468e1008a981a6c87dc8f4e0fe590d25fdedc8d58969705e9d1268b0ea202221

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0755ebd4a69d914a100f1c13598dbb85_JaffaCakes118.vbs
Size

3KB
MD5

0755ebd4a69d914a100f1c13598dbb85
SHA1

1cc0e094b8293092517b8da35cc7f21b2588d869
SHA256

468e1008a981a6c87dc8f4e0fe590d25fdedc8d58969705e9d1268b0ea202221
SHA512

3f78224c147a301ea6c58eed74666fddbe4983a2e0d43791be7bbcf41ce55191487b1d60413ec548dffe3d4a8f7a132eb5e1b5a3352535017502daf182b4db19

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000000c38e376308168f7c144786f9b1afb00b4038e2c27a0d4920487dca6d76b2da3000000000e80000000020000200000003a9b556591e37655676a42e9563ed4913778ed149389663997fc539193bb2be590000000ae5edc5192b5949f8cd3bfcd9e2c2fde857163eb8120efcacc8fbc5cc252fe074079ea1e479bd2017940804e256ba1e1d547c5536317848c224034926ba7d606374ee67374c5cbaa2274b289fdc9e9d3dd66ee8bdba8e41730afd65024b9c93f01bc4a41e2362edb019b24b8896242987d3209567556abb3af31cfe0e34bc2734ec19d3cf0e2dc769a77d7a9b54115cc400000004327aba844cb74b9bc8e49fbdbab91551802dc668917684d5e9bf8a28528aeab88f968f77939641f2c327894185819a6f780fb975c5b232767f3de1fb2160a7e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425378049"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e474fb0cc6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{203D2E61-3200-11EF-8962-7678A7DAE141} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000e043e706943f96d3603e7a2711d40f9b37d226b0da2e55b36c73c502b16a5f8a000000000e80000000020000200000008744974562467a86006ffd5bd80e6625eb8a4c232fe47f27a4e06f937c4ee2c6200000006326ae987e9f48fc09297af9421ce3632d151955d7b91aa0d43db2476b5ba8b14000000083e1a70b4328181bd57fc074769c044f665c5dbcc23c48d4c85ab5ea0c519d378373af09a6b630e7cbc18b258ad4fa04fd036237d2c47b6d336ea5682fa9e3b5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{204DD801-3200-11EF-8962-7678A7DAE141} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Runs .reg file with regedit 1 IoCs

pid	Process
844	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2992	iexplore.exe
2724	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2992	iexplore.exe
2992	iexplore.exe
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
2724	iexplore.exe
2724	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
2992	iexplore.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
2364	IEXPLORE.EXE
2364	IEXPLORE.EXE
1248	IEXPLORE.EXE
1248	IEXPLORE.EXE
1248	IEXPLORE.EXE
1248	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2992	2756	WScript.exe	28
PID 2756 wrote to memory of 2992	2756	WScript.exe	28
PID 2756 wrote to memory of 2992	2756	WScript.exe	28
PID 2756 wrote to memory of 2312	2756	WScript.exe	29
PID 2756 wrote to memory of 2312	2756	WScript.exe	29
PID 2756 wrote to memory of 2312	2756	WScript.exe	29
PID 2756 wrote to memory of 2624	2756	WScript.exe	30
PID 2756 wrote to memory of 2624	2756	WScript.exe	30
PID 2756 wrote to memory of 2624	2756	WScript.exe	30
PID 2992 wrote to memory of 1656	2992	iexplore.exe	33
PID 2992 wrote to memory of 1656	2992	iexplore.exe	33
PID 2992 wrote to memory of 1656	2992	iexplore.exe	33
PID 2992 wrote to memory of 1656	2992	iexplore.exe	33
PID 2484 wrote to memory of 2724	2484	explorer.exe	34
PID 2484 wrote to memory of 2724	2484	explorer.exe	34
PID 2484 wrote to memory of 2724	2484	explorer.exe	34
PID 2724 wrote to memory of 2652	2724	iexplore.exe	35
PID 2724 wrote to memory of 2652	2724	iexplore.exe	35
PID 2724 wrote to memory of 2652	2724	iexplore.exe	35
PID 2724 wrote to memory of 2652	2724	iexplore.exe	35
PID 2756 wrote to memory of 2208	2756	WScript.exe	37
PID 2756 wrote to memory of 2208	2756	WScript.exe	37
PID 2756 wrote to memory of 2208	2756	WScript.exe	37
PID 2756 wrote to memory of 2824	2756	WScript.exe	38
PID 2756 wrote to memory of 2824	2756	WScript.exe	38
PID 2756 wrote to memory of 2824	2756	WScript.exe	38
PID 2756 wrote to memory of 1552	2756	WScript.exe	39
PID 2756 wrote to memory of 1552	2756	WScript.exe	39
PID 2756 wrote to memory of 1552	2756	WScript.exe	39
PID 2992 wrote to memory of 768	2992	iexplore.exe	40
PID 2992 wrote to memory of 768	2992	iexplore.exe	40
PID 2992 wrote to memory of 768	2992	iexplore.exe	40
PID 2992 wrote to memory of 768	2992	iexplore.exe	40
PID 2992 wrote to memory of 2364	2992	iexplore.exe	41
PID 2992 wrote to memory of 2364	2992	iexplore.exe	41
PID 2992 wrote to memory of 2364	2992	iexplore.exe	41
PID 2992 wrote to memory of 2364	2992	iexplore.exe	41
PID 2992 wrote to memory of 1248	2992	iexplore.exe	42
PID 2992 wrote to memory of 1248	2992	iexplore.exe	42
PID 2992 wrote to memory of 1248	2992	iexplore.exe	42
PID 2992 wrote to memory of 1248	2992	iexplore.exe	42
PID 2756 wrote to memory of 2808	2756	WScript.exe	44
PID 2756 wrote to memory of 2808	2756	WScript.exe	44
PID 2756 wrote to memory of 2808	2756	WScript.exe	44
PID 2756 wrote to memory of 1040	2756	WScript.exe	47
PID 2756 wrote to memory of 1040	2756	WScript.exe	47
PID 2756 wrote to memory of 1040	2756	WScript.exe	47
PID 2756 wrote to memory of 2544	2756	WScript.exe	51
PID 2756 wrote to memory of 2544	2756	WScript.exe	51
PID 2756 wrote to memory of 2544	2756	WScript.exe	51
PID 2756 wrote to memory of 844	2756	WScript.exe	54
PID 2756 wrote to memory of 844	2756	WScript.exe	54
PID 2756 wrote to memory of 844	2756	WScript.exe	54
PID 2756 wrote to memory of 440	2756	WScript.exe	56
PID 2756 wrote to memory of 440	2756	WScript.exe	56
PID 2756 wrote to memory of 440	2756	WScript.exe	56
PID 2756 wrote to memory of 1856	2756	WScript.exe	59
PID 2756 wrote to memory of 1856	2756	WScript.exe	59
PID 2756 wrote to memory of 1856	2756	WScript.exe	59
PID 2756 wrote to memory of 1524	2756	WScript.exe	61
PID 2756 wrote to memory of 1524	2756	WScript.exe	61
PID 2756 wrote to memory of 1524	2756	WScript.exe	61
PID 2756 wrote to memory of 2176	2756	WScript.exe	63
PID 2756 wrote to memory of 2176	2756	WScript.exe	63

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0755ebd4a69d914a100f1c13598dbb85_JaffaCakes118.vbs"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xsp5.info/index/index7.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1656
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:537609 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:768
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:472070 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2364
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:930820 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1248
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:2307086 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:900
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:1782825 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2200
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.xsp5.info/index7.htm
  2⤵
  PID:2312
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.qwxyx.com/?ta
  2⤵
  PID:2624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  PID:2208
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  PID:2824
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\xf.vbe
  2⤵
  PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\dek.vbe
  2⤵
  PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\hao.vbe
  2⤵
  PID:2544
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /s C:\Users\Admin\AppData\Local\Temp\ie.reg
  2⤵
  - Runs .reg file with regedit
  PID:844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\page.vbe
  2⤵
  PID:440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\tb.vbe
  2⤵
  PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\aa.exe
  2⤵
  PID:1524
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.19885.info/?ta
  2⤵
  PID:2176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\gua4397.exe
  2⤵
  PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\pi4397.exe
  2⤵
  PID:1552
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.baidu50.info/?ta
  2⤵
  PID:2316
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.voddy.info/dytj.html
  2⤵
  PID:1364
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" http://www.19858.info/?ta
  2⤵
  PID:944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qwxyx.com/?ta
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{203D2E61-3200-11EF-8962-7678A7DAE141}.dat

Filesize
5KB

MD5
175e5d34f337a2245d402f2111089ce0

SHA1
452b2741187fd4bfa1e20d3d3b7d29caadd2ff85

SHA256
78a25de41e607fa0d3beb76bcb1b0d3b6b00992987e740ba91c305d0b53c2f7c

SHA512
991e1a21124098c9bf9e46f5d063a049a47e829b23a09a8d165732999e109001a802eb4a444b41df5f6707569ea0705e9297bff34cf5bb53db44f98e3219a2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit