d9a3252d8aa1ce8786fd29d68c4d77018a61c51073aaff82db00ae5355704110

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

async_modified/AsyncRAT.exe
Size

6.1MB
MD5

2e22d85e49e70fdcb2b516fc2431ed52
SHA1

dd3384e996b35c7a4f97696246b12d11d400f595
SHA256

9588fa3988ffa70c288f0566fffe1e219c0936d5af6dce5ec8b9e1b5161331bc
SHA512

27a81170f25e5f2bb2222669e00b9fc267a15b7b2a51143cec7d4af1475bed145fedeede038d82bf2d7bc197e8caba2a54ebeca741ed3d7d7d231f1c4374d6ae
SSDEEP

196608:mxeAwpZllbJwIwOA3x/6txY0h1L4EB3zDG1w:nZllnwXcth1kWjOw

Score

7^/10

discovery

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1740-1-0x0000000000C40000-0x000000000125E000-memory.dmp	net_reactor

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BD90B11-A9E9-11EF-B954-F2DF7204BD4F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0722456f63ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000870e4819c92becf091d5134f170fb078322e33c6ef993f45a92f5be383831af9000000000e80000000020000200000005a385e75e04e28feb439c45c6f1426e56f4a7c15bd71fe9622fc9811c676f0a0900000004fdb1e1d7f44b712c2d668d8d9d4a78cc6ec98d8712053e941e3bdecc0ef48f555956c2775aa77952208e3692f61658ea2934190eae0d9c5de804bbda7fa2ebe4db3733387fb2c1021441ce1ad20cb085c4d2a274a945ede72cc2b8ce2fd81f145c5a2a37281ca27f3230d0000a094e9cc7122df5d7a26b39f97faf7154c4f4a560bdfab03b4f7c238bcddec5aa2aad8400000001739ca8e9378795925cb1aa59959055de0e38b6ef2648cbb4d11e7260fcb700c62b3cb120092a3e73133a003551e68d8b1bdde24409d3cd94a65b8c082ac0144	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438562469"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000009c0f50612dc10401983b34b3dc7aab51b3ef38ccad8aab52681e164934e9500f000000000e800000000200002000000055c71398290b7b5e96f71db82a0328553e467e7e669b4a18764e726499a81b41200000003735f0de461c724eaa27f83e7a735a824360f00d2261e7521861bb7b48628bc7400000001e64ffb0ac5af1f809ab5d031bc8aa4af64340362ee7c3cc9fb49e925edf6832f0e4ba88cee73416abaa0a7245c9a798a1e032018f3671c0770397b37fac03cb	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
1740	AsyncRAT.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe
2296	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1740	AsyncRAT.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1740	AsyncRAT.exe
2296	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1740	AsyncRAT.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2296	iexplore.exe
2296	iexplore.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2296	1740	AsyncRAT.exe	33
PID 1740 wrote to memory of 2296	1740	AsyncRAT.exe	33
PID 1740 wrote to memory of 2296	1740	AsyncRAT.exe	33
PID 2296 wrote to memory of 2432	2296	iexplore.exe	34
PID 2296 wrote to memory of 2432	2296	iexplore.exe	34
PID 2296 wrote to memory of 2432	2296	iexplore.exe	34
PID 2296 wrote to memory of 2432	2296	iexplore.exe	34
PID 2296 wrote to memory of 1160	2296	iexplore.exe	36
PID 2296 wrote to memory of 1160	2296	iexplore.exe	36
PID 2296 wrote to memory of 1160	2296	iexplore.exe	36
PID 2296 wrote to memory of 1160	2296	iexplore.exe	36
PID 2296 wrote to memory of 1000	2296	iexplore.exe	37
PID 2296 wrote to memory of 1000	2296	iexplore.exe	37
PID 2296 wrote to memory of 1000	2296	iexplore.exe	37
PID 2296 wrote to memory of 1000	2296	iexplore.exe	37
PID 2296 wrote to memory of 2972	2296	iexplore.exe	38
PID 2296 wrote to memory of 2972	2296	iexplore.exe	38
PID 2296 wrote to memory of 2972	2296	iexplore.exe	38
PID 2296 wrote to memory of 2972	2296	iexplore.exe	38
PID 2296 wrote to memory of 316	2296	iexplore.exe	39
PID 2296 wrote to memory of 316	2296	iexplore.exe	39
PID 2296 wrote to memory of 316	2296	iexplore.exe	39
PID 2296 wrote to memory of 316	2296	iexplore.exe	39
PID 2296 wrote to memory of 2440	2296	iexplore.exe	41
PID 2296 wrote to memory of 2440	2296	iexplore.exe	41
PID 2296 wrote to memory of 2440	2296	iexplore.exe	41
PID 2296 wrote to memory of 2440	2296	iexplore.exe	41
PID 2296 wrote to memory of 704	2296	iexplore.exe	44
PID 2296 wrote to memory of 704	2296	iexplore.exe	44
PID 2296 wrote to memory of 704	2296	iexplore.exe	44
PID 2296 wrote to memory of 704	2296	iexplore.exe	44
PID 2296 wrote to memory of 2368	2296	iexplore.exe	45
PID 2296 wrote to memory of 2368	2296	iexplore.exe	45
PID 2296 wrote to memory of 2368	2296	iexplore.exe	45
PID 2296 wrote to memory of 2368	2296	iexplore.exe	45
PID 2296 wrote to memory of 1672	2296	iexplore.exe	46
PID 2296 wrote to memory of 1672	2296	iexplore.exe	46
PID 2296 wrote to memory of 1672	2296	iexplore.exe	46
PID 2296 wrote to memory of 1672	2296	iexplore.exe	46
PID 2296 wrote to memory of 2496	2296	iexplore.exe	48
PID 2296 wrote to memory of 2496	2296	iexplore.exe	48
PID 2296 wrote to memory of 2496	2296	iexplore.exe	48
PID 2296 wrote to memory of 2496	2296	iexplore.exe	48
PID 2296 wrote to memory of 2748	2296	iexplore.exe	50
PID 2296 wrote to memory of 2748	2296	iexplore.exe	50
PID 2296 wrote to memory of 2748	2296	iexplore.exe	50
PID 2296 wrote to memory of 2748	2296	iexplore.exe	50
PID 2296 wrote to memory of 2244	2296	iexplore.exe	52
PID 2296 wrote to memory of 2244	2296	iexplore.exe	52
PID 2296 wrote to memory of 2244	2296	iexplore.exe	52
PID 2296 wrote to memory of 2244	2296	iexplore.exe	52

C:\Users\Admin\AppData\Local\Temp\async_modified\AsyncRAT.exe
"C:\Users\Admin\AppData\Local\Temp\async_modified\AsyncRAT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/crypt_3losh
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275474 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1160
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:537619 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1000
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:603156 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2972
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:1520667 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:316
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:1651752 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2440
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:865331 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:704
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:1061974 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:2044971 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:2503751 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:2831421 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:3683409 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2244

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4966686ea3d51e664c741a256477c0e3

SHA1
915cd39c3dd057020d9ca9702a0e1698243baf68

SHA256
1b174268f6e8f4ee52e1751882b39c33f24aa4a9a0bfa9395b4d64990f0fee6a

SHA512
e23616a672edb6fa6684ae55f4eb6d6613fed623e91c10f2cb058be372a4b8e307886353ac676f91148c5636fa7e4a8f10d88514a55475c7f0e047624eb768d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd307e26beec4904b0201e1e646965c6

SHA1
ff1d6a4017019505f7bae51332d66ba1507fbecb

SHA256
a5e0d19e87bcc32b5cffa202a537e1e1e17bf155ef52e8e2d6c2270ed45f293c

SHA512
2a2e5000ef29f1a823e9555c9834e35ac921b8c838e57f0d4e46103668bb40b1a891541e05dfe241f91ba10c4e007eb910d8a4291ab687ea35d5b9222ab801f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53cc7dd06e98bb5919a390779625c863

SHA1
bb4647940db9d362c1bf44012b8789d2c9aa12c5

SHA256
f250c4a22bf552980de5913880b4bb615611ce20d9fcbdcba4becb78474580de

SHA512
051e35945c0c4ab64daa04f31c68a122d3ec82ce71cb4c669a00554ac52357554f1e21595b1c07dec09f3980e33378d43ce59a929cdd3ddd5905c2876aeaa82d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba64a4364e3498656f2fe2f353667f00

SHA1
853a417dcf25af0d4c30793b1c9e57cac14ff83a

SHA256
23bca1b7f6c1f21c4ebbb27db3b1feaf1fb93fba0f7d41d4fa087148f81eaf6c

SHA512
d157cacc8922b777bb749007be0a51fa35d4778d867ea5c69af0ac31b78c69cf1182465f15a6c8c0de4ef0f04c47c718591603ae798e57b367b3574fc515923f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfc843acb8a0abc1b456988f8c8abab0

SHA1
4b2a1c0928d9dbf36b5d416524550f08e01fc1f3

SHA256
8b59db462dce80d5664accceedaed37f0b1886d4fdba991d5d119ec6eda24dfe

SHA512
5c9c1adf887530be47178eb85de82ce24929860deebaac73732a136b8977f783b61508a5dab5b7d08fa95affc33666a27c5c05166bc0e40eb6dc3417a58f9b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56f67af4832df812f10271e46651b338

SHA1
6d80f551d8474b66e3ec14fc523a8ccad58a0134

SHA256
b100b2979aa27adf84f03aae95904120d080f13883d8fabdb96ff90a1272dd4d

SHA512
71137cd903b416ebc073a9afb60d17b5ebd4cd79e2a7e346de97081a3582a8e427340b8d6cdc2196fb578618c3f8edda9d699f96c045a01056422f5a681db70c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d167cce1f4b7dfc10b90912427e6dc44

SHA1
b6a0687685ce4a348fb9faffe1d4b7f1807818f3

SHA256
7a44e61e34e45025d2c229c6b4f901664fa6f617f96fcba9056cd6b0e1cc49c5

SHA512
1525bceb1badcf41e5931e62b81d1fbb258e4815f2abcf370fb6400b912d2274eb8d21a8d6432e2381ac4c58c1d08b5456bfcdcc32bbec4adde39e6630eb6c08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
020eeb24682f4c977e3467fa1f1f7e2a

SHA1
362b53907d57860a47eaade15ec502d5c9621f3a

SHA256
21647323f16531c41be8353ebc1ddfb301c1350b4ea388482e078cb6b6333ad9

SHA512
5cac5573c7db39914a86c54524c8e86688e60d55ce7364d6c9ab3f24fdbf651c8135f2c5b0690edbb41ba64d8fb45b458f7fdded3509282590ddc8a9e2d04d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76e0d03c45759980b3727687bf371812

SHA1
6c4c827a8ce3e2d644166c2eb7a75b73822af895

SHA256
129fe682b006a595a6e33e2f93b17bf938a142f8e846368f5c4ad91c38bfdcb2

SHA512
09b85b2ad71abbed12926b392fe6200179202ef6f5ec44f0e781483ad729b4940109ac2909a92364f07cb3e6b42e6706de358bbfa42d0f51bea78c718f09acbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5266cbae84f6e35749612958a2dcb975

SHA1
e45b14fa0dd0a806e4be14ade69f75aa690d687c

SHA256
9427e81f104470e80a1b1b3ccc369c600b3eb79299c6c044d6d58ec004cd3107

SHA512
251535a14c1e844cf681a597140fb1075121b5c817c52f242146df0e0f931ea39bc3d08f4eec0760ca145a2fd478e2b3885c275704ef4b61c2f0f89ffdafdce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31c73cb73d310b5751c657759e0fa738

SHA1
3e24708ffd31e8ba119b5bf08a1b32db9824921e

SHA256
0ef3369ce7a5f063800a8b737adc679642015e5c929f5e9d552678d97f013142

SHA512
8c6f4df5c52ac0abc98ab66ee54a8556d11d59abfaabdf1bcdbc2d0a351eed7379f14d14b4974480b9119ae79c2c06ee11bec7485ec648ae4f781283eb7e6f22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc56b455e14e348a14df2683a86bb404

SHA1
aa69c308b9efa394b545bf774066630503e96b93

SHA256
9dd975f74cc50833e3e4eff3b7bbccb1e277f0c084ff2ca3fb4a0abd2a2c59fc

SHA512
c10db9e7da4cb08954391c8ddd8884e2a6f43214bacc0af6d2f9483c49952960dfdce98a63c90c0601337de734dea2c14429ff87dd06fff4e18c9fb86a4034eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05b222c66293a1f9f6b1be58d0d667b8

SHA1
e2363bb2aea536231155e3786e7eced4a23deb76

SHA256
5f5f228677b0922278fc828d5b2b3fbdb41ec57b07e3341089c5555d67e838f4

SHA512
e6f780dcebccc4696396a476840aab29bb09c0258b754b9194fd9cd00847d4c924e911de5d18d2ced391747be2732c300b54201f061d397927e5c7d88b2c47f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b3a07ccffabfded5635bb44b12c89b0

SHA1
aa1969ec3bfd32efb2601b2609a11a853b9a01bb

SHA256
978b37da596f2b19c3ef4c8051f7134907e0a891a38687f91dd70e3923788cb4

SHA512
ea6cdb8bc0932bef0360a0120e5dd60ae47378ac5cae17b3d44c76e2b06d024fe88795666e353bc37e2a1ecebeec1919ce5a14a752ae6e9e0997e5ff5d8335d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f3c4a7c8cadf40ffcab5ce7132e7bf8

SHA1
43ba912f89c63b9b7440ac196f9d567c3fc36ff3

SHA256
afa108d49d4d73ce70db1f19fa17fabd7ddfe3cc53cad315692ddc0337d7f63d

SHA512
1b8054ce12464f6aaf601062e6266ca034ffc08d3f50cfdea66f444a39ff75b861b46893502ce5329f1b7c05657c6199c1db10da9ff42b43d3c9cebea083b5f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6e29c9f14ac990f70c065b23ac10564

SHA1
085d013126373c50b1b1f3ef168ab7cf7f71e421

SHA256
8772cddded53fb04fccb51fd2717d17f7a3a3fca993fcd7aa836e7c43c5127c3

SHA512
f20963f7af43446847de45547c4296b3dd614ef200dba4903d619cf5ff319a12b7e68a467b904141333ebcb11af78595b8de72df5554861c7cfbec2a37a24ede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06211b7ffde31e2d24b7dc287cd496dc

SHA1
ab141892551e870ea9bddd727f1e8b63f9a7f34b

SHA256
6a590219fa0885835064bc5a950b36e2091a5732470ca7f66eb9939f1e0e967f

SHA512
1c905eb6036b20c96a4822b10378055139da68ecd128139375f940cca8fbd8f0fff1d66595a84a7e2b4b614197eb676c1dfcf93aebf2bd1a61d8cd2678da4596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cc8e10c5847d11db6ae4cf4272f4d13

SHA1
2497b55c2ac968eaf2e88084795aa83f8f155e39

SHA256
64468727f1142526a0d41999b0f4c8969b68adde9d06ec466c23a4b2eb6bef2c

SHA512
ba15221e7b72396fbd443ffbf97999e6cb3f11333062aa1c1327fd17b78400b2f52429defd14d76a702b6dddfa181cbf9045d1bf73a533aaf28aa093bd9e3901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3768.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3836.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE4C0FFFCC53BA759.TMP

Filesize
16KB

MD5
12f5ed80970dae2d1fb197a78395b3cc

SHA1
dab764d11a6c1840840eb036212354ab87c431a2

SHA256
d737041265c5e953280bb74f4c99dc1bde17641a563684f32cf86a3ab481c7f6

SHA512
e168ad0eb9a46ce4fcafe58e62216054d089b9def9692212fe78d064ecb402e7e91995096cf045ca1a801b6d41dff761e5b7e0428c221c52e2d20b392ce0799f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
51240ccaa2c8d81ab54ef4193d8e24a3

SHA1
fcc7043443055d5def3462c7fe43ff925c6e8c4e

SHA256
4fe078629cef845739ea2ae93bc6cc4890696184c1da60a88fe5671d89a4d499

SHA512
3abe2f0919f7ffc60d7278f64168fe867b82373731e648efb8aabc47cdb9d50060a9bc40cef7b38b09d17b30234e2ecbac85a0be1d80e460ea548287d03d4eb4

Download Submit
memory/1740-5-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/1740-12-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-6-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-9-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-11-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-1-0x0000000000C40000-0x000000000125E000-memory.dmp

Filesize
6.1MB

Download
memory/1740-2-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-4-0x000000001C700000-0x000000001C952000-memory.dmp

Filesize
2.3MB

Download
memory/1740-3-0x000000001C030000-0x000000001C6F8000-memory.dmp

Filesize
6.8MB

Download