8965f3fb424cac8ec9bfd132a2750a54a2bbaaebc3ff4c671bf4f54b0a89c379

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 10:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb3035c6833d8833edbd1d7ea214a9fb.exe
Size

188KB
MD5

cb3035c6833d8833edbd1d7ea214a9fb
SHA1

5cb8bfb22bb91ad13b0247b0ff8dc82780e71bf2
SHA256

8965f3fb424cac8ec9bfd132a2750a54a2bbaaebc3ff4c671bf4f54b0a89c379
SHA512

4819de8a2af77ca86c864f51ad6144aba68477c428090644b9c286303f7f0dc31119e0d8ee92ca378cbe0318565a1a11fc3603e35d7f83be94a90777b2322051
SSDEEP

3072:Z/FDc0Cbdss/q+RxKd9u1Wb/4/8uL6suQ14Zvop4lhdPupdoK0QCcLq2XrDmQJ:fc4+RId9ui/4UuOjQuomhupdoK0QCcLP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1924	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2536	Program FilesB03P1G.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	cb3035c6833d8833edbd1d7ea214a9fb.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	cb3035c6833d8833edbd1d7ea214a9fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a9eeb7c476da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFFF38D1-E2B7-11EE-8547-E6D98B7EB028} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000009d62bdd20806c842edaf700d39507e21033b7f7d8caa94766e8e962858ec3901000000000e8000000002000020000000a1128f397719a06c3cd4ad3023090c87a09259ffb3b2ee9fa54c717bca42eec8200000008834156074782a7b9c8cea7f8c5c77dc5943c043b1967f6779699319857091d640000000cb8d3dbcd7ffe7b7599f987ec242bdb764600e8249462f659e9f115e55eae2863c2289992e3cdc4691824cd4c21f5bb8d8e610a8edcbddb507dd8d71d1b76ea0	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000009881362f62f1460fd02606681b6c47e434673e891c3afee3ba94140f28656b11000000000e8000000002000020000000b9f56ac03de17e907885c78f6e0d20d59c59e0287671f013538231599483d3fd90000000778059100e575f4aad905e979c91f48820514c30ed33a8f0ed99600cb111ab8e3291acb0232d4c2c4712e9d1ba06e1a249f0157c76c340db815c6ca234ac76feba45547906f14c2fb0a3b64066435a7cd70218f42198a6112ca4cbabd36e4ea0ebaf07701d62070e921a88a4fe9d53e29d5b67b14a89ba9a763956f844a1e49255d99df4c0934faf38192b706fe2eb9d400000000ff7b889cf5566d89c4dfb61c8cfe7818b67f90ede439c52f3d021e76762cfa38d2670585537fbf981718c13e46dab7aafd150db845ed29cbc7921502e90008b	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416660856"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	cb3035c6833d8833edbd1d7ea214a9fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	cb3035c6833d8833edbd1d7ea214a9fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	cb3035c6833d8833edbd1d7ea214a9fb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1992	cb3035c6833d8833edbd1d7ea214a9fb.exe
2536	Program FilesB03P1G.exe
2672	IEXPLORE.exe
2672	IEXPLORE.exe
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2536	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	28
PID 1992 wrote to memory of 2536	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	28
PID 1992 wrote to memory of 2536	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	28
PID 1992 wrote to memory of 2536	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	28
PID 2536 wrote to memory of 2672	2536	Program FilesB03P1G.exe	30
PID 2536 wrote to memory of 2672	2536	Program FilesB03P1G.exe	30
PID 2536 wrote to memory of 2672	2536	Program FilesB03P1G.exe	30
PID 2536 wrote to memory of 2672	2536	Program FilesB03P1G.exe	30
PID 2672 wrote to memory of 2508	2672	IEXPLORE.exe	32
PID 2672 wrote to memory of 2508	2672	IEXPLORE.exe	32
PID 2672 wrote to memory of 2508	2672	IEXPLORE.exe	32
PID 2672 wrote to memory of 2508	2672	IEXPLORE.exe	32
PID 1992 wrote to memory of 1924	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	34
PID 1992 wrote to memory of 1924	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	34
PID 1992 wrote to memory of 1924	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	34
PID 1992 wrote to memory of 1924	1992	cb3035c6833d8833edbd1d7ea214a9fb.exe	34

C:\Users\Admin\AppData\Local\Temp\cb3035c6833d8833edbd1d7ea214a9fb.exe
"C:\Users\Admin\AppData\Local\Temp\cb3035c6833d8833edbd1d7ea214a9fb.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- \??\c:\Program FilesB03P1G.exe
  "c:\Program FilesB03P1G.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2508
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesB03P1G.exe

Filesize
36KB

MD5
e7cc274ebd542a756a8e9843b3e70763

SHA1
642809f48da44a7a48236fe612971ecef02f59a5

SHA256
dbd0fa64171e120dbc76ca6b3491e105861b50353feb9c3eb267df8e0034f438

SHA512
e5e04aa9d8b5c05174de15198bd6df390075dca19e95cd381e4741c5e2261e9420722184417da1d9635b123f900b4e62c17afa076e5a821b5f1fd6057d549dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cdb76cb36c2cfd904011e700945c006

SHA1
cd4f570c01b929753f2569514ea57cf9d7afb87f

SHA256
61e65b0b0e41ce0f2ce0af4477ff76de4eeedcc435339ca36df31700100bd291

SHA512
5ea715c3627e34d478c667b6b5a3fe9a90a86eaed52f81007bbc3ee571de50f835672ec7e3416fb8eb74aab1768fc77b524e4d2249625bf85f7df413ee8930ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da35dab60017ff53c0c20aae175ece48

SHA1
8554a3c581ed3e2998f026a554d556d11b6d6823

SHA256
5f196357683e896a266fd3d21644ec7d94ecd48d0973dd8b502deb643adf79f2

SHA512
c947d6f30aa80c0f84d87e993e9421a917efa0d439de57c1cc7e74e7e84581253411ecb2c3609f15a61ef784a143564150442ceee94b509378c1d88b63786935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a00cecf0c43292f76bee5df3769cdb9

SHA1
b2ea1af488e089dad00a9c49f9c4dbe09760bb4c

SHA256
796feb770639d6c5a060170bab02f7f72e82f02a8e6cbe4152db4dbcbdcadcea

SHA512
642332ec4d6c7a208de5855b5718933ec7c66aa1f8aa025659c4ad225ec30da58bb304822c479624425152f661439ff894f55e1b8d508dfedddb528a280ba9ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dccff7a42413eb6c27423a21316803e4

SHA1
ec039a9213a885ebde0669c246baab2dd7500023

SHA256
0508408d7618793b214e52415ff47d538c84a57bbe7009bbba6ca109c789e0c3

SHA512
b849f5d8727ca374e1f9c555415090a3ac6a5573c8e09a3a566a14c640e8f336f5167f174e2134c52451e22ff9a2e750e2b6023869498707d43f027787b10382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68ad0ec2495e08a7131fc52c0e970e14

SHA1
450bb73ab78f9aeacee704af6ff7b755ef6281b9

SHA256
939f874e91e4e0ef045f57a805b864e89c88689f95a67d986da672b0594dd1ca

SHA512
0cb48821077098fb49abe046c4b5baa9288d6d0c650645319b1d6d39766f5786c7dc36048e6d60a439ccb9208d240f7a9b04fa1093b8d9c2f39665f6b7e7b0a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb2f6e41b30eefe49e0acab22634226f

SHA1
b1f7dfba214107e538b66591262d051a3ee96c2d

SHA256
f5abed7edf68735eaae8c1d4c46707b972bf80791326b3dd60f0336aec2db5ad

SHA512
e8ee6f2f3b655dd4f242337953d0e780f53eda03e2b270eecaad8efc24788b9ddf69c55be384bed58583ad583d795391c4a3aee8ec27ee8d2a51d8abc83733b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9127263a4615bf8d9b5b3596b60303b7

SHA1
48b24429cea4664c0ad19c3332cb36d736292f68

SHA256
d21366a3dfedc1d1fd9c65e45bc300713d52c2d4cc9c339aec702e1497d1714a

SHA512
3a3bc283bc75bb9fca7bfa8aa4dffd466f90c987ab35b91a6c9226fcfeb42795109524b88e03c84d53a609a07f12936b7aa350e3e14e9882829d8787e88f874f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d46de0ef9d48a5c4c50b32be0e5b694c

SHA1
2999a757fea21be97e909e21875537d6866f295b

SHA256
3c688b3559b09773b473f6357a1b89bfa98c87fd3991a777c31b36b493ea8b49

SHA512
3466972d044d14579c5bac0f002c9ae85ac3e091c442bad10ca62ff306ca56f5620be50211b0f493a435a68d393bb0308ea93d0b4521442f538875d84c8efad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8cf646c05253aa94fe9bbda0ddd513a

SHA1
8f4f0ccff9281abe43d6472104caeb8b0ba74b3a

SHA256
0933f2062d094f7259f8524087a5cbdf1efe6641400d800f4f9787fe98872dac

SHA512
607e47cf6004ec3d425aed7f6fe6b9c1bbf7f4e59f9d4a3832d39b78a298c46026b2bc06da9697bdf289b125a3e55258bda2a6c2ec2ed228a672d1443f8d38c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9e4068cf7137a7428e66c106d97bc65

SHA1
7da58f3862d644eb4ebe9326cd8e869f1462c930

SHA256
8c1b2b34519a82df3f86ffc677eb66b839b93fdc66221767c98135cf918d6e2d

SHA512
caeeff4d761630c058c2adc61c1ed5376c47f7052affa4c0b09aa28f4ddb2d2d20e16136492b8104c5b3d01ea6188073fb61daf3741c0c5fea75bb5f6a7a18ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5fb62abd723d83d239fa6f7de3f1579c

SHA1
39c5eb7561a2524aafd33a69484a5a33423dfdce

SHA256
9621b93dd021701a46d20bfc4a3de873281ef13a2d2b6f33e93ca3e71b1c748d

SHA512
a1418e8ed1c89919d56439f871508726dc054e30339d5174ae4311cef81ae666f3dc64fa2a60911971f14102b2afa394a86c23744645e61ab477e28f1329cfda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
045077a442a5beeef3faff601e5e0726

SHA1
4b63c5aa95ef47c6ce906c727b581a3b08860d66

SHA256
f642b962c65c2333bc70adeb32c18bdec25d758aa7409978e6cb66a9af47450b

SHA512
54c5613bebd7968a82248757674ad924c1efe43e44f166af0b5d0964d99558629934531c7782bbf1bf9fe4c4ea780b1eed258b2ecafd22e711450975b4bf3a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e36f811f7e49fa874e3f845fba8d1a62

SHA1
2a4fa85af29b6dcdcbccc3f4c5fd552b370b7def

SHA256
787b89834fed19ba8d9992e63347c015e52d5b6f0223465c6f905f88ce19c677

SHA512
5666ed9b5ea5769ef3db106837acc42626bcd8b3ac5f2312f76b66db5714eaa91beefd165279dd936cd89fda224080aa98e309bada0b1efe5f529c7be07eaf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5DAD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5F0B.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
422B

MD5
0e5f82f5b39ea5e81e7ed3b802aa0552

SHA1
daa763e0c69b9e83e7120afca6ea49b5d65a7943

SHA256
9b0f4adb5a64bb0382a1cf61f0304cb378fc0db9e8f04035c0cd83d10550aabb

SHA512
1d6fe14fe542b58aaa4b42bcac563b39d0d74cce2d0fe43094f505a3cd5531a7d1bf92eb229da2d4f8b4530e8b99b576c3bd28d243cea3e30388a387f6a7f263

Download Submit