Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2023, 01:42
Static task: static1
Behavioral task: behavioral1
- Sample: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
- Resource: win10v2004-20230915-en
General
- Target: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
- Size: 239KB
- MD5: 868353e2d110b3d3c6c985b1adae7de4
- SHA1: ad9c3ae066279e2cd947f9c833a0f1cb4d182973
- SHA256: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b
- SHA512: 2553800d879530261d6a40ca535cf280e824bff878cd0e902b4841d419cdbccf519d71e1fe820a4b8772ffb82d045e92265aefe588d1bd0da8fce7e0f7a72018
- SSDEEP: 6144:Mr46fuYXChoQTjlFgLuCY1dRuAOeXWaxuQNw8y0:M0YzXChdTbv1bunax/w8y
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2260 set thread context of 844 | 2260 | 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe | 28
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2704 | 2260 | WerFault.exe | 27
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8C23161-5B44-11EE-A335-5AE081D2F0B4} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000cb322ecc25a79c4c7ee33c13a5fb9b6d3f0ccc1639a66411391133de5f0652c0000000000e8000000002000020000000b69408990e9c7a6ec0a53d5fcb0748f967566be86eeb373d998ff9de2a48dda02000000012225c23a02cbe5e048689daee9961bc385a002a7035a83f019e1e554883572b40000000cecbe92ad8c5c221428a7b176a1280dd0bd823b295530375ff2f5d0507bcaf6b17a50c019a44c39d5c2da61f3c87bbe8e0c7305a098a19f5253dc7d0e2d1f145 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8B64A81-5B44-11EE-A335-5AE081D2F0B4} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401768097" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0bc22cf51efd901 | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
844 | AppLaunch.exe
844 | AppLaunch.exe
1260 | Process not Found (all remaining entries; 64 IoCs in total)
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
844 | AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1260 | Process not Found (×3)
-
Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
3044 | iexplore.exe
2080 | iexplore.exe
1260 | Process not Found (×4)
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
3044 | iexplore.exe (×2)
2028 | IEXPLORE.EXE (×2)
2080 | iexplore.exe (×2)
1164 | IEXPLORE.EXE (×4)
-
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target
PID 2260 wrote to memory of 844 | 2260 | 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe | 28 (×10)
PID 2260 wrote to memory of 2704 | 2260 | 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe | 29 (×4)
PID 1260 wrote to memory of 2684 | 1260 | Process not Found | 32 (×3)
PID 2684 wrote to memory of 3044 | 2684 | cmd.exe | 34 (×3)
PID 2684 wrote to memory of 2080 | 2684 | cmd.exe | 36 (×3)
PID 3044 wrote to memory of 2028 | 3044 | iexplore.exe | 37 (×4)
PID 2080 wrote to memory of 1164 | 2080 | iexplore.exe | 38 (×4)
Processes
-
C:\Users\Admin\AppData\Local\Temp\34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe"
PID: 2260
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 844
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 52
    PID: 2704
    - Program crash
-
C:\Windows\system32\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4B91.bat" "
PID: 2684
- Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    PID: 3044
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:340993 /prefetch:2
        PID: 2028
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    PID: 2080
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
        PID: 1164
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 5bb1a9c23c2c3b671d2c9f5ecaa61ab3
SHA1: a6fb8d3b468131c3b020276932e0d3015163af13
SHA256: b56d7207398f00125232a19e383aaa6120e121aac49ffbba650f775c796a48e9
SHA512: 05089cedc68c73b6f3b83ac651f357062b71a04cee079072224fec18326a383fb0b117a3c3d4349b2f4a1863cf89553e4312cfc43f03817dcd073ff967a11d21
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 284ba88a32dc7f4de9ac2883343cb1d7
SHA1: dd636ff478e9472de885b3d3e3b9a6dcfc327030
SHA256: 315338d683fbbf5681423163b6955c90aa3fa684fc8089776eec14067212dd44
SHA512: 46019e5afc5536b3ab7e56df0dd9f0396281398c397a9a8b9c81a7e9f3e1f78d10e1c67ec671233373ab489e63a251e5001fcc6fa73227d45fb24ca35e904e93
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: fbb5e13e0622c33651be4513beffed12
SHA1: 9e5b0a9c49f911694017b0de16bf9041aab5c1ff
SHA256: 2cb9e6414906c57ec84324891d864e6402d07acf1710ebef29a8b53b5f6b9e13
SHA512: 27eafffebc97527bd1a6c6a70831e19f6ac32d963e9ca8ee1e77e53a80f93c895a2f341de02e9636b997615d54d2955b0226c7d08357e5a3938a1ee3f5fb4099
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2058d3bc08365b36adee6d8f55bed829
SHA1: 288c508603e82bf9c8b737dd605d7fc9978d63e1
SHA256: 84bae76245bb30b17763d2cfedb1dad7e990b2c4ad103a23ee6401ffe0cccd8a
SHA512: c51a28bd449ac04ab4513ce2852a4006a06b12ac1d89c68601ba8722668e0bb54d47b82813cf1b97a4e0f698e5cb39878a62ea38e374dfc1232c665ba936bb43
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 1be2bd25194e969128f0f3bb4fd47e28
SHA1: c075b5139ec0a633739745b4a6c5f1e78e411e41
SHA256: 9fabdb91e2e525bf848bd38897e7c4eac87f52e3cf41047a2e3cb373f2459716
SHA512: 7c56cbc7cd6120375cbea7d5ff91cbfbf0acf53f813873b98c98b20ac7cf5fb45fd5cabf5a3386e78508393e6b442c00b348f53aeaf1d438946dacecf6920201
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 19f82bf8099c31ea451dc367dbb919b0
SHA1: 7ac43b5782b9f1c5e559dd2170b1f6ba959e7ea2
SHA256: c0f18ceb44431966df794b2c9409d971f536f4b70c6e4ec46e0524f7a8b7d3b2
SHA512: 0f16ce2b33ce11ccb919174bea5086aeeaf0584732e2db8a4aae38b0baeb2a22693c2e89bc21f26583a167c18731b600d741da87389e89268b112c53cc97ded3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: cfe10028615125041e1c67b542e8caca
SHA1: c295d4fee2068eb3d4bdd53d5af108312c7ad456
SHA256: c44c48cb19a3c31cbdd2b658cc077152ee8a45a439550390ac9418d079df5d26
SHA512: 67417ae8b99c79710c101d20d03621f61dcf1c0e4aca7df1e0e8b4f800f6da9acd4db888fad55dcaee16e97d585ab050e50d61fd8366866a75012b6eb1b0f93f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 6826d007a19b28a9d95c2c010de19390
SHA1: b6ff19a573d9821edcd0798aad2a148156361c43
SHA256: 82c043f6d530c22a1e2c8a78412b31f05c15809d88d3a8110c17cf35209f8e11
SHA512: a2a0aba499f7f6d304c9b616b2b5e896bf98ee0706f338f6642cd4f1acecd06a88f3518e124c70b4fd760fac04ab7ad3e09654ea6082eda6e01814a6a6226373
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 87bc67172f2c5c90f0293b94ecb215d7
SHA1: 48cf43d2e0bdde5a3e3641d3379ff1320457adb7
SHA256: c4208342581353edaa5862a34b1773add300f1eb02d79a8e1faf42700b1c5ee5
SHA512: 544a568e96b59fb1560af9cc44df9f3ffeba7b7072718a4a86e64ad6855c6fbef28cb9a1e837e168acc8f28985809fb3c1c87a62b76f09e990cd0c092afef40e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 90f65fcd763b721e656abdad87135459
SHA1: 4ed8b6c5a705e2caf116359222e431381cf0c855
SHA256: 626d69b54a8bb18188949744c8a78bcc5e511f6e2d7c6e43054919f3ec706a56
SHA512: feb4dbe1da3cb2270a0c074c76c2f210bdca22fc8b6d48053533c867a440cb290b3da3daf7110ad6dff29857ad1867c39662d35684f989b0e5322618c3b44e0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 1df7cd3e7beb93c4b9e8592289da78eb
SHA1: 88a5405e0c99485dd91d5385c4aef21610f75654
SHA256: 76d579c02940c1af81d5d878602f3f1b35975dedc17a42d9f716c8be5d8cfe55
SHA512: eb5a110df2f63bdfd41388601304ecf200a1010597c200e60722e51dabe21f7db5000c39d96233e486805c34bebf7a0723e805fe64efa99b66ea5fdd42da038e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d6b0e6a1b2aafd9f81ec1fa858ddd0d3
SHA1: fc7943f5626a89bdaf76f2b28dab6e832e47785d
SHA256: c9494e31d9262aa0f08946e9feef05f1805233bfaa15e696b92a0d88779754e8
SHA512: 36c8902a64b2e22cbd212c3a8bc3ded62a5ab7c21c76d98c04c5672618ed02429ef016dbed91aab92311c207ee83adbc6b57c6e9a9dc3344b766aad20608fc48
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d2f01156e8e4226dcb399b98ede5e36f
SHA1: b4c704472bd58c96ff84a2baa5614f5a0c64f9bf
SHA256: ac50653bbdcd79edfc4b99fac3563371b9354c1c11a8390587ae9fa464dd1c69
SHA512: c17ff82ab1e224fdb950b3d28e0837c84b09ba106928af113d54f32518db2c9945f3b97affd794e831ba884d6e335013141542db1271e5e284dbbe84eea002b5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: c12b65b85015ec18ed7c64b7f8bc4ff5
SHA1: 280b904b7da111b333d27d4f5e865dcfdf7cbd1b
SHA256: 6baf331064c642c660cf37b3558b72dd683ba87629974a8bc376b6dd8a6fa4ec
SHA512: 4f1de66ef13c0ff3cc5348ff638bc6422e09a854ef0b62f56a0b80c7ac2d7154a4bd9c4ece8522dc6803f9d2ef472b9e098727e2fa0abb3edef2010d53ff977f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 064750ea53b2a87a26eb976321d69fcf
SHA1: 5945bad9dc130de9672222813c3c9709b62b9c88
SHA256: c6c27a42e0a9c1affa9a95c4116368e30f2c5df78d0c27fd24813c2937f4bcd0
SHA512: 53c02026560920f03276feff2473c10e726ed1b7929a74d7076e48fa036cf0c03605f93c61cfdad32ed816b952feeea5f13e8b9f82843b3434f0d22847ddbc81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: eeb521471e09e0b7bf13fdd2f9f5759b
SHA1: 1a611864e0a5b7e170e22952da5f6510e2768481
SHA256: db34a9193bbc184e976d00f6cb63dea069dfce63adac0753c65b5fc237d8d28f
SHA512: 768baf92e8b1e84efa7031b4c60fc00cc91dcac0fefa20b3314ec88b71f3257a66b32ecc69091990d16ab1f74aa44be12311d0428f367595b34640cb97f9ad67
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 3e1dc0cfd53b85e8fae5219b53608140
SHA1: baa0270c56db9857af1b778c35bf9a0fd98a9f65
SHA256: 597a94eff35b87da3bf5e173fe7c9af9ae3ceeb1307052207907d7b4cc88aa4a
SHA512: 54f8ef7355c1f9f69304cdf06e02a588c049a71827bbebfd458fdeadffe49b33bd68ac34b58d246cce42613528df1d98a08c0510882bcd94d584367826f4a35a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: a8288dae5994e3e246b6807c3bd7ad4c
SHA1: 2bc41e5bb19fcd2e862feefcdec0c253bb60f4ad
SHA256: ea2d4ec452f729e78f8cea77268b9b9287b93aeadff2b65c623db722f1d0b5d4
SHA512: 479b1f3cf1f7fd1c9dd97a8653a7d69a87e6caafee66c3f5c43da66c82333982ce26dd9b7d0db02b0e7aae6078f3f08c9a26fcf2077c13a17cb0766cbab02ce0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: cd7f5c05ba7e1495869154428a8ef06f
SHA1: e890883a681e8872fa7625873aa3199e58766ea8
SHA256: c0e3630d06799ae6a3606e9281832e777c8521ab87878f2cc05f5da4e9cef054
SHA512: d0abde897a2bad8697bbe284f525deb7b0105b8115dc208bf4520181a67627919fc5c632f324baac16dadc2d705f15651f7943c8df8b7aaeba8272999b9c03b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 114e909f0f51c40bd2c66b33ef6b9976
SHA1: 1fffb216b09ec82c19f5625c4a9fd5aa1b0a6408
SHA256: 49afd2a8f47e72171ca58058b914ada63add2ce143c3d7d15e85fb555fdf215a
SHA512: da724f48616dd9e3045ebce72c324c1d4f3fe9d8e2bb27a849d3ca825a34ab4de851d9912c0996e1644e39b0ed4fc266f81e7a4148e79aa98a7b462c908ac1b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 43d85d49796f84ca65e08a31ce4a4444
SHA1: 8c186bca428e348926f385de0834ddef4b2960de
SHA256: 49ede50b2c97f30f12ee502ee7b90cc6bcaceb78b959a3fa13bff5fcfcc5d76a
SHA512: 51b2aadb9f6e4dafc9262ec9294111b113880e9f82405bbe5a036fbf3886644f0befdb2808da31368ac9b3d4758ba5ac548b8fd57750699449a4cdce4cf35ffe
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F8B64A81-5B44-11EE-A335-5AE081D2F0B4}.dat
Filesize: 5KB
MD5: 3a9fc00f2ad115670cd53ce74854f547
SHA1: 3134768356cf60d6712c6828c4648aac34e6bdfa
SHA256: 90974921c6c234ae306c1635af9e630a48b57854b5b0027a323e070d9a5aa159
SHA512: 53b9af03001561b388d13eb84f29e763bb065271d605dbfe7aed3574bc2ccdf1b9ea927e71bb045ead9ed39237885afb469201d876f80bec5a2bb48ae8d9bee4
-
Filesize: 4KB
MD5: d3e8851dabe5661b09a45f8724ea7127
SHA1: 19c475b575bd7b675979e5648a5229bec068d203
SHA256: 0a139aa8390110e4042ba8b39406b21754f39f51bee01e0062d53b8bd33c409d
SHA512: ae07b79443c32dc1470f875c8b712ce0fee9155308cf995f8d6f8df5447a0daa123932df750cf06afb722821888b9c2f97aa56c569a90f73bb8cd59171f889f1
-
Filesize: 9KB
MD5: e0c31690c035e9f653d60495211a894b
SHA1: fe6e00b69206570594312144d3ce697a86e47dae
SHA256: 6f250f8213815b4e7d04ed40378b7556dbdb91775f022af6023bb769672867e6
SHA512: f67e3d0a47f529b4f476302162c20e18ad0847c4d4a07248236e096f2c95c38b4c0e5c7d43805ae1cdee8e9add7e096e5132f5af24f4c470d5a9e91340d3f810
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\favicon[1].ico
Filesize: 5KB
MD5: f3418a443e7d841097c714d69ec4bcb8
SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\hLRJ1GG_y0J[1].ico
Filesize: 4KB
MD5: 8cddca427dae9b925e73432f8733e05a
SHA1: 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256: 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512: 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
-
Filesize: 79B
MD5: 403991c4d18ac84521ba17f264fa79f2
SHA1: 850cc068de0963854b0fe8f485d951072474fd45
SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize: 79B
MD5: 403991c4d18ac84521ba17f264fa79f2
SHA1: 850cc068de0963854b0fe8f485d951072474fd45
SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize: 61KB
MD5: f3441b8572aae8801c04f3060b550443
SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize: 163KB
MD5: 9441737383d21192400eca82fda910ec
SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf