Analysis
-
max time kernel
300s -
max time network
273s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
25/09/2023, 01:40
Static task
static1
Behavioral task
behavioral1
Sample
a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe
Resource
win10-20230915-en
General
-
Target
a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe
-
Size
239KB
-
MD5
0348be358634721b3e45577d6af48f6e
-
SHA1
bb5058816e30a198cfb2bee310ca9f2655bb67d5
-
SHA256
a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165
-
SHA512
8cfb271df4e42c9c71d853c9cadd04d594da5cad5b3ec01d8ba31ae2ea9e761a45a11629c42c023d8f1958cb0cac60db370bb49a7e5098b96ea27e8294f43820
-
SSDEEP
6144:YP46fuYXChoQTjlFgLuCY1dRuAOmVGbKw8y0:YgYzXChdTbv1buEIKw8y
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2156 set thread context of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2792 2156 WerFault.exe 27 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8CF5231-5B44-11EE-A4DC-56C242017446} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401768017" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0030d9f51efd901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000af65637551e5317c28a41d1951148a02df5a8dfbbceda843ae5ea140c257b467000000000e8000000002000020000000d68099952a36623676f0ab92c592bf3c52d2ed3d7d47c21bda993566e20c9c1f900000006febd571331a789dbd4fe09779e3f0f3fda0abbff8fd2739b30f77262bf38948139b4e600193837577b4de73393dd52ceec3efdea57526714d7c23a3df73710d3dd009122fe75662b143978e0538d2f5b8b93b670946371fc92d97798a193802725dd531c4ebc8c50eec15cb54c6b32d57a110d810fd8981e00ca545d25d6426c33c5ad8c8790a4367e7dd8eac20994e400000003c22a8a944b3fef7c5fc8c75fb162d3ac80e4b238f7c747dfd005e1e1d048d21f89adb360da6e1e16dfac17cfcf32bf0bc49e3f9cb201a73f9c2003af43f8f3b iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8E71FF1-5B44-11EE-A4DC-56C242017446} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000003fd5a4899a1044f2002f787485e855cc88660e4d6176f6b1657fcee48eb9f314000000000e8000000002000020000000b2ec12e7f2d0e05ba65b0b66706f321d11872f05ae28745f0ebecf4bb605bf4d20000000d23d13d42d52eb149d7664a6bbf663673de0eb1d1234a2c34c017e865c2a723940000000b4e5e5d7af298ec4ed099235ccbac099c177f0d1fe27ad758a7b31803aff4a152df76fc0867d19a5f4d26c9b5288a20c1b59c07c8d67af30b27a0da17c271ca9 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1228 AppLaunch.exe 1228 AppLaunch.exe 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2188 iexplore.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1228 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 1236 Process not Found Token: SeShutdownPrivilege 1236 Process not Found Token: SeShutdownPrivilege 1236 Process not Found -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 1236 Process not Found 1236 Process not Found 1708 iexplore.exe 2188 iexplore.exe 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1236 Process not Found 1236 Process not Found 1236 Process not Found -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1708 iexplore.exe 1708 iexplore.exe 1104 IEXPLORE.EXE 1104 IEXPLORE.EXE 2188 iexplore.exe 2188 iexplore.exe 2848 IEXPLORE.EXE 2848 IEXPLORE.EXE 2848 IEXPLORE.EXE 2848 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 1228 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 28 PID 2156 wrote to memory of 2792 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 29 PID 2156 wrote to memory of 2792 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 29 PID 2156 wrote to memory of 2792 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 29 PID 2156 wrote to memory of 2792 2156 a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe 29 PID 1236 wrote to memory of 2676 1236 Process not Found 32 PID 1236 wrote to memory of 2676 1236 Process not Found 32 PID 1236 wrote to memory of 2676 1236 Process not Found 32 PID 2676 wrote to memory of 1708 2676 cmd.exe 34 PID 2676 wrote to memory of 1708 2676 cmd.exe 34 PID 2676 wrote to memory of 1708 2676 cmd.exe 34 PID 2676 wrote to memory of 2188 2676 cmd.exe 36 PID 2676 wrote to memory of 2188 2676 cmd.exe 36 PID 2676 wrote to memory of 2188 2676 cmd.exe 36 PID 1708 wrote to memory of 1104 1708 iexplore.exe 37 PID 1708 wrote to memory of 1104 1708 iexplore.exe 37 PID 1708 wrote to memory of 1104 1708 iexplore.exe 37 PID 1708 wrote to memory of 1104 1708 iexplore.exe 37 PID 2188 wrote to memory of 2848 2188 iexplore.exe 38 PID 2188 wrote to memory of 2848 2188 iexplore.exe 38 PID 2188 wrote to memory of 2848 2188 iexplore.exe 38 PID 2188 wrote to memory of 2848 2188 iexplore.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe"C:\Users\Admin\AppData\Local\Temp\a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1228
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 522⤵
- Program crash
PID:2792
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\3E19.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:340993 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1104
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57aeee0c16137eebc376454dc3472deb5
SHA1ffc8d9a38da53dc3d50617c1bb888592e23fe0e9
SHA256b9e97724e4c28078784aa9240ad13c0e90ca62ddea2ac871a980f0f6fc281cea
SHA512ed9cc4703a5814cf80eae149f2372b3d373646a5c1f8dabaca4ca599c8b5ecb03d809194b24d79c2e1912306990462883dc00390bbff7212538ed8aba1842e3c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d79d1720238bf557b5febca983fa625d
SHA15887ac907e737ed1ff5534a62a7e484fec05cd9b
SHA2566c0c6caf6c4035385a2418e3e4e8b39ab7d1539e0af804e521a858e0f67061e5
SHA512cf8f503d24c039609b3b6776eae94bea60be2b700e5d91aeba38df48998fd424a008c9cd9dbdf52341d051d03f3defe6959d48f30a8d548498558e2edf479b70
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51b21979ee863b03c85711b91a8b904ea
SHA132825acc84dae7cec5fefb0b4b01eb69a8187f24
SHA2563fbd86d26b414df7f11fbefb9f43808ddf68942e98fb155ba30c8576c58d0a40
SHA512a118f58b52b4f9ba6a75df97ac24a1b313cfa266b7ad652508741b20d906834b6bf4984d2156ebb50d04ca5971120dcea998f17ad478d22a37e2f549ae823eda
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50cc08271a223304cc132459cf12f5965
SHA14cc0807b739adbb2507f0b6e2cf6591b386978e9
SHA2568c675765def0b3b5eb15fecbd25182779d5b3897675c7d9b795f700893735abf
SHA512f67b83f803c985b48854cd359b811ba167c3d44643e3cfe02b5e9ca23a873b73f9d9d1133d7910a06dd989847bd6589dc41484ec9ce0ada24006218c664816f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51897d382951101c78863b52ab45dd96d
SHA1e53eb0c67122b41b549e820d23e31ff7adf672d3
SHA256a6f5e09738cba6fa1f8883ab6eefd075f60d715274c8bc2fd6e883e297291ccf
SHA512827e4e140b46f8e7db3879ba2bcf5662caf80a334e8fff76fec78d737a2e969fc9c789a83050bf18a9c26154ec53c71d2eaddd7dbdae304e9d338158f812a296
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b9c6b80a8b6c91f4a18f658e19dacf2b
SHA1c4a86bbf09de0cbc983251d42af2718ee7ef9d57
SHA25669086842b8d74401123bc9c41c28a005543b9ca9c31d3560afb964d1c569f992
SHA512c44493f86020138cb4b6f7afb7a37f10131de066755284a8674af735fb35280733b7b82da3543da608ac4732a6351d66bdc7adf0eca0861f0a6e7d9bb23a0c22
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53a8168fadb948e91cf862e7588cf3c0c
SHA1b72451226a105eb0a897282cb38874e3a98de8c8
SHA2568a27a28dbaef08f4c6d864a56d27f70cb5a31dfe7daea937e8afbbbbf491cfb3
SHA51206d7ae617d5e0a7527e45afdbfebca2cd35f495c54defcb2539d62b4d8fdc1e1c8181f737aded0f8194fb1ce86b7d05d5b7788405a390d778024392d3b79fbe3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51c88f881a26758885bb1493819f29149
SHA1d9edb46129cf97e5a6200c3cef79af2203b5b274
SHA256a5c7cf263bcc7a2acd7a713be90dd35fc8df2408e55ff0c04f4c842a43228e67
SHA512a3ef51caeb7548a3797b91dcbeff96a86f74ec9bf96ad31593921fa858796c881d0f961dd19e171957f51ed0e1bf3684d3ccae7d68de2f070307df16674b0596
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD566a045faee36e8c30e9aad42c85b5e05
SHA137e6ef315d46c3fda7ebbbaf3f6aeeb549dd25a0
SHA256d141b1c9eb23f4cb9ed8a1bc362aed18aa23f29bb15ed1ccdc1eccaf3a179679
SHA512f062a82016d87ebeb56ce4b504a18f3a4e8a7f411b38720f25c286dedc32f32f531f00d9a74032dceba54abdbd4f076b50305cbefd93a21c250b0504caeacf85
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f13e48df87f3979384e782bf4dda43ee
SHA11b56430260ff27609effb95b9cd2a973b84025de
SHA256a7974adba84604dc4bb4b3f078454faf2407bce9054214fe4c93eacdf19e0026
SHA512be3323e39e4db1741ab55042e69620f03c828c9c8e91a414d03c2c7c651c3c7bb44bbcb38d1582089f04777d76213cab8430e8279d3bdd54eab504119da2c5b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD58c06188eb6c553a9a7cae94b392d2e69
SHA1c0903db3a5d60369f899c010e0d59830212ed70e
SHA2565116a9faf8adb13457f1def8b1be92faae7d4eba189e70decb5c228e267d97de
SHA51262a048eb2d2dc67600cde8002639e73b5add85d9e04166c5f55afa78182bf98e525071a52ed630e670b5d72097b4249a862cc58fba3c78b28bdb96dfcf9486d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52360f9306e0b55ed3f8ec9df7bce1ef2
SHA1a1fbaabafdaf31f98ff9fbbd8d2c66fd72174847
SHA256592fa0a84141507c1b1c424a4fa5a4399c1a7c114e1d83df29c557125f3b429f
SHA51275c7bb9fdfe3e49f8bf5e9eb0224a7eb037f982e6f8ba3a974b34b126ddc6b8f399a7b399face1d20cd95fc3f7320b8c24971984c4bad1012953252b23d1bcf8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5efaf7558a412aece5571b0f3584346cd
SHA13e3796cc29d555b0c74df1d20a53c1cccefb84db
SHA256a64a309e0b5d623ebe5794a2e7738e0b57bdb703134f3008454fcc8a55a62fd0
SHA512428b662379724a73e11ecb5646d5d62f52b1e2f44325eaf95cda59fba49c561b17db54a18631e255d7cdc683ff5c5866da8260249487fb962318c8369c73a3a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD567107785a586b7f9688c529ef93b2857
SHA1b4433ca650c1fba0c2d7eaf4abcca7f70681e1d9
SHA256f4864ade9257ede5eaf69846eaa7b8ccb5c9475ee94108cdb5ae432ad15d548c
SHA512d76b9497c84121c4aa64aa61df7c10cd973ad7d79345ce78b9835c385bd4ebf1f84ae45d666a06ef731f69d29a6bd6a9f9839c95c520d10db153b8e5198cc0d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD592d29ff68d5f1181639ce36cc77eec51
SHA1d5808ff37d3aeedf40bcbaec36237785aca689d2
SHA2563d1bef4d12c7fc644bce6bc56c9ff031e8b5ba8f005e631b03524d69d3acc200
SHA5121c27d729fb8ffa54d150cc857f74c9a7cf44117c3e8c55f29aaf08891cbea06e4b9537ab4fce032947858e1d1b5a8b25540ff6d7f4bd84edaecb4faecf9230bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53a58d33de8d91ee3432a45151622bdba
SHA10f50364bfc6fee534dd50f7cee68ac074d15a35e
SHA256db44e13383bb920655ea08dbf4b27cb89411fcc6856bfbc4d1ea990efeb4f236
SHA512eceaa6edbc1adbaa328d0ee9897d7a8c0385db907d3cd4ace959d911688eeef9eff31de512b965e81386e9ecc6f27c412b3c177c1f82186272d3926513726649
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD555dfa623ce45c4fa85aeca1de14b8252
SHA1a2b9bb82c847df264a87c0d16c6795cbef414eb6
SHA2566db17f86e19f9333b9f42af0667884c1520ccde28c334ed1856153321e402ec3
SHA512d2160217da588023ab7a9abb023221b3dfce325e6304fcd45bf83a059619a01457ae83a39235688a5fb95a3e8611e4c8eb83cafcb13b53e8f0e662b571cfe608
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55b5e73c715112ea123767d66176e88bd
SHA159feec12090784af3b53962c462a6b9e108b42a7
SHA256b9a7675f2205f5d52d900b96683a52ef3551b2273366ff7d7bce3c9580c755f1
SHA512d0c9e580268dcf2b3640fe0fa78e60174a045bd1c890cf7f7ae23f453a8ed0891a9e4b9371c96b1f924646048163be592b5cc19492c07db13aedbec947a165b7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD58373335cc45cc491717938df1b60213b
SHA10fa7b0341158c71ccec6ee023d310b17d408614d
SHA25686c3c7fee72bc9fbb8d92d6394ec7bfc81c3d12880b2989db08e041c6dd1162b
SHA51206a1a153e281c5678255b07def2aa59bae386cda023cf465f1779e4f3da492b5d16fbf4ead19d7da160a53744e01b9f554af5fcbbcbf411917cf28ae53dc4a86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ee403b89c884ac34c56e9be5277f45c4
SHA1c9e80cd3a14eb3eee8802aa2dc648bcb7ba6080a
SHA256163f35cf37763965aa354fcee53dc3847edfbc4fe5d4f2f18ef75a746a99affb
SHA51207ccf9ed8d26cb220f215e8fb12ce23624eaabcad7bb7cef4a1f8ea1109db535d53ec52a678f2bd3dcfedf57f2f8aad98e748911f4279a460b4bcc414a82426f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5af2818bf7e97160ea396397d651f427b
SHA1bc234b10595ef4561221ff049891979c21331c40
SHA256077173232864cd223f075fb21419fa3534dcd0fa441d696bb7af6a3d8b28f901
SHA51274e75c68304e2cdc05108062eb4ade7620e434c9a89e27ee214687db0fa17e08664e3eb3386cf9b81bcccb8a626f4e82f139e01750978cab0f2382b76859901a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5809d3fe78a5ee5016e9c92a1f22ea2d5
SHA11327acd2494883c45fd07efe7080932bcf6a5671
SHA2565e9c70cbaf80c20172493cea4128e45fa980595686398b4804ed66652caa5497
SHA512796ad94527d5bf40926787d3a5412d73d475c6e2071001f23ea2c7abd31bc54aabad11dd276c5886c47a1ce2f4d0b3ba9ef372f541564cc0fce0dd6882921f82
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C8CF5231-5B44-11EE-A4DC-56C242017446}.dat
Filesize5KB
MD5da12186384005b69be8ba7293900aeac
SHA13b01db2cae06e1ef094c40dbd23d4eb7ea825cc3
SHA2563bd063cc379db78a020c0fa06744d05eb61a39d87f6d640ccab16f5a9348c314
SHA512fdf24454da70a137681be9cb0d83ccff0307f1ae66fa4ba61f21a2027cf1ce98f79b3c053b2ef756f6545509744178cebf86dfe875cc9dd001c649a00479c927
-
Filesize
4KB
MD5a7613e8dc1ac4bcf4fc429166212f884
SHA130933fa850919edb53d0f9271259d71bcff6bb69
SHA256e2dc0783b26684094a7cd87ebddb68926201170a9e06d81a22f46c40a86eae8b
SHA512d3275e0ae97e22aec496f468cc8fcc5716ce53e275b8ddc86541cda797155a1e3b12fb07156affcca18a4b79a7d65c0458190b426fca186b4572787a3632a924
-
Filesize
9KB
MD5a76f8146005d182f43587c50c58d2cbe
SHA1d4969ed33a4f1a1e37108e40f61d5bab55d648d7
SHA25637e9faa6a17fed19736b148ae21ebaf17e91512660174c40a39b77404920d650
SHA512d64b061b19971f550827c1078896391b8906babcadc6cf5b7779862dd0e449185d1cf7bc8aeb65ea4720d072c8931b3685f584c6e3f05c594b3d352c6f20e029
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\27V93E5X\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO1NR40C\hLRJ1GG_y0J[1].ico
Filesize4KB
MD58cddca427dae9b925e73432f8733e05a
SHA11999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA25689676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA51220fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf