c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116

Analysis

max time kernel
141s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe
Size

3.3MB
MD5

376f28fb0aa650d6220a9d722cdb108d
SHA1

c7b4b97369a2ca77e916d5175d162dc2b823763b
SHA256

c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116
SHA512

12250e130625d863d9c4188ad85979724c1f25a2cda7e7162454002ec3b4322ce28ff9fa7c0b4db7933a860acd0e88fee63647d30f9f7a39c1f429172b8f6dff
SSDEEP

98304:npxgAPDbLLMdcWklXOFTsKVuVpwsSiqN5AcK:pxgA7I4ouf7l

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2604	_wrar51b2.exe
2236	wrar51b2.exe
2944	lnkproxy.exe
4064	crisvc.exe
4912	crisvc.exe

Loads dropped DLL 8 IoCs

pid	Process
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lnkproxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	crisvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\DNSAPI.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\koryo64.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\Cabinet.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\WINHTTP.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\UxTheme.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\WINSTA.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\koryo64.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\IPHLPAPI.DLL	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\apphelp.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\IPHLPAPI.DLL	crisvc.exe
File created	C:\Program Files\Internet Explorer\IPHLPAPI.DLL	crisvc.exe
File created	C:\Program Files\Windows Media Player\apphelp.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\MSIMG32.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\SAMLIB.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\apphelp.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\MSIMG32.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\apphelp.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\msi.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\OLEACC.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\WINHTTP.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\DNSAPI.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\MSIMG32.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\WINSTA.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\koryo64.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\DNSAPI.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\MSASN1.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\MSASN1.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\SAMLIB.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\NTDSAPI.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\IPHLPAPI.DLL	crisvc.exe
File created	C:\Program Files\Windows Media Player\MSASN1.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\NETAPI32.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SAMLIB.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Cabinet.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\MSASN1.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\SAMLIB.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\MSIMG32.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\WINSTA.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\W32TOPL.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\Cabinet.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\DNSAPI.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\NETAPI32.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\WINMM.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\NETAPI32.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\WINHTTP.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\WINSTA.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\MSASN1.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\SAMLIB.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\WINHTTP.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\MSIMG32.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\MSIMG32.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\AUTHZ.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\koryo64.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\WINHTTP.dll	crisvc.exe
File created	C:\Program Files\Windows Media Player\koryo64.dll	crisvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\IPHLPAPI.DLL	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\apphelp.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\Cabinet.dll	crisvc.exe
File created	C:\Program Files\Mozilla Firefox\NETAPI32.dll	crisvc.exe
File created	C:\Program Files\Google\Chrome\Application\DNSAPI.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\SAMLIB.dll	crisvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\SCECLI.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\Cabinet.dll	crisvc.exe
File created	C:\Program Files\Internet Explorer\NETAPI32.dll	crisvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114774"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01d525016c6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1341001455"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc370000000002000000000010660000000100002000000017208723a95a41bc6104fba3abcae2efa659c6ac4e174e78799dd1e3e98e99e9000000000e8000000002000020000000b65f07acf6786e19d594b37aa25933607fdc20e6fa207dffa89da084768e0c972000000095671054a4568c7c74e503d4879cd9527b2d2dbf076f4ce07ab8ad98070f140a40000000e472296de86c52338d57b8ad569c0b5a1de987d7645aae1b3d414491779c1d3a30d769ad82f6b55c82d2b4bc33c7de08f77450cc73293c669d09c319c4120591	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00634d5016c6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B6320A9-3209-11EF-90FA-F671300AD8E0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1339282694"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114774"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114774"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1341001455"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1339282694"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114774"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc37000000000200000000001066000000010000200000003253487f4d3699b22fc817333b5050e7bb313cf6ccb2c84264e55bd6cb361e24000000000e8000000002000020000000f74184a9f4061c8c19aa722ec85e4583ac347901a94e647c2d71360fc1db005b2000000027e24cb72218e05ee538ac5dbf28c6cf33ab12ae111fd4203f2213fc631917e1400000000fa525bf25dce1cd8c1b9dc65c17ebf2391848c61bc4ff0f6938bd3ce3d5016ec88604bf85ce40f485506e87e26675168fcc85b0bf63078dba3ca1ab489b54e0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425985152"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2944	lnkproxy.exe
2944	lnkproxy.exe
4064	crisvc.exe
4064	crisvc.exe
4912	crisvc.exe
4912	crisvc.exe
4912	crisvc.exe
4912	crisvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4912	crisvc.exe
Token: SeSecurityPrivilege	4912	crisvc.exe
Token: SeDebugPrivilege	4912	crisvc.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe
2304	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2236	wrar51b2.exe
2236	wrar51b2.exe
2304	iexplore.exe
2304	iexplore.exe
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2604	3048	c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe	91
PID 3048 wrote to memory of 2604	3048	c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe	91
PID 3048 wrote to memory of 2604	3048	c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe	91
PID 3048 wrote to memory of 2236	3048	c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe	92
PID 3048 wrote to memory of 2236	3048	c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe	92
PID 3048 wrote to memory of 2236	3048	c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe	92
PID 2604 wrote to memory of 2944	2604	_wrar51b2.exe	94
PID 2604 wrote to memory of 2944	2604	_wrar51b2.exe	94
PID 2604 wrote to memory of 2944	2604	_wrar51b2.exe	94
PID 2944 wrote to memory of 4064	2944	lnkproxy.exe	96
PID 2944 wrote to memory of 4064	2944	lnkproxy.exe	96
PID 2944 wrote to memory of 4064	2944	lnkproxy.exe	96
PID 4064 wrote to memory of 4912	4064	crisvc.exe	97
PID 4064 wrote to memory of 4912	4064	crisvc.exe	97
PID 4064 wrote to memory of 4912	4064	crisvc.exe	97
PID 4912 wrote to memory of 2304	4912	crisvc.exe	104
PID 4912 wrote to memory of 2304	4912	crisvc.exe	104
PID 2304 wrote to memory of 3532	2304	iexplore.exe	105
PID 2304 wrote to memory of 3532	2304	iexplore.exe	105
PID 2304 wrote to memory of 3532	2304	iexplore.exe	105

C:\Users\Admin\AppData\Local\Temp\c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe
"C:\Users\Admin\AppData\Local\Temp\c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\_wrar51b2.exe
  "C:\Users\Admin\AppData\Local\Temp\_wrar51b2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\Profile\lnkproxy.exe
    C:\Users\Admin\AppData\Local\Temp\\Profile\lnkproxy.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\ProgramData\Profile\crisvc.exe
      C:\ProgramData\Profile\crisvc.exe /Delete: "C:\Users\Admin\AppData\Local\Temp\Profile\lnkproxy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\ProgramData\Profile\crisvc.exe
        
        C:\ProgramData\Profile\crisvc.exe /{433a-bbaf439-12982d4a-9c27}
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" /M:{0FA12518-0120-0910-A43C-0DAA276D2EA4}
        6⤵
        Loads dropped DLL
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3532
- C:\Users\Admin\AppData\Local\Temp\wrar51b2.exe
  "C:\Users\Admin\AppData\Local\Temp\wrar51b2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\Cabinet.dll

Filesize
141KB

MD5
5616309ea6f509933e93a4c754f303f7

SHA1
737d2b82ecd9b55d380b0da23728fe394af89ad0

SHA256
c949fe6d64f787fc7ca7c78c51e9adf183a00f2e0b0898fddef931b1a0f882b8

SHA512
98016862ba4c1fa01df530d09523c5389d579091b4f71c33ac9a3100a7473d87795b922ce49d88b9b50da131d9d70d15913946353e2ab5de6dba3c6ad9330e05

Download Submit
C:\Program Files\Google\Chrome\Application\DNSAPI.dll

Filesize
796KB

MD5
ad8bc1f08be35a408a69ad6d2f9962b5

SHA1
cba2fc6f2f0fbec3fba6b419b1b3bd69122fbcfb

SHA256
249b27cfc39207d2033a6e195e34b5d99e5676fdcf85d7bcef44a32d4115002d

SHA512
46436c37d4a203ea4de6c82a8500a2254c70b896c63baf7da99df2690eacfebeb3792032c9f9555df1a5ca7cd8ef461a9c532ff787d68bdb2c943adbbf544e50

Download Submit
C:\Program Files\Google\Chrome\Application\IPHLPAPI.DLL

Filesize
222KB

MD5
a5f0ac8f1144fc31befd9cd8bf3b79f8

SHA1
38c370d1371a36042928abdbf142ea560817e1f3

SHA256
963494b6442e5e0ccc4b689ab3f46c4fe3cda29b547562b39a7f2ee184f70616

SHA512
03e4deff61551ab63d9f230051a444077ea8eb50f75d45bb08ac0dc1235871fa1a4c3fa28b298556889d0a91aa2ef2a6ccdbc98bdd0428f565daaf6ddb04d5d4

Download Submit
C:\Program Files\Google\Chrome\Application\MSASN1.dll

Filesize
61KB

MD5
febe8a3c7e365b3bd2a506f8d0688563

SHA1
a861f59d2ad1606cbb9e8639d3ce6f9bd94341fe

SHA256
d4262cb95253d1c43abc10a4d94b5dc33048bc5a81a339c84dc725891c6b65ba

SHA512
016f71c1926d1005cb423edb7464a4fefc8ec88727ab5f291696f0493c871e4e27e85b9f15a371567f7969062b38975437256fd52fbe35969115a803b70db82e

Download Submit
C:\Program Files\Google\Chrome\Application\MSIMG32.dll

Filesize
15KB

MD5
498e2a96b10720b886d5528b13c3758c

SHA1
cc0906a092b7d15afb2407d17bbc576f8eac8488

SHA256
8143b50b709e55d4c7961b01293ab8b7c0f08d4a2f0721c8b0e55bb1623ab61a

SHA512
a26710e1e27925550c5b67258fa88643a1e65ea0c0f4670643a5f9b065170535d3ea2a0c16efb72f6ca6f7c74dde3928774ce59319107ec4fece3c46c9ac1060

Download Submit
C:\Program Files\Google\Chrome\Application\NETAPI32.dll

Filesize
78KB

MD5
4160c4e8e7375fe73a3a830c0be0a2a2

SHA1
24ca308ac31685a7361b618fa087249fc4426165

SHA256
6ec2eebab62f622ff8f2821037d87e9e44c1e60ca22dd0b194185b2b09e64d24

SHA512
ab93d02856346932833a64a13ca7061ec89de8e863aa7c11e1373a07a824345be04a66678dbe4bfe7f8438507e4c62bb75bb251f3fcd03605ec54691c7041480

Download Submit
C:\Program Files\Google\Chrome\Application\SAMLIB.dll

Filesize
140KB

MD5
a8eb886b5d12dd0bb6651ee02ce61c61

SHA1
415cda36326d6c2d5679b836311bf24085f34941

SHA256
cdb7816671a3175ea8238afdae63fd4c05f56fbf83aeffbbb6e378ecf10b3502

SHA512
52b6c9b4953d4b034d410d6afc40f9bf158fef645925b92b072e271b53514776f19366eebc1e1642672325a459a685318abe0fffe397366aad2c9da243aefc42

Download Submit
C:\Program Files\Google\Chrome\Application\WINHTTP.dll

Filesize
1.0MB

MD5
81f5551df71ce19f7dde4517ecb0a0de

SHA1
4216a3e2c25b3cd00af0b2a1c98aee2f1348af64

SHA256
2de87e8b00fd007d597290b74a3f002f9f25dc6a882435a03d1c30c96fed0005

SHA512
72be21ca9be9381d08e68f48a7d4e481ae64db92e7be3912b6f3783fa3bc1a300a1c8db28447ee66c8f3e1361ce0803e84a70b3a189c613b26f55c567e726faf

Download Submit
C:\Program Files\Google\Chrome\Application\WINSTA.dll

Filesize
335KB

MD5
498d4b266e55f4b637fa82eae9283e8f

SHA1
e431bf8e9f470299e2651776c9620f68a477e5c5

SHA256
0bd3df5b9f78fb9ca8420e48ab9031ec9340c81d513d45edc98b366c0d0fd5d7

SHA512
edb8131daa7f5c750662b3e989e643f5b9d3d019450735f1e14b8bee52dd9164e7742bbd815fd300d9cba9e2de0aad55fe27436e99898b06be4331748f14c585

Download Submit
C:\Program Files\Google\Chrome\Application\koryo64.dll

Filesize
154KB

MD5
01629f392f67f2963e43c4306dd55a20

SHA1
091b657db981463ff5fca8cc4a077e131eb97b08

SHA256
c0ae392688e4942f5ce6a13c5afaf96f966061761f041bc51e3982c2d4f96eab

SHA512
b326b03a61e4d8c7a7b6476a97bfaadf44b820ced120c1ca6b111cd763f5d2a06b6e52ced1b309f35319ac150dbc332254df8aee3178d9b3d0c6ce4edc35cda4

Download Submit
C:\Program Files\Windows Media Player\apphelp.dll

Filesize
563KB

MD5
59f5be60e7ef395bd9b5bb14a1238c56

SHA1
212c84f902fa65be9e032e7a8aca2a4856e7ff24

SHA256
fc975128db302dcf2da2e3e618ae6adaa4f79875e81ff0e3e1865339b01c4738

SHA512
fbd5fe553f9226e4adc1a32addf32fe0f9e6dce46f552851d396a576ed0fe63a437ddc81978af61ea1a6bb81ceb73ede66353dab2499f91ffe9bc7821e6e190b

Download Submit
C:\ProgramData\Profile\diskdrv.dll

Filesize
8KB

MD5
2a0152bdc758e0a69de08d9da6862b57

SHA1
dbbc9f3891fa030fa91084f76abc9790f44f7e6c

SHA256
e20c93474d2161bd381a78b2189b256f7f52a060481850e79629448107421ebe

SHA512
b248a286a4fb0e4dc7cf3f6bfeee8822f153101da931913ad0fae585aec0699448e0e95ee62f795bee87a66dcd18d2cf65e0fed6b883f94334e57cade7eaa824

Download Submit
C:\ProgramData\Profile\displsys.dat

Filesize
227KB

MD5
eb3bbd46e33c02381c252c64e3ccf90f

SHA1
7ad1e677c17d12baec54b4cbde6f9970cf6bc1c5

SHA256
286e0b8fbf126dc1415df4f20b58c2d6c01906565ef5312b721ca268c5b0d300

SHA512
647de1a7c334e82652087e5cff3f45c4a191bfe56b3462d45bfaccffe3fcba4373707affd79bddcced8b3c02d6b78a3405328da12a380bb756a9ceb0b6973b73

Download Submit
C:\ProgramData\Profile\mssvt64.dll

Filesize
180KB

MD5
4b6d030664668224a88ca260354e5b4e

SHA1
89742f1c6a74193641b8f9a0a8db1bf403b5514c

SHA256
187fa0ec2e4f103a1fcc906b142d01226f2ccb67eb522086e9551fc47b270376

SHA512
dbce40ab6cd97e5fa9187b709979b1161037ca1f5bd2427573450be8c9681b502a4614295861daa7ec2101d1bee915713d085a9adb4b12e2c8c10de31671820c

Download Submit
C:\ProgramData\Profile\storage

Filesize
88KB

MD5
8aa1e123e4e83f77e87fa9bffb1e99b8

SHA1
0620ae9adde681cfb1541aa6d25fb581eabe93b0

SHA256
d3677fa2326ccae82086927242bc6f2bed80793e2d395991dc54a14ae1701bfa

SHA512
26c4f59332292fd3b6fbc3221878cc2a41d81bb8d6d7ae6637c460091c9b78d11431bf6cb4d0d29f3b29ed887b0e04069467b95d2a6d1c3afd9613395da997e4

Download Submit
C:\ProgramData\Profile\storage

Filesize
123KB

MD5
8c222407a51763c07b003f72040484cd

SHA1
df2b311888cd4032cf0613ebbdc017df27ce172f

SHA256
afd5ad0043cc77cd59539bb60fecf00506043baa36d5cc4155a0dc9891056542

SHA512
2f1e19c5219d28873664b7895f4b8087b91fb0a9006f63ffb71efa7885e9ca8ec05aef4fcd6d91c067f85204e1453ec7703ebbbbec7b5b4857df6ad31a6eff6c

Download Submit
C:\ProgramData\Profile\storage

Filesize
123KB

MD5
8555e59dec18d904b40c1657c44f3fc0

SHA1
da61af7c11f4d73e66562a0faf631788b1fe7943

SHA256
e9bbc65579f361277471e85374bd1989ee4db768de233557e58a3a68e0a7121e

SHA512
4e9e584a1aad1e02381d3752cc9f1d4d3db683f887d8df1d225d08a5d54dd41cab586431d6db5e4333aaaab7d6eab61705c3d52393519af4b1a379de6a575419

Download Submit
C:\ProgramData\Profile\storage

Filesize
11KB

MD5
095828110e7300888dc33c0c3589e268

SHA1
d779445eb046a8bc3ceb2f84b598f3084b28a6fd

SHA256
d2b20c7a4cb9efb21c070b04a3fa1cdd597a3c390c3d95eb8e9d6d6a9470f960

SHA512
80801cfcb868153131e81bafb820075a809ba3898778b4f68926bae395dc8d6d09ce5238fb62f3ae27d006e8ed0b04be7fbd5d1b147b4ec8429ebd8200b4efad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9342.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile\lnkproxy.exe

Filesize
4.4MB

MD5
1dcff300018c37a888fbe36f270f43a7

SHA1
944612a945a7af8565be2e56d7d418d557afee63

SHA256
4a05394ba0c156afa57dc4d44ee78829ee85a6d52f18c683b2f85d42a1e59f2c

SHA512
15ccc029861b20a4eaa0180122ae30d7740f86e5793b0590be0d32a67af58b98f25bebaaeac5f3cdd54cf61cf1642f220cd4631e530eade7c41bf4e84ded208c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNQF86A.tmp

Filesize
8KB

MD5
57ed9340a306942b02fd2a59c506179e

SHA1
0eb97430b493fe8cc678357cb434e8ff65dcb0dc

SHA256
a3ea39c6c5b6bd0f534ee554efdbcadda28dcab93e95b0a2b43aa4b81fb58532

SHA512
a61b5efcb4c6be660d6130bdc479b8622bd171d3f7ac7e40f72d72c88e03673af085ad4b1599ec3d48380790c79c0860872d32cb1ac186b4234ea972ae219ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wrar51b2.exe

Filesize
5.1MB

MD5
003a352551acb7f3342d614b891ad2f0

SHA1
ed0ead87954a3979b96776c5beb693a981d7df89

SHA256
5e28301f895689253d97a861d66dda643fcb3893ffa0c998c745f346776f6982

SHA512
e168fdf8596b73986fbb2bef4a271c3d7887fc5006cd65a992fad43286e2810afb5fbe584486ac4e9dd7355b78f7d1edaff135a49071c8e76bbc0154fc0992f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrar51b2.exe

Filesize
1.7MB

MD5
484a7971860abf0191cdfe6ad2d2800f

SHA1
ff3bdff6da09e62efe823185038dd9c123bae1ee

SHA256
4ef40ac52b17915654d763e5e46443445a50522a6c930b417015509f1c0a8212

SHA512
6657849a57a31baa0b845a0172edf20d88f2d4b77dd639563d412650cf297e0e98e39806271d63691b4a6388e81bb7b1432a645fec6904729289c1d2fc8ab01a

Download Submit