blackmoon | ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23/09/2023, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
Size

3.3MB
MD5

c9005c1d9a58749375a27ad3682d7127
SHA1

d94ac3d7199738b1e44628093a945e120392043d
SHA256

ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984
SHA512

1810ccd6a673e628f8f02fbd477e1a8e03080acd6f652997cfe92f6c877b9fde6bc8f1597807d81d990865793bfea047feddabe9bd3903e1bb6b0f185c4fb540
SSDEEP

98304:YROKh5VU89IrYLtWkdQZ7MVuLtInQKm0qa0V:yh5VHmrq1aZYVuAQKmwO

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 40 IoCs

resource	yara_rule
behavioral1/memory/2740-2-0x0000000000400000-0x0000000000FFA000-memory.dmp	family_blackmoon
behavioral1/memory/2740-31-0x0000000000400000-0x0000000000FFA000-memory.dmp	family_blackmoon
behavioral1/memory/2740-183-0x0000000004B50000-0x0000000004B61000-memory.dmp	family_blackmoon
behavioral1/memory/2740-184-0x0000000004B50000-0x0000000004B61000-memory.dmp	family_blackmoon
behavioral1/memory/2740-168-0x00000000049C0000-0x00000000049CF000-memory.dmp	family_blackmoon
behavioral1/memory/2740-185-0x0000000004B50000-0x0000000004B61000-memory.dmp	family_blackmoon
behavioral1/memory/2740-502-0x0000000004F30000-0x0000000004F3F000-memory.dmp	family_blackmoon
behavioral1/memory/2740-510-0x0000000004F40000-0x0000000004F51000-memory.dmp	family_blackmoon
behavioral1/memory/2740-511-0x0000000004F40000-0x0000000004F51000-memory.dmp	family_blackmoon
behavioral1/memory/2740-512-0x0000000008320000-0x000000000832F000-memory.dmp	family_blackmoon
behavioral1/memory/2740-520-0x0000000004F40000-0x0000000004F51000-memory.dmp	family_blackmoon
behavioral1/memory/2740-522-0x0000000008330000-0x0000000008341000-memory.dmp	family_blackmoon
behavioral1/memory/2740-519-0x0000000008330000-0x0000000008341000-memory.dmp	family_blackmoon
behavioral1/memory/2740-523-0x0000000008490000-0x000000000849F000-memory.dmp	family_blackmoon
behavioral1/memory/2740-531-0x0000000008330000-0x0000000008341000-memory.dmp	family_blackmoon
behavioral1/memory/2740-533-0x00000000084A0000-0x00000000084B1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-530-0x00000000084A0000-0x00000000084B1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-534-0x0000000008350000-0x000000000835F000-memory.dmp	family_blackmoon
behavioral1/memory/2740-542-0x00000000084A0000-0x00000000084B1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-544-0x0000000008360000-0x0000000008371000-memory.dmp	family_blackmoon
behavioral1/memory/2740-541-0x0000000008360000-0x0000000008371000-memory.dmp	family_blackmoon
behavioral1/memory/2740-545-0x0000000008380000-0x000000000838F000-memory.dmp	family_blackmoon
behavioral1/memory/2740-553-0x0000000008390000-0x00000000083A1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-555-0x0000000008390000-0x00000000083A1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-552-0x0000000008360000-0x0000000008371000-memory.dmp	family_blackmoon
behavioral1/memory/2740-988-0x0000000004EF0000-0x0000000004EFF000-memory.dmp	family_blackmoon
behavioral1/memory/2740-996-0x0000000008390000-0x00000000083A1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-997-0x0000000004F00000-0x0000000004F11000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1007-0x0000000004F00000-0x0000000004F11000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1008-0x0000000004FA0000-0x0000000004FB1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1017-0x0000000004FA0000-0x0000000004FB1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1019-0x0000000005150000-0x0000000005161000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1030-0x0000000005150000-0x0000000005161000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1031-0x00000000051C0000-0x00000000051D1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1040-0x0000000005230000-0x0000000005241000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1051-0x0000000005230000-0x0000000005241000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1052-0x00000000083B0000-0x00000000083C1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1061-0x0000000005260000-0x0000000005271000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1073-0x00000000083D0000-0x00000000083E1000-memory.dmp	family_blackmoon
behavioral1/memory/2740-1072-0x0000000005260000-0x0000000005271000-memory.dmp	family_blackmoon

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-183-0x0000000004B50000-0x0000000004B61000-memory.dmp	upx
behavioral1/memory/2740-184-0x0000000004B50000-0x0000000004B61000-memory.dmp	upx
behavioral1/memory/2740-180-0x0000000004B50000-0x0000000004B61000-memory.dmp	upx
behavioral1/memory/2740-185-0x0000000004B50000-0x0000000004B61000-memory.dmp	upx
behavioral1/memory/2740-506-0x0000000004F40000-0x0000000004F51000-memory.dmp	upx
behavioral1/memory/2740-510-0x0000000004F40000-0x0000000004F51000-memory.dmp	upx
behavioral1/memory/2740-509-0x0000000004F40000-0x0000000004F51000-memory.dmp	upx
behavioral1/memory/2740-511-0x0000000004F40000-0x0000000004F51000-memory.dmp	upx
behavioral1/memory/2740-516-0x0000000008330000-0x0000000008341000-memory.dmp	upx
behavioral1/memory/2740-520-0x0000000004F40000-0x0000000004F51000-memory.dmp	upx
behavioral1/memory/2740-522-0x0000000008330000-0x0000000008341000-memory.dmp	upx
behavioral1/memory/2740-519-0x0000000008330000-0x0000000008341000-memory.dmp	upx
behavioral1/memory/2740-527-0x00000000084A0000-0x00000000084B1000-memory.dmp	upx
behavioral1/memory/2740-531-0x0000000008330000-0x0000000008341000-memory.dmp	upx
behavioral1/memory/2740-533-0x00000000084A0000-0x00000000084B1000-memory.dmp	upx
behavioral1/memory/2740-530-0x00000000084A0000-0x00000000084B1000-memory.dmp	upx
behavioral1/memory/2740-538-0x0000000008360000-0x0000000008371000-memory.dmp	upx
behavioral1/memory/2740-542-0x00000000084A0000-0x00000000084B1000-memory.dmp	upx
behavioral1/memory/2740-544-0x0000000008360000-0x0000000008371000-memory.dmp	upx
behavioral1/memory/2740-541-0x0000000008360000-0x0000000008371000-memory.dmp	upx
behavioral1/memory/2740-549-0x0000000008390000-0x00000000083A1000-memory.dmp	upx
behavioral1/memory/2740-553-0x0000000008390000-0x00000000083A1000-memory.dmp	upx
behavioral1/memory/2740-555-0x0000000008390000-0x00000000083A1000-memory.dmp	upx
behavioral1/memory/2740-552-0x0000000008360000-0x0000000008371000-memory.dmp	upx
behavioral1/memory/2740-996-0x0000000008390000-0x00000000083A1000-memory.dmp	upx
behavioral1/memory/2740-997-0x0000000004F00000-0x0000000004F11000-memory.dmp	upx
behavioral1/memory/2740-1007-0x0000000004F00000-0x0000000004F11000-memory.dmp	upx
behavioral1/memory/2740-1008-0x0000000004FA0000-0x0000000004FB1000-memory.dmp	upx
behavioral1/memory/2740-1017-0x0000000004FA0000-0x0000000004FB1000-memory.dmp	upx
behavioral1/memory/2740-1019-0x0000000005150000-0x0000000005161000-memory.dmp	upx
behavioral1/memory/2740-1030-0x0000000005150000-0x0000000005161000-memory.dmp	upx
behavioral1/memory/2740-1031-0x00000000051C0000-0x00000000051D1000-memory.dmp	upx
behavioral1/memory/2740-1040-0x0000000005230000-0x0000000005241000-memory.dmp	upx
behavioral1/memory/2740-1051-0x0000000005230000-0x0000000005241000-memory.dmp	upx
behavioral1/memory/2740-1052-0x00000000083B0000-0x00000000083C1000-memory.dmp	upx
behavioral1/memory/2740-1061-0x0000000005260000-0x0000000005271000-memory.dmp	upx
behavioral1/memory/2740-1073-0x00000000083D0000-0x00000000083E1000-memory.dmp	upx
behavioral1/memory/2740-1072-0x0000000005260000-0x0000000005271000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C4D9601-59C6-11EE-83C0-7AF708EF84A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004a0e7d3e2661af06713e2db09363c446616f286e8a75fb58c3bf52bbb2bb63ba000000000e80000000020000200000009c19f06859a41cd404eb8b1dad5f4667854005d3cf3e377c3b697b95bc04852490000000d8ec6d780de1d43712a4037e65f3207d70638c61e931de5ba420a8727fd3561b83d05d6a4ffe315e201ffb90a3e110e7e394e1c7ecfafcf59ce9285118886846eb917fac4c54255845c221b8d92fa71c723d0b036abb25d2c6182b07c4a32b5c2cd40dde276d21e950a44f0ea28d885e94c9ef641d1b196c21e58326acf7363fbde0fd637b5ddd7dd908c518353d3fbe400000008f487915ddbb3251ed4841ce135a29799bf0b0f66ce7df84bea554547e1325b16f25b5971cdbf0bef64e59b5f5f4e064b50048cf354e75280734175edcc0466f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000001f742f58a06faa83ac32183e29f8cde7573052c6f917b0160d05e8224c682dee000000000e800000000200002000000024e10aeb707413bf265a8d9ea866f37434b4101d90631350c2eb24c16780cfb120000000bd162a0cbad666f287b56770ea0f0cc9a47c71643f2818bbd9324a35c4b64ff040000000abd39099ac0f19964ed0eb85be5fa6be7b493bb90ebcef43bea2c5c6c344ded6079657e332d6dec6d6f4c1a5f51612f704e11d37775ba63ff5f5f4d78304d8b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401603632"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401643e3d2edd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	iexplore.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
Token: SeRestorePrivilege	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
Token: SeShutdownPrivilege	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
Token: SeBackupPrivilege	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
Token: SeDebugPrivilege	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
2636	iexplore.exe
2636	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3064	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	28
PID 2740 wrote to memory of 3064	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	28
PID 2740 wrote to memory of 3064	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	28
PID 2740 wrote to memory of 3064	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	28
PID 2740 wrote to memory of 2636	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	31
PID 2740 wrote to memory of 2636	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	31
PID 2740 wrote to memory of 2636	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	31
PID 2740 wrote to memory of 2636	2740	ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe	31
PID 2636 wrote to memory of 2500	2636	iexplore.exe	32
PID 2636 wrote to memory of 2500	2636	iexplore.exe	32
PID 2636 wrote to memory of 2500	2636	iexplore.exe	32
PID 2636 wrote to memory of 2500	2636	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe
"C:\Users\Admin\AppData\Local\Temp\ed6a0ff29b30ba7c7af4ed5a9cf348117e4a25785166772daaf6892b6bae5984.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /net localgroup "Administrators" guest /add
  2⤵
  PID:3064
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.626my.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b35b63df3f6c71b349f4c4e59081053

SHA1
9fda6ea0467881178c55e27ec3191f37f31acc09

SHA256
e6a5e97a1e80dabaad630e69e0a7d7518d7d35a6889f43e2defef9d16342929d

SHA512
1420b4fe23eb9c82eb24c3dda8efcb0fca18a713e09095be1e4ad8cf267ccca358ecb19e7bd23947bfd47f8e1c08c6328c64fd225ba90cccccad05d14a28d416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dded1dd54f859e9817807f788b3c342e

SHA1
6aa0b91edf22675c119f53d402f75c24cb6a4d17

SHA256
4dedde1a4da38b6d2b80c18884b53324c39223c756297011784ad75bf71559ab

SHA512
ee95715742a901993bacf7b7ea2d82e4f2a6d1d38a2db025fdbfdbe245e897dde2d31cca99f771aaab213b3538ed3d0dfbc71b28ed0d5ebfcb01ca006c2806fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20094409a7c2bb224beccd0b195ad55c

SHA1
5bb35779c0726149e4ed0247fa69918fb7512c91

SHA256
59db8ee67694e7c3f665e1d5693ee5406de7e11c5056eb5f25c794b0e2e3998b

SHA512
f509a8b8a3b7674039e5bab083a4813d6e87baeeb1a96baa6949097eae85e56c34119cc7694b260bbf04eb22944e2c7cc691e2321acc0886910c1b85c163d603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5e7923817c5a3ab472053ac0d20aa3c

SHA1
06ef2d8db3bf820e03dfbbca15b5c0deb9c08d31

SHA256
b2654dd93090bd5c8a92d62f23811c6ad45c6342b0a0bf97f18e13ff1fb7fbb9

SHA512
4a5715eced1ea4af0b2bffcdcdbe12aab2afec8414979f2fde855f8e6700f585bf2d3724781ba1141ddc4bbedff7144773d060cd81f07d4a7432a33118a4318c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcba00d32d169849e3f799517d33f779

SHA1
ec7c3ab4c311f8c58e7ae2e816033f577d1d3f68

SHA256
ecd2be4247fa8be1c90b01ff973c2a1c927dc0ce5987454228ac367de9d1429d

SHA512
ae7ce3fd8411d2bd0f9d03b81944e90112b6fcea24eb00c0c11b6f72b6f8dafe8adc233d0f17d4083ed3d96bd57d20acfe4f59b85457e73bc107af09d7e1ec80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6c4588fd82ca6d89e3e310d2ead9357

SHA1
78d8e1ef87302784bb13e28ca57e6a473c253ef8

SHA256
9264132985b7e7869887b8199ba286c4148603cc3a07772d0245a99498dc36c6

SHA512
b5b5b338f3918721b56dedbef4957b28d0ee6a8e5b526f3caa03f9b26554a972ee30609c8b32c1a2db2700558b256f8564d0d1957678f5569c15831fb5c53d9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2ca5ea8b5b610d2d5c8110dd567c5dc

SHA1
19f3e30878e384632f8428a0c2f2bd79cd4e8926

SHA256
47b4cb4243836949bbe2d2e91317e7916c010862cf4a766481ab1980c44c7916

SHA512
a61b4fc8023851d7f9023731b0dc7c9b56ccb71032c8184473cc6d533eeb92dda488bdbf4c766dd30c1e6aa8b827183f2914950c6e2628d4de5901cf69c7650b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5cbcc85e55fe7d065494ea5074403e0

SHA1
6bd98c27825d500f49316617532b3b828d852568

SHA256
0f5a46ec9dce2a10be4e869ba190eed664d9d47c40593b7d960169bd8b7312b1

SHA512
224707c619c264675b52755b942f5ad42731c2a44118e171b14a3267aaac00eb1be800981b623ab9c20462dabb920827b6991dd32a1dffefb171cde602909b65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be9b99bd5715149e472f799207c341de

SHA1
33fb1f10e99626398bfec870cec0147a1cbd1df2

SHA256
650612ba92527648bb14c1750368a057434606ec305a77d3670e4dce39ace111

SHA512
dba1c850e98728acd25689f1db7eb153f101913b101357967ff368245a90d049c94d63cb47453c7423d071978e3e7c29503e9a83a27a0c85dee991f63f48bf9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f949a2456c9867d8e8fc50247e5118f9

SHA1
dc96e941fc6d71645556e892b37d54f2c5a02bc5

SHA256
a92bc912f3a0d531891cd697a873892762929c44f79db9a56dceb22803f912aa

SHA512
ee50d3e286d1a6f4bab3bfdd8864473d5c06546a6de20d7fed707b2ec4b07888541803c7703d1433af6fb064a47956dce2126e9daaeeeabdf15101c5550ee509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0bd521458f6cbaebf062872d9c4cbb91

SHA1
75c4ecafc721cfa923014c1c71e6ac47734432d4

SHA256
fdcfe91e1a987a0c9057e2eb3e76b0a4c09a95b2af46eac1eac909d951f89a62

SHA512
5f22cf4f2318b836099a677664ef37c10ffd18f2197e5543e0d3529937f2b8a35c399d9b240929192a2f9c48e128d42da12d439b7c7e5a3e9700bb36d3d5160b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0d210cab36f3681882c5755d42664fa

SHA1
d2cb07b4e5535973ffa9ad06a3fbe717ead87274

SHA256
fdba56472f1855526efb7d7db7f81ddfc190fb8efd29a6a9c552710be344a924

SHA512
74e925353702616afba149216a0bf3b2fe78a4a2acba236ca12a0dd870f46e62370cd0c82b01e471c08ebb3b4e96044f7b12b3d4f219536d6d70cb35ad2beb46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9d17913a020dca7460c9291db55f97b

SHA1
bb12ad56394e601240cacdb20b5080c59419afbc

SHA256
df1360b752874a9487c060de5f539d0fc833cbd4261a84544e6fb3497cfdb550

SHA512
07eea0d508c00378b8f08e07dd5e44b44957c352a6d2d9d5bcdb4ca259806080296fc833a14aa9a9e7e5e7db203aea67ea098dae817ad3bed0660cd43c360c4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09fbf22768c7c4d979d1c8c210780329

SHA1
24e2ce7d76144a7029cfa9d26a7ba6c32035c837

SHA256
b017dcec3faf4d123a2376778d0b75e4c3bb981a9a3283a0ab1db7793cc187fb

SHA512
9df25059d5450a45dbfcc06ca3ca03509ee8f2d29d482ce147dc4a40956a55b44b2ab31ffd974399fa2e5d617400784961a0bf920c2736b18bae73f4aedf4b11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a5f37fda2e3dfec9ad115393a4f3c79

SHA1
2a8701a3a5a0b5a2ddbec02a8648cd1a077aa19e

SHA256
fa6d6722d78ae296dca65f380bdba253d1c42f793809eb2c14b87984a6f86616

SHA512
0ff48eea105dc9ebc142c607b3600805a5a7337f95a8d46035ee0a388ed10da69642c39b5545bb958dcb1cb3ab44be612ed1f78ce8cb9cbc744ea94220de0964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c413f540b5aca1f61f4ec33c952bc68

SHA1
bed8a488aa30783aa578e0b7737eda566ff5c4bf

SHA256
3ad2fdbc831df3c323bdf9d3b083e3fbaed4b95f830b1a62518b904eee87ac1d

SHA512
1b0cb847cb40964a51a25c085caebc3b27e889729fae9a8c7820d44f714d4514c8ab7159f43db78744c09ded3da0c215f2749bfe6433808132d1da28db54fb43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
939c88ca77c830e26df124c377ad6dc6

SHA1
cbaa59b8a9af42f7315324ce007fdbed5bb6e3eb

SHA256
977e47ba56de23181a89a0c6cf8bbb6e5228bd302a2cf8c5ccbaf61654981d0e

SHA512
2b1aaecaa032cdad0fe71099b12727cf1daeb9411ddc7147472f7966aaa61404c98ba7102cc2655fbac9086b7e02cb2ae00944d6a79d78bf7f9b1bdb117a0b46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca943d79fc7d7bfce212af9ab96b2cef

SHA1
fc717f752cfddfcdb91561ea53011c7b21af8681

SHA256
880046eedcc10f946af8dd6a4f227223d9aab1c90f015c8375d6ecaed8bcc54e

SHA512
5d41b84f733824d6a5da54bf8a9e35f1c2b06d572fc387752c9328c898a53911d201e490145438c25d0676ea8da5f06758f84e57761960130cad3db2dce9439c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
427102f68d0dc75a6e1f76e0ae490494

SHA1
c2b10166b11a3756b61811aba2de086a55e32f04

SHA256
dac9e238362492dfaa84183b16cd4cf912a3278ff24306ea51ecf3330c92e9cd

SHA512
f2ccca4bba1826cfa9ff55b0d590c668b482a68d1f3ac3dc5b9d6287370d9cb6f4e185ad91676de7d0e3353121b60257aa77f1da7b25b23d0c5cae6f84f8356c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b7c2244581259accabba52dfb4acd98

SHA1
19151c62ce165d68f92651d34b2da5f05db7187a

SHA256
92d3def66f0f613ce0a4b5cbb0f1053b87d2288cfe46a7602fa55d6cb25d7f77

SHA512
87f73af60c4558d33f306c2e8547fdd3e8d6f5ae02ebc9fd6fdb07262ff43ddae71e2f82399081a5579205e2b8997ec54e0328c749c08295d38de89f515e0a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d1cf5c9bb9a10e3e015234aa3443f95

SHA1
4e958e36c4b7a2d5e870093768e6067e131f32a8

SHA256
8481e0296eca23e3306228984b05440790d0a5655c5233940d121061d44b5e7e

SHA512
0b31a0221ee121324f2ffb2fa943e4655d1173ddcd0fbaedd7474083d6b248a91c1b1f17df82d45d31ce4dc6dc5884432e795847906668b10a6089331ab2a87b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f4916c90d69aa8f6cd4e8ac14db02e1

SHA1
c6573e8e19b0e4b93440243090ed8bd08c3de991

SHA256
675b7c044dfafec21d1444b55448994d51368e4fd6af2fded91240e46482d473

SHA512
6f8302de6ee3668863ea9278d11d183b38f7d9fd234fbb8a75c9dfd264dd7a5d68079abc42181ef2ee577eefef7cc5336397a7478c37e0a5fbc78ba5377c611b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07b937fed9f41910ab4b665746410bfe

SHA1
389177f8c6630d7fc2af1acc696943bfddb11484

SHA256
588b9749acee40561e9332b7c65ce84fa3a813d61e9a1497deef05aaab65734c

SHA512
c65ebc3eceb64d498fd2f59da69a7d90b0caaf533577ac8c31ee2361b2098388996062cc6e5969216636bc047d2f3966f2e777b75a4c8a19f3c9621806bc6c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab81AF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar81C1.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/2740-549-0x0000000008390000-0x00000000083A1000-memory.dmp

Filesize
68KB

Download
memory/2740-1031-0x00000000051C0000-0x00000000051D1000-memory.dmp

Filesize
68KB

Download
memory/2740-506-0x0000000004F40000-0x0000000004F51000-memory.dmp

Filesize
68KB

Download
memory/2740-510-0x0000000004F40000-0x0000000004F51000-memory.dmp

Filesize
68KB

Download
memory/2740-509-0x0000000004F40000-0x0000000004F51000-memory.dmp

Filesize
68KB

Download
memory/2740-511-0x0000000004F40000-0x0000000004F51000-memory.dmp

Filesize
68KB

Download
memory/2740-512-0x0000000008320000-0x000000000832F000-memory.dmp

Filesize
60KB

Download
memory/2740-516-0x0000000008330000-0x0000000008341000-memory.dmp

Filesize
68KB

Download
memory/2740-520-0x0000000004F40000-0x0000000004F51000-memory.dmp

Filesize
68KB

Download
memory/2740-522-0x0000000008330000-0x0000000008341000-memory.dmp

Filesize
68KB

Download
memory/2740-519-0x0000000008330000-0x0000000008341000-memory.dmp

Filesize
68KB

Download
memory/2740-523-0x0000000008490000-0x000000000849F000-memory.dmp

Filesize
60KB

Download
memory/2740-527-0x00000000084A0000-0x00000000084B1000-memory.dmp

Filesize
68KB

Download
memory/2740-531-0x0000000008330000-0x0000000008341000-memory.dmp

Filesize
68KB

Download
memory/2740-533-0x00000000084A0000-0x00000000084B1000-memory.dmp

Filesize
68KB

Download
memory/2740-530-0x00000000084A0000-0x00000000084B1000-memory.dmp

Filesize
68KB

Download
memory/2740-534-0x0000000008350000-0x000000000835F000-memory.dmp

Filesize
60KB

Download
memory/2740-538-0x0000000008360000-0x0000000008371000-memory.dmp

Filesize
68KB

Download
memory/2740-542-0x00000000084A0000-0x00000000084B1000-memory.dmp

Filesize
68KB

Download
memory/2740-544-0x0000000008360000-0x0000000008371000-memory.dmp

Filesize
68KB

Download
memory/2740-541-0x0000000008360000-0x0000000008371000-memory.dmp

Filesize
68KB

Download
memory/2740-545-0x0000000008380000-0x000000000838F000-memory.dmp

Filesize
60KB

Download
memory/2740-185-0x0000000004B50000-0x0000000004B61000-memory.dmp

Filesize
68KB

Download
memory/2740-553-0x0000000008390000-0x00000000083A1000-memory.dmp

Filesize
68KB

Download
memory/2740-502-0x0000000004F30000-0x0000000004F3F000-memory.dmp

Filesize
60KB

Download
memory/2740-555-0x0000000008390000-0x00000000083A1000-memory.dmp

Filesize
68KB

Download
memory/2740-168-0x00000000049C0000-0x00000000049CF000-memory.dmp

Filesize
60KB

Download
memory/2740-62-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2740-31-0x0000000000400000-0x0000000000FFA000-memory.dmp

Filesize
12.0MB

Download
memory/2740-4-0x0000000010000000-0x00000000101A0000-memory.dmp

Filesize
1.6MB

Download
memory/2740-2-0x0000000000400000-0x0000000000FFA000-memory.dmp

Filesize
12.0MB

Download
memory/2740-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2740-0-0x0000000000400000-0x0000000000FFA000-memory.dmp

Filesize
12.0MB

Download
memory/2740-184-0x0000000004B50000-0x0000000004B61000-memory.dmp

Filesize
68KB

Download
memory/2740-180-0x0000000004B50000-0x0000000004B61000-memory.dmp

Filesize
68KB

Download
memory/2740-183-0x0000000004B50000-0x0000000004B61000-memory.dmp

Filesize
68KB

Download
memory/2740-988-0x0000000004EF0000-0x0000000004EFF000-memory.dmp

Filesize
60KB

Download
memory/2740-996-0x0000000008390000-0x00000000083A1000-memory.dmp

Filesize
68KB

Download
memory/2740-997-0x0000000004F00000-0x0000000004F11000-memory.dmp

Filesize
68KB

Download
memory/2740-1007-0x0000000004F00000-0x0000000004F11000-memory.dmp

Filesize
68KB

Download
memory/2740-1008-0x0000000004FA0000-0x0000000004FB1000-memory.dmp

Filesize
68KB

Download
memory/2740-1017-0x0000000004FA0000-0x0000000004FB1000-memory.dmp

Filesize
68KB

Download
memory/2740-1019-0x0000000005150000-0x0000000005161000-memory.dmp

Filesize
68KB

Download
memory/2740-1030-0x0000000005150000-0x0000000005161000-memory.dmp

Filesize
68KB

Download
memory/2740-552-0x0000000008360000-0x0000000008371000-memory.dmp

Filesize
68KB

Download
memory/2740-1040-0x0000000005230000-0x0000000005241000-memory.dmp

Filesize
68KB

Download
memory/2740-1051-0x0000000005230000-0x0000000005241000-memory.dmp

Filesize
68KB

Download
memory/2740-1052-0x00000000083B0000-0x00000000083C1000-memory.dmp

Filesize
68KB

Download
memory/2740-1061-0x0000000005260000-0x0000000005271000-memory.dmp

Filesize
68KB

Download
memory/2740-1073-0x00000000083D0000-0x00000000083E1000-memory.dmp

Filesize
68KB

Download
memory/2740-1072-0x0000000005260000-0x0000000005271000-memory.dmp

Filesize
68KB

Download