Analysis
- max time kernel: 300s
- max time network: 223s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2023, 01:38
Static task: static1
Behavioral task: behavioral1
- Sample: 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe
- Resource: win10-20230915-en
General
- Target: 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe
- Size: 239KB
- MD5: 3740f9e5ed7e48041efa02b0d79024b9
- SHA1: e775e9c03e558d784a4d190172028c897a070628
- SHA256: 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d
- SHA512: 61fdb7e0e41514424d22561633da1b7a5bdbe7b9e30842bf6d78e8ffa643a32a51d3d892a911640d807ace9e7c17958523aa0d32e0e33035634f3a93a1fd3f3e
- SSDEEP: 6144:Kv46fuYXChoQTjlFgLuCY1dRuAOQY2mAw8y0:KAYzXChdTbv1buSmAw8y
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2: http://77.91.68.29/fks/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (1 IoC)
- pid 2312, Process radusdd

Suspicious use of SetThreadContext (1 IoC)
- PID 2224 set thread context of 2132; Process 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe; procid_target 28

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- pid 2248, pid_target 2224, Process WerFault.exe, procid_target 27

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, Process AppLaunch.exe
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, Process AppLaunch.exe
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, Process AppLaunch.exe
Modifies Internet Explorer settings
- Registry keys under \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer created, and values set, by iexplore.exe and IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2132, Process AppLaunch.exe (2 entries)
- pid 1272, Process not Found (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 1008, Process iexplore.exe

Suspicious behavior: MapViewOfSection (1 IoC)
- pid 2132, Process AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeShutdownPrivilege, pid 1272, Process not Found (3 entries)

Suspicious use of FindShellTrayWindow (8 IoCs)
- pid 1272, Process not Found (6 entries)
- pid 3040, Process iexplore.exe
- pid 1008, Process iexplore.exe

Suspicious use of SendNotifyMessage (3 IoCs)
- pid 1272, Process not Found (3 entries)

Suspicious use of SetWindowsHookEx (10 IoCs)
- pid 3040, Process iexplore.exe (2 entries)
- pid 1076, Process IEXPLORE.EXE (2 entries)
- pid 1008, Process iexplore.exe (2 entries)
- pid 2856, Process IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (35 IoCs)
- PID 2224 wrote to memory of 2132; Process 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe; procid_target 28 (10 entries)
- PID 2224 wrote to memory of 2248; Process 66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe; procid_target 29 (4 entries)
- PID 1272 wrote to memory of 2832; Process not Found; procid_target 32 (3 entries)
- PID 2832 wrote to memory of 3040; Process cmd.exe; procid_target 34 (3 entries)
- PID 2832 wrote to memory of 1008; Process cmd.exe; procid_target 36 (3 entries)
- PID 3040 wrote to memory of 1076; Process iexplore.exe; procid_target 37 (4 entries)
- PID 1008 wrote to memory of 2856; Process iexplore.exe; procid_target 38 (4 entries)
- PID 1364 wrote to memory of 2312; Process taskeng.exe; procid_target 42 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe (PID 2224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2132)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\WerFault.exe (PID 2248)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 52
    Signatures: Program crash
- C:\Windows\system32\cmd.exe (PID 2832)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3997.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 3040)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1076)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275458 /prefetch:2
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 1008)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    Signatures: Modifies Internet Explorer settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2856)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:275457 /prefetch:2
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe (PID 1364)
  Command line: taskeng.exe {93D10484-F2AD-41EA-AEF0-78C95D3D35BC} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\radusdd (PID 2312)
    Command line: C:\Users\Admin\AppData\Roaming\radusdd
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads