Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 25/09/2023, 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
  Resource: win10v2004-20230915-en
General
Target: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
Size: 239KB
MD5: 25583a13f8e47e6775ffefc2897d9176
SHA1: dacb21dd53eabc6af67460d6b405f68fcfb1f4d2
SHA256: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8
SHA512: 377596f0ff6192d58b3e000b45dc0b709a11ce3717552fc78db143e18fc19683de0f3503e1ad0e3d040777bce683adf0b9d8e8cf11be606571c907d1c8688d40
SSDEEP: 6144:xJ46fuYXChoQTjlFgLuCY1dRuAOLJ8Sw8y0:x+YzXChdTbv1bu/pw8y
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
pid   Process
2620  vfibrge
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                                               procid_target
PID 2224 set thread context of 2416  2224  d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe  28
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2820  2224        WerFault.exe  16
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
-
Modifies Internet Explorer settings
description  ioc  Process
Registry keys created and values set by iexplore.exe and IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer (LowRegistry, Main\WindowsSearch, Recovery\AdminActive, Recovery\PendingRecovery, DomainSuggestion, PageSetup, SearchScopes, GPU, Toolbar\WebBrowser, TabbedBrowsing\NewTabPage, IETld\LowMic, IntelliForms, BrowserEmulation\LowMic, Zoom, InternetRegistry, Main\Window_Placement, Main\CompatibilityFlags).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process            entries
2416  AppLaunch.exe      2
1268  Process not Found  62
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2416  AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description                 pid   Process            entries
Token: SeShutdownPrivilege  1268  Process not Found  3
-
Suspicious use of FindShellTrayWindow 6 IoCs
pid   Process            entries
2556  iexplore.exe       1
2512  iexplore.exe       1
1268  Process not Found  4
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process       entries
2556  iexplore.exe  2
1960  IEXPLORE.EXE  2
2512  iexplore.exe  2
2280  IEXPLORE.EXE  4
-
Suspicious use of WriteProcessMemory 35 IoCs
description                         pid   Process                                                               procid_target  entries
PID 2224 wrote to memory of 2416    2224  d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe  28             10
PID 2224 wrote to memory of 2820    2224  d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe  29             4
PID 2728 wrote to memory of 2620    2728  taskeng.exe                                                           33             4
PID 1268 wrote to memory of 2504    1268  Process not Found                                                     34             3
PID 2504 wrote to memory of 2556    2504  cmd.exe                                                               36             3
PID 2504 wrote to memory of 2512    2504  cmd.exe                                                               37             3
PID 2556 wrote to memory of 1960    2556  iexplore.exe                                                          39             4
PID 2512 wrote to memory of 2280    2512  iexplore.exe                                                          40             4
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe"
  PID: 2224
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 2416
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 52
      PID: 2820
      - Program crash
-
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {983D69CC-F01B-483F-AAC7-202DCA87B4E2} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
  PID: 2728
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\vfibrge
      Command line: C:\Users\Admin\AppData\Roaming\vfibrge
      PID: 2620
      - Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5909.bat" "
  PID: 2504
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
      PID: 2556
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:340993 /prefetch:2
          PID: 1960
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
      PID: 2512
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2
          PID: 2280
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
-
Downloads