a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Size

2.2MB
MD5

276a186c8671f1348db97205dd28e874
SHA1

e88cb8f03005223dd2a007aafebca33fb4d26099
SHA256

a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166
SHA512

bc499ba71f599fc4dce5ec4c9296c731936e64bf81a18ce489c9fced72657dd91921c3a805f62b05c09a96469ef606c4e607cdccc48be188729a64cef81a216d
SSDEEP

49152:0Zrug17iugcy2JFUhn5GUcvawwzx48EbQDl2laGtY:00s2ug7uF+4iPEbQDopi

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-18-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-19-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-60-0x0000000003CB0000-0x0000000003CC0000-memory.dmp	upx
behavioral1/memory/2028-72-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-74-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-75-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-77-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-510-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-511-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-944-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-945-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-946-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-947-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-948-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-949-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx
behavioral1/memory/2028-950-0x0000000000400000-0x0000000000F1E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8003a7963621db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000051a8943b57291da08fcdb49e7d5db8aaf9de05d2f63b15cf11c60d7fb3dd7ba1000000000e8000000002000020000000f88c92adeff0206ff055a052692e6e6813a16d1c3cdcb0fab81f350cf85f2fe62000000022a10cd3fdb2528ae9415af992e14909b6990ac77030b32d05c40dc415ae6dcd40000000e12d3330885219f8e397e1380f7b5c5f23bea84aab35911d69a4ac0576b138e3e2122b5c01f49afb36f25a05211d6d02cf041599e74041527573f70892a622c9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A77FD151-8D29-11EF-BDD1-5A85C185DB3E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000d77b57cb88deb74f0ecb5434b7336737bcee6dabb00f227ac7a414242fd5357b000000000e80000000020000200000003e17207212c1e8b09c66450baf766e2fcd90c3f794e907cbb72709f55383e00590000000dbd1e56f360ed003bf2576c418167f3a7216277b2930b1f97257fa19d2d0de99e43cebb22af38bd578ea94278d47b4a0096e19ba3f70122a87f0690cf1f7c1c0925f75c79a50c31b148c2eff8d53c3837cc5a3e55d30562d0b449741c1cf89ac7134fb197392518aa7a369dbfabb75b13491bfd3b2a98e33335efbf29b5ebf4c8fd4c25beac9d90c10eb16987b73216f400000008f76b1026278d40482227bcf2379354c5ebb1ca4fd2e6fbc8bbf7ffa35392714ccdb59c51f9e681184821c647e58ecbec8031a414694f98d05241bfcaf5a8791	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435401419"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeDebugPrivilege	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: 33	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
Token: SeIncBasePriorityPrivilege	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2744	iexplore.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2744	iexplore.exe
2744	iexplore.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2744	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe	31
PID 2028 wrote to memory of 2744	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe	31
PID 2028 wrote to memory of 2744	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe	31
PID 2028 wrote to memory of 2744	2028	a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe	31
PID 2744 wrote to memory of 2808	2744	iexplore.exe	32
PID 2744 wrote to memory of 2808	2744	iexplore.exe	32
PID 2744 wrote to memory of 2808	2744	iexplore.exe	32
PID 2744 wrote to memory of 2808	2744	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe
"C:\Users\Admin\AppData\Local\Temp\a99860f6628b592c0f7b187a3aab5279723a5be8deb2b292dd62cbeabbbf3166.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://lanseyou.top:6093/txt?&ys=0&lj=%E6%94%AF%E6%8C%81%E7%B9%81%E4%BD%93%E7%B3%BB%E7%BB%9F%E6%96%B9%E6%B3%95
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
677cb542c535500ca046279310384a1c

SHA1
3314754ab2a66871668ad7b0a4065a47ef48f594

SHA256
ee7ec32be76c14500cc8475e21fecff6b4ec52d641cc9cfe6252531034710feb

SHA512
34351c797c0f1d6b9d77bb375dbe03eb61f65fdcd17f52b514b8bb03c0253117207ae895bc3c59318eeafeaf3fa63c2c756d634ff8c6fba1b42e5912ce515236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56eeb3c822aa9452bdc8988d8d336ce8

SHA1
91a8cabc40f4e4a87b9d2d61856e6865de48c90f

SHA256
7d4272c8f15810da472df7e7200b51efd092528ef3d2a5dd445546d8a5efabdc

SHA512
d69d0d9456917f0275addee41ff50418c5a737203ad7702db009642ba9c4ea9e28f9b4d07493040145e8960ea50cbd5eb99a562bc72086937036c3c378e4feca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a879a9e408f2fb3280c5a97216d9ffb9

SHA1
85c9baf04d2f6509450ee119955de1927d2f8c83

SHA256
0e946e2adf6d8d53c243ba0467ac1863ea12c1612cf9632f8c3b6bf3adf13b23

SHA512
56bf0d49dbc5e9f75929fbb7f6852c049b6d124da9bca81d39acf33cc1f656b4090ecef9b3929d778e6ebf6270acbfe5d6e1f84a9e2b33e8e62e67bb2b26fb72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb2df4aeb222e2c67847a0a79a8df963

SHA1
fbe085ccfa5820fec96ec64f84e27392cd96d320

SHA256
0e10b20a9ec624fecde7e25096f1e36ded08dfa5b7921d2aea96ef57ca0fb452

SHA512
1a8067eb26d4ba399099515a67a5015a1882f7b43a500711ea46de11c7db3f5a0b82b37b4ba890ee5b1355f629ce6a41c3b6b5fca0058fb09e3acd14b9438aa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f3ec27a0351995a26d88b3afe6c9383

SHA1
a57a1ca32ebaf8d5126ace113e8c37f70ff13712

SHA256
af344ecfe689a0fa649686f53f2cea3ed2caade91cf305e4fa57bb7041816b09

SHA512
fb7a6372e6b7fc15ad0a5ab5b37bfffdae4c9bc8a5c7ef998806d33c48da15f4202bcc698b2a4275f6c6eda1fb0f0f16c23aff2d2a17dec9a5cbcd78c0aee9e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8264584721e2f9a48c7a3e618914b1e1

SHA1
1f9a86f5714e2937052f48677b9301d09a37a706

SHA256
082dfef882aea549f1bfc6b9ce6cd68424537da9cdaed178476a087e57995302

SHA512
80f45f6b5009ebf710679d70e801e5cfe6bbaaa8688adcec9ad91fe1f0457f3f975dab2e9eb9497c3457d685c2f21e2d2167105c891bd335f0ee0504555299a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed3fe743bc10f034b58cda026de9e37d

SHA1
6a16ce6208d209575ed96bb0b567a880c11459d2

SHA256
0e50f96fc8d67cc6486daa5a56e470356623ae6c08dda8fe4a6d27bd4b32db55

SHA512
46a52d02e5667966c75ab59fee5a618d4cf86d39b8e965ccaaa379c12f306f6cf65181c63f8d66f72e4ac983067772933697f38c806499121a40df9db6086f3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5138d305023da4f7aa3ed9b7cc69fee2

SHA1
9dda24627f37a5f74024b2dc0f523761a3ca3c6b

SHA256
d43e07665ff043c22370d720b52052b22b579b463a3e413e34e41b3df7b08027

SHA512
db07c3f9d82aa5af0267b5f0827d724c63344cc208ffc4eb63f668e6e4bc6328bb372042cff8062eb97be63375934c800553943f0440fa35783a70d10a7955a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8efadeb9d96f96dd37d2f779e7fe0d0f

SHA1
78129fa77b98f49fc35c55cd9ac5f190a5c855ac

SHA256
c99dfbe4b505f9e215f8bbbd5b8db0e348b9d66894789ebc14ca2c49db51a6db

SHA512
a98035b29e153f1c62f1c39c2053e27e68ded53ae29e5a0151d3a305db2283bdfde65597191ef73135d8978a09461090741ec41eff3daba9acd2d393f8a6fdc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fca89657ccda9a9464b96414a17222d

SHA1
cdb7a1a2af06eff91b386d1e0e1afaeb322368a1

SHA256
5473026b39fe601e3fd0adeca709256f1ac70749edbed9ef2143e6899fda2014

SHA512
76bab6302b6deab59d0c1c4637e7fdab37401a788d1789a943640d9670b2ad8b1077a43b8c8eeb997f36489deecc30ace109e19ff6513b3ad5fd13f6d5b57947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb37d1b54f9bd315d895cfdd7f25f498

SHA1
818ec6c829c16fc715ff71adb5b43a58781d54e3

SHA256
19b09d3f6531ba4cfc006c74df4ccdbdb62867b4589c6c502df20397c2a215ef

SHA512
84cec82288dc064f79ff3daddb4855eca1afae53209267d50936ff1d4c59c800bfcd0c552906558c7068abfaf46aa3be92d78e9f06e8f2b9a276d7794c975367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9b9043c8446ce760320dcf8e0a0a1f0

SHA1
6e25ca9b5f56d08b2d0afc36b65ece5096acdf6a

SHA256
a8043b0cd031b30ac3de52b8a34cc2bd2e0e84ef86b802aad64c953533e517aa

SHA512
d001fdc03e645d5e6f89ef514bf3600e003fd4b566686a6aa2e198255df8bed34f43055601ef4eaf7eb12d087f74673015cb4f5a93ec0a059e006efc883e1f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0135bfce20f23ba6110b67b83806f1a3

SHA1
01b92ec5002d1ddcf16edd7ad0a3796ec97bc244

SHA256
1ddffae6a5870ccbc1f63756521575379ca44e497b7d493d1703bc0b8498d922

SHA512
9cce1efbde463c7dd78a626c3be62259d3db432fab7cff932e8211c1aea75d9cc626dab9c186e7c3116371379faff35e6f16ba92b9ac2905f4d026b5964a0028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
132b1c31bc21a2e1ff6dd416212fe915

SHA1
cb422923349eaaae32eecc998f2e05c3d84e8624

SHA256
1150ff4a0e34cfa619f19b39c93d0e191c5fe4e436bfd5a53710b476143b81a9

SHA512
fb4232f47965976b2092860464694c70c32ceda81e517648ff04e447b73a97f3733933b07fcf855fa6e3afd7cd214f41eff8d130e9f1f15b62cfd7def40d6773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e22a01db90dd8693a795ee0c89c99800

SHA1
51818b09d8b8f62fc69a77751d6faad15c037c1a

SHA256
42b16b5cac63eb800584cbcb7a0460f2f174bc6b83d2905826eb3059fce35bd4

SHA512
51ec6d5314c676461263e3b88f52f204b65960183aaea574f3819b0321cbcb9adf2e047b9116aff39afffef637d0d3400e7dc37293fc0efd75254550b851c9cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ebefdb28cc0c26eaddd9f7c9cfdc278

SHA1
bfee6a97d0eb192a9f5c1b5abd31c099a840c222

SHA256
9d6eb0ac5d492a573183eb36ab58bcf4e9df308a6b8419bb2f514e3b56d72d54

SHA512
faffb5d07f72f570d85106b388d7c3e844a2251c726863ca8bf3cc652bb256e3a9d8ba0492311c6244aa94564b69e0da9f10a53582d200183bfe56c23b530820

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e84d07a196c3386d6f880e8fb39d511

SHA1
1d281b285a3a7e76763836cc12bc452d9fcfff69

SHA256
87c8d2737c24e17134b8c6e5e1f5e87658f24a8f79b029ad02a760aabdae4673

SHA512
2526802b1b2cfd5b76ac1c8e03374210ab4cdaa0775d4333e8c2ebc98febe5665d18aad25a9215bbd96d1faae7a5d6c8976ea8ad4a8fd6c21263308a3695b8ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f1e14defa186f3c8d1789f4e4c39ece

SHA1
2ed973c9470a4df3cc6ce46c2e632bcdab692db0

SHA256
051a048b2ea48edab54207c4adc42e7b29ee22f69f937d05f5c94ddf94100fcc

SHA512
bfc83a6016d92fc3983ab8b4a5282b37ba58018e89954fb68b4a7848b902d00ba933a012718ed111adadfe6daa6b7af18121ebabff36709144a385099165bd08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
041b940e1f601c7108d19b628f114e82

SHA1
9608b3804b0ec09b20189bfdcc6aad6cd7a2ec38

SHA256
bf82144a7f6665126ded3b1c83a4fc972a0566a213bb1c06efcc069df1d39075

SHA512
e6c8c151db7ce3587d3553a2b8a7574460f810c59ebaa7e3fee0fcba86242abc96fe010b615bc67deaaf8442317854603b1e2fdcdcefac5f7915d2b6502d95b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE9F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBF40.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\fuwuqi.ini

Filesize
82B

MD5
36b11c4a12ab512f597604d405f320fb

SHA1
c1998e7066a810e00daf78e2ea9ccec567e61bbf

SHA256
6a0b2a6204a3416594229c738bca5650b5d35f64f4d47dace98eb0ac03e8bad4

SHA512
f4c6d98a6a2224f235ed7274c2d75a2c6b87d5a1ba2aabc19ea2f4aa30e89e6b13d2f620ac8a907e9cf56966f16bb699e4b21d4ae2331c4adcba2b30d0a549cd

Download Submit
memory/2028-58-0x000000007757C000-0x000000007757D000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2028-40-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/2028-36-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2028-33-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/2028-21-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/2028-19-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-18-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-16-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2028-510-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-511-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-15-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2028-14-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2028-59-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2028-0-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-60-0x0000000003CB0000-0x0000000003CC0000-memory.dmp

Filesize
64KB

Download
memory/2028-77-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-75-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-74-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-73-0x0000000003CB0000-0x0000000003CC0000-memory.dmp

Filesize
64KB

Download
memory/2028-72-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-944-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-945-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-946-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-947-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-948-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-949-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download
memory/2028-950-0x0000000000400000-0x0000000000F1E000-memory.dmp

Filesize
11.1MB

Download