Analysis
- max time kernel: 300s
- max time network: 294s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2023, 01:41
Static task: static1
Behavioral task: behavioral1
- Sample: ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe
- Resource: win10-20230915-en
General
- Target: ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe
- Size: 239KB
- MD5: 4dda95005c2a31af0e82e806e6beaaea
- SHA1: 42d6ba14fa10768957c4512ad5f892b86a26e11d
- SHA256: ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01
- SHA512: 374d507fb60fd26b0e45f1c0d6a293ecfaf951da6cb369e05551b6757f11b4fba1e6e7127c11d111e4038f590d8e1cafb897b5a09087f229ee131ebfbf213fa1
- SSDEEP: 6144:UX46fuYXChoQTjlFgLuCY1dRuAOS7aE24w8y0:UIYzXChdTbv1bu/Ow8y
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2: http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1364 set thread context of 2132 | 1364 | ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe | 28
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2720 | 1364 | WerFault.exe | 27
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac2000000000200000000001066000000010000200000000f35d8178bc07c170d66815a73a45a81df404dc9705d8f6a0737ca0f1363cc7a000000000e80000000020000200000007169014053a97f6eb0162b40e0cf3a07324fd8b8e87435dfc211d969cd31c2d8200000009f4041b0f6c3c20de57be012e9410c018ccbb757286ddcc4f23ba89efcb286964000000042c75995cdfdde95f56ef83a9dac7034db447f3a01e1365a08f662a078a373419a236a110be7d57f4b77502c9f30b2f5c82f49e68b8375038e222cc847d2e065 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bb1fa551efd901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved in this copy of the report) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEFA83A1-5B44-11EE-8796-56C242017446} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401768027" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF125161-5B44-11EE-8796-56C242017446} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2132 | AppLaunch.exe | 2
1268 | Process not Found | 62
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1744 | iexplore.exe
-
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
2132 | AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process | entries
Token: SeShutdownPrivilege | 1268 | Process not Found | 3
-
Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process | entries
2480 | iexplore.exe | 1
1744 | iexplore.exe | 1
1268 | Process not Found | 4
-
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process | entries
2480 | iexplore.exe | 2
240 | IEXPLORE.EXE | 2
1744 | iexplore.exe | 2
2136 | IEXPLORE.EXE | 4
-
Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target | entries
PID 1364 wrote to memory of 2132 | 1364 | ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe | 28 | 10
PID 1364 wrote to memory of 2720 | 1364 | ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe | 29 | 4
PID 1268 wrote to memory of 2608 | 1268 | Process not Found | 32 | 3
PID 2608 wrote to memory of 2480 | 2608 | cmd.exe | 34 | 3
PID 2608 wrote to memory of 1744 | 2608 | cmd.exe | 36 | 3
PID 2480 wrote to memory of 240 | 2480 | iexplore.exe | 37 | 4
PID 1744 wrote to memory of 2136 | 1744 | iexplore.exe | 38 | 4
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe"
    PID: 1364
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 2132
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
    |
    +-- C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 52
        PID: 2720
        - Program crash
-
C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8E3B.bat" "
    PID: 2608
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
        PID: 2480
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:340993 /prefetch:2
            PID: 240
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
    |
    +-- C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        PID: 1744
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
            PID: 2136
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99
Filesize: 471B
MD5: c1481fcd5428e1e8013edc7621812724
SHA1: 8e86eadf871ca94477b0e469360502203eab3d97
SHA256: 9b9ad2ae252224803a2cc6f160d3305677ca54c8053008fd5b469574c42ac12e
SHA512: 364e2fc399239cc2db6dd9e1f93ca5fb4b482ffe8e1d2a05a2c81d3c1efde9ad2d51a693dcde9f1198a35fa1e0d6ed3b46048cb56ac3be34e9ceb40c4c389ae6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 24dd6ff8d263405894ad6617de400d06
SHA1: 4b7171f092d369eec3baeff79b1ed30b06d51c3f
SHA256: d582dc496389324c7448f29aacc1d95a0e1832647d8cda45fc25dc081fc170b0
SHA512: 6bb2c63f8f6ba6bb912426ddb63724614bd437f2da1798eaa686995ccaeb0ca9c5b10f6c3de5c14101cf36f427e0d48bee68cf90c4b275eee749b1e9bd3a7b6a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 5e2160d5462beb29d922a8dfb5977bdd
SHA1: daa45c9ab5cb6f20834830fe1c019d5562486fa1
SHA256: c69415b21b4624b8f8afa12b5dadbfcbcefa753702e451de30b52ab0668f474c
SHA512: 69e0a6194fa0af07285c905ff38aca5ed9edeb62fc92ac8ef5f7b7143c8dad44199d4ee1723d79162ce4f85e462c4c2549b8e20e70a3ed230175eb17e7fca027
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 38e28397bd8c9d2641eb1904ff7955d9
SHA1: bc1f1c09ebc26fef0325079c037795fd0a0f9e36
SHA256: 371c1e90c865e3cd698d1b01544686c9a29ed649a737b73742580b67031ab31f
SHA512: 4e08080ddafb3630cfe919d9385593bad1e81803b1ab305503a72adc948ff696c5f7b2d3f9e379109f09fcec523f8f23ec6536dcf1216ff6757f6f6527e90715
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: efc622e428f19697a14631ccb0c66540
SHA1: fa87367204d23dec11a788e2a518e4d05f208a8c
SHA256: 549a5d98423b808257f9e78c8d0b954e2b19031ace2f21126d0fc077ef1162a3
SHA512: 9cca0a3a6b7575c391487b82f9030958abc9e5d480f97c88a537815c83fae2e0e662336d84261b3886c65648bf2b6dcd9832baf9ca24fd9bb24f53705b3434f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 3dda9637433fe46fac945ee83a6a5da9
SHA1: c1a7873fc8d3070728d5c43a853d88bfc26d16ff
SHA256: f9334ce3bf3670f2f03fbb6202be47694e8e60f7e76e751f711b725559ec29a8
SHA512: c3b3a0a159b4426b1ef3e4dd5ab0d8ef038c26eaad64e4bfbb42ca2043558989d203d2fad7112c528d31fccc27e1d9a03c32210b8b66e8f55ec182afd6c93219
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 41d2e506f79c0b1308cf7227e18e3066
SHA1: 81bfc8c09e917fdb520c0c52b1327f53516633d6
SHA256: 5e57fda36831cb9eb145748229f6b91a526b9147290f075dd5650b4193291d6d
SHA512: e46a9e1d1b68560758be1693b159d161b6dd70f4d0db07c0d11771c3cfafa2cd38dfc8dcdb1c0be1158284d3f6287277d4959398bb0546cb65af01c8d195582f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 99de57ecc27308a3e466168965097b67
SHA1: 2ed07d06977a43713d3efa1975c93bc4e1d9a586
SHA256: 2bf897cf2c5c77ef0c25142f84ca16a75c86b92e63556b2090ce69e4dbd1952f
SHA512: 4e1c5caea5640f728985571ec2ae94ad1522076e406bd10e83a10d0d8f534a0ce2f141cae4cce8acb9de7ba84e7bc45c5051bac70d78d97e3e0818d9de653b8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: bf0663648599da11b83537966c2d4b99
SHA1: e8f9b7457dc5b4763fd79ee035c3f640b7130ae3
SHA256: f138715f770fa0b910b732e6412030163a834673525bb3e9a33c134a6e1a147e
SHA512: 85dc37e39e67d21ce44ef51066bf6caaf0f609d8dc213ad1201960b4912d39211de856584cb2b5ee238f5bba62cf6a9a1752be0eaf44c92e3d170e4b76d76211
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: b72bb48b4ef5d906d54861319d285ea3
SHA1: d78859d05513909f64aa3df471b8fd614d8fa4ca
SHA256: bbd171f6a706fcbd38fc822a2e9738c13b86d9cddc911b21671644f5e1d696f5
SHA512: 776a3baa99d967754d8a5f16d762916edc582fafee84e28be3ff39f768c8d62566d160ac346493d741e5b0e8715ccedad52058fb1925165b065528420f7c6b37
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: cda0e1a2859e73a6be1a0c24c7d5468d
SHA1: 5a016e9af51998a8fe735a1d41791526eb744c18
SHA256: 845a5e27a09426defa4b4f1aff3f6881655bdd739c13a53d665bdde4d41ef757
SHA512: cf868e490a205b2ac103e7982b71f2ec7fceeffefaa717d1c40379d3caed65fb6bd68cfcec05187e70fe7d4b47f573523f1eee6e895c970ff2614644465340eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f2a56ea4065f22a07d6add9a27d81806
SHA1: 78c970dda76172ae3023363d1411710286902b21
SHA256: 239a2a99211acefdc43c75367e57d8ac1afbd7e39dab3631a989263994f04fc0
SHA512: 707eea335020195245955939625b342367ea8236bd7d0da98b352bf49052b22c32df2edd52d8b7f2c139cdacafd2f91b762fb6dac8144cd08ab3bbbfe7b62b5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: a48656b951061897985e3900b4c55019
SHA1: b3094cd1d491ecd0c7ca68362d92d2b4b06fa885
SHA256: e705302995922f27c4c6f9c1ff52cc18f0f7319af27cb191314ba4ebba199d9a
SHA512: a15b112bfaf3b218d8d3909a96315cf584f28b0df2e32ab35ddbfedae0ce158aa3a30f155b2ac1b26a4380027ce7d4c07b97e32d6d63d5507c83574389ba001b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 94dae64a99274e8b5385768595ffbb4d
SHA1: b875bd99ab7a037b30339605e5907f00fda6c910
SHA256: c05470413451390e4fdf2698afe2545814709832df63cae3c1d3a77ca91ae6bd
SHA512: af31d6601b80ac457a06170b6062eed98b2b35dbaafd2678d4fa331e647f69219f105305c9ad4f206f501b9946d9c5a6e3d6e3ca2ef509ad376fe6790b15756b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 91831a141cf21979d40e579e7f538528
SHA1: 870bb0096828e8b3d914df10097709958119f434
SHA256: f42f2383299f239b9a10fecb3813fa714f71b6b16e4a1c74688c73a0a4a588f8
SHA512: 4330513d979c067e71154a606ad4dccf0c2ecdf4635e89d696008ef3707487e99bc3c7526c816925f2ef074d5f53f66169c7e19434b18901eb9228bf94ea4e8b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f9af5f19d1b9b49f13170db940b91651
SHA1: f4e4ff5d1ee50238c48419581f30e6e05d93eded
SHA256: 025b9af1678efbf80955ec596f5d0acba5a00810b9cc07c8a547d7c9d38837b7
SHA512: 55be2e31c8d5e85106b739afc1eeeccf2055be5dbf1713a54acaa314612784c7304fa763425592514968212011500e6c96cbd8f67281e8fc7d91444425585a46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d4fccce4fd604d74d41a32f09bd188a9
SHA1: 9240d7f8de59db2c9e807ff14b2e8458142c3905
SHA256: ed751f914e22166dfa5c30fd4c819dde70dcef4c23355b8078eb9b8627491dd2
SHA512: aff7e555dd630437da420681e4debfe6bf856a3d001425340063a558db5bafee8a688d6e85127d7db3a98e374d157bd23d2c4d96a8b976b6d8d5fec6101bf782
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: fcb649a25e5db0f0efd3100967eba0e6
SHA1: d7f5f01685dd055bbcf303ebcc0e2b3a25fcd456
SHA256: 9e9bfbd6211b5f298ecc267f9855d1ab93232a3e17381de9476a3db7026acf53
SHA512: c2f726fa6189dcd1bd317fd547ed8af36e8cc13a4babdc8b2e23732d3bc879fb5f4a245896e00e418a190f12a55c90047deb73a577a97f656a9aeedfb4ed49ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: b4a562bdb9f53a863108944c42820fa9
SHA1: 393ff105cc69598dd2e03c3dc58844e4cf1f9f6b
SHA256: a8dca69dd5b227d86cbc501284a216bb7cda75e71c51dd51654110c48678e1ce
SHA512: c46a0831545936244f78bc8c58b707175c5541692778b9bbd1b045d5e4b29b9c68b04db7cee7f6f056198ddfaee17cd72d55f0e3d7ea040cc1e6ff73bf22d994
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d8a90e48aed82e916245f54c0d8cb25f
SHA1: 7e0ccc2eea86ebdca177381973a5553a3c17155e
SHA256: 85b24c8177629543e38596405dd8b5b7778eb689213e0aaeca767998f6c035cf
SHA512: 9cfa8a63f2f7432fd2f8f4642f60ed86920cdfe05846ba006ab2c1381cc25f5563d0932c6b3072b6815f14c1ec252dda1c817f0e9955b6c7a3ca55c09ecc7d0e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d108aa593d5a894bacc3e9647ce948d4
SHA1: 144945eb105b04645915c1ee1af482b6f08a8daf
SHA256: ce083aafce06b6db3ceb5ee5b731a25075dca915af36fa84655540598522ab09
SHA512: 9705bef684f710d003b5e6cb2bf8e5167054a4f87a68be5598f95082c10b0a1a07c16532879274530a1990b5fe56d1915a9462ffbfa2be57183aa6f27f753393
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ac28ed37ab448193103204ac7fa47f58
SHA1: 2bd037e844415b4c7d744467b8ba8976b77fe6a1
SHA256: 5bb6459d2fce4cf435dc53b946527d49404ce999a3831d9b777909a908da993f
SHA512: aab9167352012eaa5f411c40d1db3be5b846471c6c80c30e4ced9292c16257ff4c2c5fa5722b3a4d6832379da520f3b3b50b8b2a76d0e00effc15575524c7512
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: b25308ed5ee0b33382ba72a4eb581b20
SHA1: 20c52a4b2d60082e0ba02fdabf96841e9d661539
SHA256: b0448eed65cae200374b2707df2f88bd893ef14eb5ea85f01d535d343fed810f
SHA512: ce1351b2d9b40d7dddcb083999e162f74c8d098dc84df1190c74aaccc0618c3be233bd7a7c6d819c22819d6f1c40464a52b8280ccdf8a2c040f7541b9fe1cbba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 615aab69dd1404a9a73646b08eb3a9d3
SHA1: 61331ad68404d30773ae571d6feacc2abcd01e05
SHA256: 6772aba6f0d51335468307bcc828ce6eb55cfaccc69dd0fe6540adab73e3243a
SHA512: 753bec87b124a1b4547307cabca683575ee19044f3589ed39a142d4d96b05a16fddb1c7abc9415c03695409fbe0da13408938a39c1b8bbbd6ceff4af777e351f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 4d2aa253a7d1b35913f3be46556e5e0a
SHA1: 5cf3f0f0e1a7eef5fa2313e1f85b22414d38e654
SHA256: 26ade97514c6e4514f1f3d4aab7e21d1526a7ed249745b163ef7d8ad0929f481
SHA512: d2936f35c1dd02a64a96855fd7b6492c7c31b55273fcfcd055d36dc9102efcefaf263470ef1e25f6d5b79b063adbbfc62c42089ddedeac0a3f5b7e2f01271afd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f6717371c6c0858793258dcb595a5fab
SHA1: 7da0ffdff394daa92c01e698bc7b479253f604c8
SHA256: fdfb8da9aabe2a2fc3c83fa0a2d4cc24d0aed4e121c4ad36b6fd0f97d498b36e
SHA512: 2f3ce57fe0cf785088c3aea610b046bb1555dbc58814c3f4e4c5bce48c31d264db3eea5d337974ad9f3a14901738130a9fea3266b615a26db2327445574b3d7b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99
Filesize: 406B
MD5: ade4454de25bfead035958e8877bae7c
SHA1: bc55ad51d4a4195696fc726ff3ad1e98f1b2e68a
SHA256: 7acbceac5a57b196d64728d9f3255f05569b0504b7ae5fd28c11d0bcaa7474d9
SHA512: dbc9be9469159188d7f92f470adcb86be87a314c1094e64979481bd86f3f742bed6d82445ad18352d783d5e5f5444b64bcaf0de728907b2d0ded3a062d81404c
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEFA83A1-5B44-11EE-8796-56C242017446}.dat
Filesize: 5KB
MD5: 2b1236448c8d9efee348f13ba20f310d
SHA1: 6931cd927e92dd952ce431da652a0be51522e68a
SHA256: 313f9dc1d885142d376f6e8c1ee515e0c32dd7f878aff1e34a7f101ab07262bf
SHA512: 90c8be822659229edb5d09e5900f248bbb358c8e8f3760e1bc065c4bfa63dede0627b4a41a0a36216c7e18d866bfbe58a40e5e58b073913ff9304b7813812cc0
-
Filesize: 4KB
MD5: b3015a7c3d17b0d498f6aa8ae9904b31
SHA1: 4cacffa091420c34a29ac7077f77c3d0e68cdc04
SHA256: 63006da87b7a09e30f1ef20c9344ea50ce73b61cb61d0d703c57186ec6f72e05
SHA512: 5fe47f608c1ee07372f4851904e02e532b46a538a8fed70bcda9f117c56871ad709f8c9d2477e6b2d5e1c01295976c39bb3ea69bc0c72ba6a8b35857ddd5ce88
-
Filesize: 9KB
MD5: 72c1242421fa40abc044e6a44f63050a
SHA1: eca2a3b4248644d529552f97ae126de3fcdfb0d2
SHA256: 7befbf163b3d5c498ad98c9fd9503e74a358bc59d79158845a958c83026a5b2b
SHA512: b5f48f1c26d23491b83b62f174a1ba946327311ebd47361ccc1076a486705f7d54f4058698ab986278ea6e0aaf7ae7b09e0238a5197a27e3bef4e58b764df9c7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABGWT92S\favicon[2].ico
Filesize: 5KB
MD5: f3418a443e7d841097c714d69ec4bcb8
SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DV38LGVA\hLRJ1GG_y0J[1].ico
Filesize: 4KB
MD5: 8cddca427dae9b925e73432f8733e05a
SHA1: 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256: 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512: 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
-
Filesize: 79B
MD5: 403991c4d18ac84521ba17f264fa79f2
SHA1: 850cc068de0963854b0fe8f485d951072474fd45
SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize: 79B
MD5: 403991c4d18ac84521ba17f264fa79f2
SHA1: 850cc068de0963854b0fe8f485d951072474fd45
SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize: 61KB
MD5: f3441b8572aae8801c04f3060b550443
SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize: 163KB
MD5: 9441737383d21192400eca82fda910ec
SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf