f3e50a9655e56058c63e0a403297c7edbef3e85e82b55758407a8033c72c4c93

Analysis

max time kernel
115s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 07:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68a0b0d4db32db7b27d9a37b46f270e0N.exe
Size

3.8MB
MD5

68a0b0d4db32db7b27d9a37b46f270e0
SHA1

377d7e0e7c840d58bb020ca57f9dde83e3bab3c6
SHA256

f3e50a9655e56058c63e0a403297c7edbef3e85e82b55758407a8033c72c4c93
SHA512

fcf45553d1948deeaf56c777fddbc0a3a95dd4ec583d536cd8a0d8f7b2e5ab658717e7e9ae002357658e56a67f66746d998287d956553b1802adb78764b8340f
SSDEEP

49152:cwVJ/qUQ5F5EexZD63Wb5wSSnebipRCoBRI17fMt6v77/lClNiuHL1jGgJ6OLCSI:3/257I6GnaipRT/md77AlDL1XsO8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1796	wmpscfgs.exe
2892	wmpscfgs.exe
1764	wmpscfgs.exe
1984	wmpscfgs.exe

Loads dropped DLL 10 IoCs

pid	Process
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	68a0b0d4db32db7b27d9a37b46f270e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
1796	wmpscfgs.exe
1796	wmpscfgs.exe
2892	wmpscfgs.exe
1796	wmpscfgs.exe
1984	wmpscfgs.exe
1764	wmpscfgs.exe
2892	wmpscfgs.exe
1796	wmpscfgs.exe
2892	wmpscfgs.exe
1796	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\259456214.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File created	C:\Program Files (x86)\259458039.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	1764	WerFault.exe	36

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f05f5da9d9da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9775B0B1-459C-11EF-A39A-6AF53BBB81F8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000de7805c8418f08e43aae1cba6bfa74a9219580ec16cc97e33e4ef906aef6f4a4000000000e80000000020000200000006a51c8528fe4a03d885e63e684514178e7ec340f64bd421ac74755ed95f47b179000000015ecc1e2ee8058234043567f5b5045342adfd531546ec585d3e2dafeb1122e7560ca0a8aa5c194f86083b27952a22edfdb1830b60beaa52a9b161a7f4a08e2161a2718c98324f5290436bba43f17368b83855f1a92bfa68a3e27203eb99d423084ef969bfb9c3fadfd0bf88c05a02589329c956dca656afcdbf755c4295356fd745a77207e6e3fe2e90773c2d727864c400000007abb6f9816cfedc4c55de9a2fc3bc0e886dbc4dd166f60182c7b752a0f4bf8f36b16a3e2672b6ecd4645f06de042a0cd036d26bc8cd59f29b3839fe98fe2e5e4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427534301"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000008fb5de0a5e40ccb4577ce12faa48fdd4b4e4e63bcf2cacace0f75f578c8d66e000000000e8000000002000020000000e833ef5362554cb162290b16dddb74442f8f63766b1aa1aa3036292937a0b8e02000000042c02c427649e276e079b3e2cd8796080b8e7957b351fffff593ebeac34300ff4000000005849406885094d0251caa1d6927739e9bff16f86c2d5fce829e663654461b26f76e2a1bc4ad5d7745239fb618aaa4ecefb32da6dc9d158b9ec143edc22d363b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
2892	wmpscfgs.exe
2892	wmpscfgs.exe
1796	wmpscfgs.exe
1796	wmpscfgs.exe
1984	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
Token: SeDebugPrivilege	2892	wmpscfgs.exe
Token: SeDebugPrivilege	1796	wmpscfgs.exe
Token: SeDebugPrivilege	1984	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2620	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe
2892	wmpscfgs.exe
1796	wmpscfgs.exe
2620	iexplore.exe
2620	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
1984	wmpscfgs.exe
1764	wmpscfgs.exe
2620	iexplore.exe
2620	iexplore.exe
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
2620	iexplore.exe
2620	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
2620	iexplore.exe
2620	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1796	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	30
PID 3008 wrote to memory of 1796	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	30
PID 3008 wrote to memory of 1796	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	30
PID 3008 wrote to memory of 1796	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	30
PID 3008 wrote to memory of 2892	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	31
PID 3008 wrote to memory of 2892	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	31
PID 3008 wrote to memory of 2892	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	31
PID 3008 wrote to memory of 2892	3008	68a0b0d4db32db7b27d9a37b46f270e0N.exe	31
PID 2620 wrote to memory of 3048	2620	iexplore.exe	34
PID 2620 wrote to memory of 3048	2620	iexplore.exe	34
PID 2620 wrote to memory of 3048	2620	iexplore.exe	34
PID 2620 wrote to memory of 3048	2620	iexplore.exe	34
PID 2892 wrote to memory of 1984	2892	wmpscfgs.exe	35
PID 2892 wrote to memory of 1984	2892	wmpscfgs.exe	35
PID 2892 wrote to memory of 1984	2892	wmpscfgs.exe	35
PID 2892 wrote to memory of 1984	2892	wmpscfgs.exe	35
PID 2892 wrote to memory of 1764	2892	wmpscfgs.exe	36
PID 2892 wrote to memory of 1764	2892	wmpscfgs.exe	36
PID 2892 wrote to memory of 1764	2892	wmpscfgs.exe	36
PID 2892 wrote to memory of 1764	2892	wmpscfgs.exe	36
PID 2620 wrote to memory of 1680	2620	iexplore.exe	37
PID 2620 wrote to memory of 1680	2620	iexplore.exe	37
PID 2620 wrote to memory of 1680	2620	iexplore.exe	37
PID 2620 wrote to memory of 1680	2620	iexplore.exe	37
PID 1764 wrote to memory of 1892	1764	wmpscfgs.exe	38
PID 1764 wrote to memory of 1892	1764	wmpscfgs.exe	38
PID 1764 wrote to memory of 1892	1764	wmpscfgs.exe	38
PID 1764 wrote to memory of 1892	1764	wmpscfgs.exe	38
PID 2620 wrote to memory of 1536	2620	iexplore.exe	40
PID 2620 wrote to memory of 1536	2620	iexplore.exe	40
PID 2620 wrote to memory of 1536	2620	iexplore.exe	40
PID 2620 wrote to memory of 1536	2620	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\68a0b0d4db32db7b27d9a37b46f270e0N.exe
"C:\Users\Admin\AppData\Local\Temp\68a0b0d4db32db7b27d9a37b46f270e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1984
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 168
      4⤵
      Loads dropped DLL
      Program crash
      PID:1892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:472069 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:1061928 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
1ba1ff0f74181f362a55f0b5a2eda36e

SHA1
fa29e8f540f8ef34cc206b022f480fd32331c0aa

SHA256
a06ea1d507de569e1f70a13945690c91eee60482870e336583da67f4b36c1a21

SHA512
050bca2042b553a2190b92aa42f0f9a1638f4984030c5dc4785531836e56e97820374d059bce53aa79c751d1a618daccfa5ac2997950948ee2a4a42daebe4f0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
acd31864bd7555826b1e5b87ede30be5

SHA1
dfb3c0cb6fd2f2b7e79e5d72521d482c49e0c800

SHA256
095f0d8b4f90f7d7207cc7e94f2a517cc8a99c712815049906cf4d83d7f7c0bb

SHA512
fec8b707ab6d1d50e092607d89c281b8b8b9bdca2fa99054d102fb87cc657d8406b411a997c0968170eae36902a6998f4df3917f1477206cc66ac9059d2e734a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b4cb8a80950a50a49b33fb93ee53db

SHA1
185fe0db6e6d56e165b147ce2c967531b1fb9654

SHA256
9d9baf98a86955ea79dd86c3c1196feb494422bfa05b2fb0219cf0e6df3b6f9e

SHA512
7b895e772851b88501214eb24588cebb201dcd6db97eddeba80e16129775ab4a84a3d74eae6ba0e2452fa6fe917b32e036ab19c2c11ae7192d04ee7de23ff0ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5f8214b8335ae2a80872b2a218088e0

SHA1
46d321ed4c8588f447c77eef5049efd7e80f1222

SHA256
96ac309545e9144b2823a0f1b1c7d5a32515ff55823a3b0b6ed26a26269840fb

SHA512
eac26ec307e813e1b3b66b17b093ad3d8db6efdaaa4e143489467bd622b8fbf32f09a25677a4a107dd03bf28c2ec1a540670130630ebbe941c5b50c6df2d3e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dbcd7b828ed0679de8b89f17526fcec

SHA1
ac9291eb87c0665927b676d873f9e0131a20a2f3

SHA256
0d6f375b3d828fb350351ca6835471efb2a7919c09300b2157c353b38d2b70f9

SHA512
6e49908469686b6bdf71c8b7b13505c21ad760be71150645546841ecaeb2c1621bb13b3150ccbb1d6e8522c81710c4403d52ee3c40eaeea443b1e2d27a9bbb89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f9300f8ae732add1dcede13bfaa6dad

SHA1
ca501f8d102420a23317091917e82adb6bf6c125

SHA256
b3a579538c758c1fde91aabab6f53494dc1abc7438514dd67197e3d84d369990

SHA512
5d1538f48a0a4c1e661e105b4a65189582a6856ade042cff3e209be844fc755f39fd8234b2182db7e972acfdb1cc9b752e7c32a1d10088980b5957d386ae5c12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78080153f50be207436bcaf4d4bb21e2

SHA1
0ad93333c03f792ee05026a0e3512e3817ae8739

SHA256
a336360f09a559acfd55cc87f4d937d0ebd4f7701147ced7d2182512b743c6f6

SHA512
37b44356e36d8a87e6ec10ac5a18b9099c80702645171aa84c2e2b77e0a5a20fa6077728f0c1b7c68c1d8401100d81f70f83a67025e1bdfcabddaae4d6e76507

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fbac996c4ff78b9f9c3ffc5a69dbdc3

SHA1
a491e97bf8b045846a27f6fe3cbf868b816563d5

SHA256
6bf0d60131e45b975c88def453adbade6d73d193c72c60cb3abd1b6ec50ecc97

SHA512
41004dc42fbafcbeb8cf5f7fc479b62d31cfb8237881c36475a45e603ce583bf4cfefa365d83edddf9a5c7508d0d4545172430a1ee11a9bc8a2a2706ff011183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9d4d358f2c0a6738ee431cda4750896

SHA1
ca0a0fecfc19bc3af8f6d87b9db0d862c4ef3b52

SHA256
7a25364384374703cf53b8d3b87b78fdbd796e645d872835bccc5b961cfbe47c

SHA512
50ab1d5e10977dc19df9dda1c2b004c41699df70268be40fc95bb7daa22b8ffba507c5f00afbec1b0b83b6e08fca6be33f3e8bd5be82e3adf2c51ba54a0c099c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
442b6c11901800051089321312beff12

SHA1
d6bb7787c95227d941239bb9c8970b2138993a6f

SHA256
7ba388273dcaa83cb747887632073d4f1309ac468c228ec798dd6d04d5472586

SHA512
5ae9985836ff13225e0e45f338d6b90d71a6763012b20b5a6bf376b8a9ff73b22e6f48df079229493a8e4aa8a5a76fc99ccd7ea85dfc5c224a1fad05d317f55a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fbe0327ee2366ace9c13efe8bc13919

SHA1
4b4748899c2e453917d82e362c49a7d204b919ce

SHA256
993865601833529d95750416c5f27682ba7a023ab8842e62c2694b05cc85e446

SHA512
d5a392175b23112351493ecd8447fb936712c5a14f6802168d13d146e1d1de8e09366e784061697b284ecd9b8e78dc53bc67919374a8c42fb324ba2e1dc30364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
10ae76238d775544993e422bef3fed5d

SHA1
3c084c4ac5fa916668375583603a9c097ce80333

SHA256
ceff511869bd5fa71a3cd5b3344a83185a946e76d619ec67b06eb6ba01935a54

SHA512
95e03e726e336418896ab7e1543d96914d2de1668af69b615496f64b7c77a5b40ed5772e46510ebb4333349d5fda9a1886dbfe085d52fd99b2013061481e04e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\recaptcha__en[1].js

Filesize
533KB

MD5
93e3f7248853ea26232278a54613f93c

SHA1
16100c397972a415bfcfce1a470acad68c173375

SHA256
0ec782544506a0aea967ea044659c633e1ee735b79e5172cb263797cc5cefe3a

SHA512
26aca30de753823a247916a9418aa8bce24059d80ec35af6e1a08a6e931dcf3119e326ec7239a1f8f83439979f39460b1f74c1a6d448e2f0702e91f5ad081df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab19C8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.8MB

MD5
b9e94e243f77106eff0c61528d724c8e

SHA1
6d82d37aa82ba193b971213a9cdb5bb53fb83d8e

SHA256
0edb7a1ab6c45360f18af6f099e65609790a265dd47c32c32408ab5c0fa41602

SHA512
1dbf38c2a73744a1c50cfb342cde26980a3c8e0e64db101a15f0d59772e830f225e4f6bb63ec95056711df4ea53d7bf1852402a7f8fa00b4d2d1ce9e50c03200

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2X6MV0AA.txt

Filesize
3KB

MD5
b508cbe77918e1043f8653a9284c325d

SHA1
4d75d88de915001d682b2591792501740a5cd170

SHA256
536fa3ccbad0b4d0bed322906c1f27bef4c2db7d1dd0df624f2798342fbf9926

SHA512
b4ae918f2be6dc562ec86f1b0228e57bf949472175df8e6f3d1ff505f0c96e8ff2a43f4022c0e3f7851fe96fb01268bb62a644990c970e5bc9d31c99536caa7d

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
3.8MB

MD5
8b015be99f796d7335e5ad47b33de65c

SHA1
bc4e536411f3a0616c3f27afb1bfc50691a1ed63

SHA256
8e29dc851be38e7dabb96bfcae82cce5dee40248b088da223dc466209283ec19

SHA512
d38745bf4247d1759f4a92a537ea965eb137fa98a7b7ba2e41d92f58c54670f1b8a2ab29477cf491160755a1abaadda6ecc53869bce7d23b34e15e116843794c

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
3.8MB

MD5
2b01271450c9e1d85ff3d401a907a0cc

SHA1
3f9835ba50cf530e0160726fe0670ef586379d05

SHA256
26c85e541391a41eaaed2502d54d476360a52e220f7d00f4f0ccf63610a7944f

SHA512
7959e5565d7151bffa4f09435efb3b1bc049c8eb6e204bf1dd3bd8ce19dfb1d69239b1bb3b9c1eed5c669aadd98b8543a0f17b733023de4ba272f91406fba127

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
3.8MB

MD5
c750451ce0ff982a898e42c37b8bfc03

SHA1
550f01fb7d5cdc64b0867b1f939e0c058e3bbee2

SHA256
b4a40e1c4cea28e73c92929b58d1a92db54050076a526ed28a17c2703bf5ae90

SHA512
7c0675c2f1fbd51072e583f829ddd8cf31425975d9103add0566b14a9bd8cf963ff6eabd978d1f4ea359c9a8a9df4a636acd703b527ae4bc34e1c880804ff858

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
3.8MB

MD5
f3b1c910381e7440014a060cfc34f80f

SHA1
d730cb5ec94608036fb1f3774f4b03fd6c3263d5

SHA256
f4e7ed692e0df5a6bc7b3c9f97b1af998be6c879eced8b637dac11799f1a6a81

SHA512
be5e82dc6a1264923563424b9f2b43489f41d11e844d59e7b95b821f8048f36b53bbdf7fb3ecf9692d6d195d222dd4ba7b90982a1580771715200df30103dc2b

Download Submit
\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.9MB

MD5
10fba2f3325988b06c549401a11f5030

SHA1
f552e9870c716c866ab9c31a24f5bbf981025da9

SHA256
8a2e94602ae2a8d244aa3d1d212fd493148b65ccdd6cfc29048aea4cad30e794

SHA512
3bc8d08996af0600066ae12a69a753952171ee5f72d68229f79579abe13002df9f163941bff857b5573506429ea184b02cc46184bc9c175f0931d39a1188632b

Download Submit
memory/1764-335-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1796-358-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1796-28-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1796-37-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1796-333-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1796-52-0x0000000001000000-0x0000000001002000-memory.dmp

Filesize
8KB

Download
memory/1796-56-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1796-343-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1984-73-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-346-0x0000000005390000-0x0000000005D63000-memory.dmp

Filesize
9.8MB

Download
memory/2892-31-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2892-371-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-374-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-376-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-65-0x0000000005390000-0x0000000005D63000-memory.dmp

Filesize
9.8MB

Download
memory/2892-344-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-347-0x0000000005390000-0x0000000005D63000-memory.dmp

Filesize
9.8MB

Download
memory/2892-68-0x0000000005390000-0x0000000005D63000-memory.dmp

Filesize
9.8MB

Download
memory/2892-920-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-334-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-38-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-77-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/2892-369-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-29-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-813-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-815-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2892-66-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3008-27-0x00000000053A0000-0x0000000005D73000-memory.dmp

Filesize
9.8MB

Download
memory/3008-25-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/3008-69-0x00000000053A0000-0x0000000005D73000-memory.dmp

Filesize
9.8MB

Download
memory/3008-23-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3008-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3008-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/3008-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download