Analysis
- max time kernel: 300s
- max time network: 300s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2023, 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe
- Resource: win10-20230915-en
General
- Target: 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe
- Size: 240KB
- MD5: c99ade101a406e968eb527b7bb77d008
- SHA1: 58b3eb540ec766bc3c4ab0003d842b176318afcd
- SHA256: 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30
- SHA512: c75426e1da47575f0e6e74ecf5662443aba744876505d634eca6e2647643c8f5288cb21ce7750ef9053da1bfab66706aa223f1369f149f9a93bad5150bd6cd64
- SSDEEP: 6144:/f5frpxdonyq4zaG2u5AOieKW1l7fquqp:/Jrp0/9u5Mex1lTquqp
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2: http://77.91.68.29/fks/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Executes dropped EXE (1 IoC)
  pid 2316, Process hdtsiiw
- Suspicious use of SetThreadContext (1 IoC)
  PID 2332 (2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe) set thread context of PID 2128; procid_target 28
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 2844 (WerFault.exe), pid_target 2332, procid_target 27
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (AppLaunch.exe)
  Key queried:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (AppLaunch.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (AppLaunch.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2128  AppLaunch.exe  (×2)
  pid 1212  Process not Found  (×62)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1276  iexplore.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2128  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeShutdownPrivilege  pid 1212  Process not Found  (×3)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  pid 2996  iexplore.exe
  pid 1276  iexplore.exe
  pid 1212  Process not Found  (×4)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 2996  iexplore.exe  (×2)
  pid 2480  IEXPLORE.EXE  (×2)
  pid 1276  iexplore.exe  (×2)
  pid 1956  IEXPLORE.EXE  (×4)
- Suspicious use of WriteProcessMemory (35 IoCs)
  PID 2332 wrote to memory of 2128  (2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe, procid_target 28)  ×10
  PID 2332 wrote to memory of 2844  (2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe, procid_target 29)  ×4
  PID 1212 wrote to memory of 2812  (Process not Found, procid_target 32)  ×3
  PID 2812 wrote to memory of 2996  (cmd.exe, procid_target 34)  ×3
  PID 2996 wrote to memory of 2480  (iexplore.exe, procid_target 36)  ×4
  PID 2812 wrote to memory of 1276  (cmd.exe, procid_target 37)  ×3
  PID 1276 wrote to memory of 1956  (iexplore.exe, procid_target 38)  ×4
  PID 1316 wrote to memory of 2316  (taskeng.exe, procid_target 42)  ×4
Processes
- C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe"
  PID: 2332
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2128
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 92
    PID: 2844
    - Program crash
- C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\276E.bat" "
  PID: 2812
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    PID: 2996
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
      PID: 2480
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    PID: 1276
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:2
      PID: 1956
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9175621F-EC96-4FE4-8384-E9EB3DCD2CFB} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
  PID: 1316
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\hdtsiiw
    Command line: C:\Users\Admin\AppData\Roaming\hdtsiiw
    PID: 2316
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads