Analysis
- max time kernel: 301s
- max time network: 283s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2023, 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe
- Resource: win10-20230915-en
General
- Target: a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe
- Size: 240KB
- MD5: 600148d1ad2c7324ceb21a54d0d04b79
- SHA1: 65f42d3291e39faf05712c2187cfb6f4b96bd0a8
- SHA256: a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7
- SHA512: d60eddd946b46b24d760a6b625f2425dbb3f2e973cd3aafdddf3ce69ddde77127314a601751b079687036b94b95f133dc5ee27dc01cf22d7b2aa6061cfd9e7b1
- SSDEEP: 6144:xM5frpxdonyq4zaG2u5AO8eK0hJYPP8quqp:x6rp0/9u5eelh80quqp
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2: http://77.91.68.29/fks/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of SetThreadContext 1 IoCs
  description                           pid   Process                                                                 procid_target
  PID 2936 set thread context of 2924   2936  a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe   30
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Program crash 1 IoCs
  pid   pid_target   Process        procid_target
  324   2936         WerFault.exe   21
- Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description      ioc                                                Process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   AppLaunch.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   AppLaunch.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   AppLaunch.exe
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses 64 IoCs
- Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  pid    Process
  2728   iexplore.exe
  2884   IEXPLORE.EXE
- Suspicious behavior: MapViewOfSection 1 IoCs
  pid    Process
  2924   AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  description                  pid    Process
  Token: SeShutdownPrivilege   1368   Process not Found
  Token: SeShutdownPrivilege   1368   Process not Found
  Token: SeShutdownPrivilege   1368   Process not Found
  Token: SeShutdownPrivilege   1368   Process not Found
- Suspicious use of FindShellTrayWindow 8 IoCs
  pid    Process
  1368   Process not Found
  1368   Process not Found
  2728   iexplore.exe
  2224   iexplore.exe
  1368   Process not Found
  1368   Process not Found
  1368   Process not Found
  1368   Process not Found
- Suspicious use of SendNotifyMessage 3 IoCs
  pid    Process
  1368   Process not Found
  1368   Process not Found
  1368   Process not Found
- Suspicious use of SetWindowsHookEx 10 IoCs
  pid    Process
  2728   iexplore.exe
  2728   iexplore.exe
  2884   IEXPLORE.EXE
  2884   IEXPLORE.EXE
  2224   iexplore.exe
  2224   iexplore.exe
  2080   IEXPLORE.EXE
  2080   IEXPLORE.EXE
  2884   IEXPLORE.EXE
  2884   IEXPLORE.EXE
- Suspicious use of WriteProcessMemory 45 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2936
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 3036
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 2928
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2924
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 112
      - Program crash
      PID: 324
C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C265.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2564
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2728
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:340993 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          PID: 2884
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2224
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads