948f0696305053fb660e9ef5cfc8d7bcf2e5e02f

SHA256
e75504ca394e9a1c451559b3d0f12ab5ec4fff397c4f51955e3a2b4cd07d1bc6

SHA512
dcf040381c4012df1c6fd8076d08a639b82fad86d1b3a5bf98635a9d21f457214069df2e33fd3ddc2b0211c495994549c432702b62af89c2b723e7440a40a98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25bf4c1c081e6736f3f0d57c6c433f7f

SHA1
3973f3082b0bffa921f152500bb680df686d4e85

SHA256
c5e85ddce16cde8985f06981466d4a130716ec389fa511cb36be573ab6b7b05a

SHA512
7dc782fbfa603754c6874fab222e4388a3534af1c662d4c756c06d665601e9fa09e6d2f96d3a0050d1bec6cedad73ce1bdf397b4b727939b9d689216e38a9266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18f59b1bcbd56172c8040a54ab3caf81

SHA1
c9c1b7ad7d497269892a9cc0c5e550f86930ee67

SHA256
969524b88be45b651deb8d04e360195a70cd285536f52d3dac6f62bee3462841

SHA512
c468feeea97eb70634a9b6a6419fe384adc6958b2da4a1de33e6da3b59f4687583b96e6c356f1c475f9b52ee2dda65c3a60d2ff250b8dafa5e3ab3592fcab6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6442d1122a05beb0d35f50cd474e0d9

SHA1
16c1c9c227f69863a7aec043252cb664ae94f8f4

SHA256
1d52934c5956f8af8d805cd4189daa55c79aa4aef2f8fff5ef9e7ffa065b274d

SHA512
4ee6e3b5c8d6dbb4bd0740c29c020fe2bab9fe31c8b1fbf71960290a997ce607ba3e5cfa2a4e36c206844c07881603c46046e19bff9a6a00b67ef11cc83946e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2081ae04ae61324caceb21680ddc0590

SHA1
33ef173f646ae1fa715f80fc430a9b789bfec912

SHA256
01412a9d454f70217f26d43bdd2978ea66be70b205b1f09ea89b60cf1dac7390

SHA512
48ac9b25fa332aa8b0d08800ae4c8b18c1e3f1fea7fa158726f1e6723433fcd3509e559e54c59e232c477c13282be49df7b022f1ba35b6c65cb3d212376649a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2dc1ced8e6aaf893bc64f91a83bb02a

SHA1
d6cb1db9bc30592e1763bb919cfe771dcea98d9a

SHA256
8062f5e8e5e8bce129f61beb781dd35ef9ac8d5a948933975256ea0d12758ff7

SHA512
c7fa9fc606778fa02ecb7f25289a803c8308c48b2d806e1ae84c449220059f048e54a60afc54a0d23f452c91879ca85ddde1826912c06993c80ca38e1af007ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f640c98b46687a238112f1af09e6314

SHA1
f48b8f46e8e389bf78589123f3f0df6509588778

SHA256
6ea5717125d79211247149057de485c9b8f146051827fdc64795af4083413a98

SHA512
154e6afcdb6e997f624b0bf4d4428a339faf6428994fd0416925d5e97488e2dc41a954a30747bd81618406a9b9205534e4d7444339c3769b7fe889511f995f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3363.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39A1.tmp

Filesize
23KB

MD5
39eab1e2e6f53a970f4acd169dd5f1a8

SHA1
29033fc4187cfd51a73c3536cdfa47944770e500

SHA256
c430eb39a9720da2692ec0b42674972239dba559eaf0d723b86f1af9a19d478a

SHA512
1e1f9b39209c744528bb3570629bdd78775ad08cd68cb152a532b3e8b777cefdc237122392009c5abb113e679d00e16c5e808ff825043b1d35d3de36a65503c7

Download Submit
\Windows\SysWOW64\mshpc.dll

Filesize
40KB

MD5
be8c9af3fbe4aa28d9db48ebdb40537a

SHA1
1d491d70aeeeb2fc8953e6bf1501418940112902

SHA256
403cee7d604db23c64060e7d7541a3f4e0b184a52baea7df16d5543d85860a64

SHA512
41f6c0e73d8c0b0ae477a659e1cbc2b1230dd240931c667e3d1dd26365605222bc22a2305fed2a42e40b326f34f7fc81312836d9623b1c6bf39aa93c2a65048e

Download Submit
memory/2848-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-8-0x0000000010000000-0x0000000010067000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads