Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 25/09/2023, 01:15

Static task: static1
Behavioral task: behavioral1
Sample: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
Resource: win10v2004-20230915-en

General
Target: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
Size: 239KB
MD5: 2c8fc97d5d80ee9c7abc1ce63a14ad43
SHA1: 9aedb339d299a69f7a0bd2a1dd7d96e8741324b7
SHA256: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7
SHA512: e10c42f0910bd4d340a5dad9d788c043a381824beb600ba9410cc21bcbbe22ae287f440c1062f43e4aed60e601401cacb63d9aebb31927133f97196fe125e33e
SSDEEP: 6144:n846fuYXChoQTjlFgLuCY1dRuAOhbCIGGQYw8y0:nlYzXChdTbv1bunC0w8y
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3020 set thread context of 2124 | 3020 | 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe | 28

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2784 | 3020 | WerFault.exe | 27

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{221622F1-5B41-11EE-AA35-F2498EDA0870} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401766448" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b00000000020000000000106600000001000020000000cfdf4ed48301c5474ab1c8fc8cc390133175bf503dc4d02666c61a0cc0f93bd5000000000e80000000020000200000001dc813fd1866b38ba467a659ce3fbef9c1916f098c2d14278e36dead0038ecbd200000006c1a0bb1b43dc6c94979efa498e3dc399f849f67a8f8323564d01d29685d9f4f400000006a434d320611d7c1c56ea723776d4277a64cf32c38611b5f0e5bb2e11ea57a8a8bf2a932604160bb91328632fc00cad6383eaf7875680f5d7e533ca216dd2e64 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002128f84defd901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21F99271-5B41-11EE-AA35-F2498EDA0870} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2124 | AppLaunch.exe (2 occurrences)
1204 | Process not Found (62 occurrences)

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2124 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1204 | Process not Found (4 occurrences)

Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process
1532 | iexplore.exe
2956 | iexplore.exe
1204 | Process not Found (4 occurrences)

Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
1532 | iexplore.exe (2 occurrences)
2956 | iexplore.exe (2 occurrences)
1904 | IEXPLORE.EXE (2 occurrences)
2924 | IEXPLORE.EXE (4 occurrences)

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target
PID 3020 wrote to memory of 2124 | 3020 | 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe | 28 (10 occurrences)
PID 3020 wrote to memory of 2784 | 3020 | 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe | 29 (4 occurrences)
PID 1204 wrote to memory of 2664 | 1204 | Process not Found | 32 (3 occurrences)
PID 2664 wrote to memory of 2956 | 2664 | cmd.exe | 34 (3 occurrences)
PID 2664 wrote to memory of 1532 | 2664 | cmd.exe | 35 (3 occurrences)
PID 1532 wrote to memory of 1904 | 1532 | iexplore.exe | 37 (4 occurrences)
PID 2956 wrote to memory of 2924 | 2956 | iexplore.exe | 38 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe"
  PID: 3020
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2124
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 52
    PID: 2784
    - Program crash
- C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6D05.bat" "
  PID: 2664
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    PID: 2956
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:275457 /prefetch:2
      PID: 2924
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    PID: 1532
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
      PID: 1904
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: e1bd8626a4b978d964f7e007bae61e42
  SHA1: 44534f40bda5d2f001b9af9419ad1f979a0e0e9d
  SHA256: f011209e44684bcc14276adf7abc5efee64cdc627995d03ab343e4e02fd554b4
  SHA512: 16674fba30234373b2d0012755e5d806721c980ceb6f07823ae10f888245f6862e54dda39af1db452bf053377341252e6035b4e2b180e48a7efbfbe9c2511ea3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 562824dca5cf2870e1bafe7e42303404
  SHA1: 0bb6a9c7e0bc23ef992345f85db2d0e3419c5605
  SHA256: 0def19bc8e14828918ab9eced79211a685f9fb06c1160b685a344abc409a4c7b
  SHA512: fccc86f1495fea5215e4bd5bf4a27e0ac3d395a39fad30ce91170fe564ec6a6c010a66465e8cde797d9565a0250c7f367bff072be0244fd31f7dab5998d0db5f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: abdf510e4c7f203f242c6c907f52b299
  SHA1: 31d725e084325164d8863619aaae46092ce11d12
  SHA256: bd10cfbcbebfb8a88e5e4fc35bd2182a9087b40e58a0cc3e1451e45c660fb0c4
  SHA512: 98f06150a99326e171552fe249a6c97b8da4937d0b9752ab0eecba1b33caa5b6d456197b5fe46eed86a01f0759832b9b859d4481d71ce53d86a87d91130895fc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: dcae49c01d0a2602caf86aa662d7de9c
  SHA1: 27f985d674b79c6bfd70fc50430125ef51103b54
  SHA256: 466a73286071d6065f806976e177cbd104f07aa2c8c15dfdd8585084ce32ac1d
  SHA512: 41c74dd89becd6a0a244e651245c0bd9b4f0f68f7ca611ef6a2d3b3797296638c264d35143a6cf62bcff435dd8a339be00646ae77e691bdd2aae0ea132ef0742
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 0ceeaea83b578f74f7d96629bf14f381
  SHA1: 3106a5f339c863d49318faaf02782f8e0eb46471
  SHA256: 89b2e928e3af437c7c9c29668383fbc429a7b75df2fcfdc7a17db501e44442dd
  SHA512: c3154c5c98fffe8eafe6bfed212fa246fa0fbb9860e01f8a2a5bd41abeafe94c96355adc1bdcde8798510beb4f29fcfe347e7a05be7d284ac3fa4fe660e20a2d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 18348dcd4fa2bb95dc179963b375a422
  SHA1: f7c52c6dc78be10ddc2b6ae1e1ef45e22d20a35e
  SHA256: dfca80a21c2d7f8846c6088aaa45147862b0636d2213f257cb9c82d3097b1d55
  SHA512: aaba41abdbfff486a0c72f14926659265fd39b810ee561293c96aca6db0ebaa7690979c7d1dba07f7d47c562a671c09dc07b08f8d12e8dd2c016bfef8a41db03
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 9012a1d01ed827218cfd2376ed12e41f
  SHA1: 78a074ed5474aa8b9d25af87da1ca91c2ac8b33c
  SHA256: b7d7b5477ce89fe807caa2b07e78d6ecf714ec2cf7382d4efd5354b51b932c34
  SHA512: fcc79013d6e5857825ae0d91319661fa2ed4720ccb156e85c1e45ee13dbe919ca90678b1f75d0c0ec23b6fc3f74134bf3ab383ae6ceb2fd85da0bb4569a5387c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: ad52634b5a234b8a8f138ac14851f3f3
  SHA1: 255c3cfee070083dd3d1bd6b801306628a9df10d
  SHA256: 50b96ebb1e47d2bcad1769b2828db55b2289776d3a471826d6e172f8bde0fe24
  SHA512: 1f53c87f24ddd522959a1d0238b11e04a09a754c3cf9df31e12f8b742b741c5e23de5ea987d06696f991bc2a9a6ccb71ef5a815adebdfb8fdca366ea7c9eb0ee
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 0d2a252cf8fb3084c09b1d58e6a51802
  SHA1: 3f0894855d1ea720d5d1fa472f838217c3dbc7f6
  SHA256: 682df099f58956e338c86b30b530c34aaf120883aa49c1c5d94782478bb0c288
  SHA512: 2c2581a55107e4727a8794f854013b5b7a40632edb65bf5124e62d300bc237d0c58ea46fadae47e31723073ec982002acb2064d3c14b966f8f894b4bb1d9be8a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 03b4afc114a260a77f720ce9cff4d7c1
  SHA1: ac42b4aefdc4d395a4aa188be0232ccbfec55d82
  SHA256: 88d103bdf8b51938c432ff861f188d1af981acad0a4943f921c48f86b04acb76
  SHA512: 0be98703c2f35e444c7546cf35541a57516e6afa1d1939e60722720d896e1dfbde96c781d8e7a40ae18a8f33bccab27cf49226782db6c8016c115b9ad804a93c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: aa3f6fb2ca186000318fd8e269fe0fbe
  SHA1: 73ecde9a301ca1fbdc70c5ce32bf3a81130d5553
  SHA256: dc3191bae69878a421289b09bc8416f33ea206b7945e93058b22dabe679b0a17
  SHA512: c058b175cc08afaf84efc2b05db78e31cb9fef8e6deb543fa3fb72818099b6bc0bcf5acb764a38132d35ba6af9f04374e852f133e7d8b01d1b2642222e25c2ee
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: a630e8cc94749eea38dd8e60cd6ff4f2
  SHA1: 8c257bb3654b0f7a9a8b2c5175c064daae77d176
  SHA256: 0cd5ab27d9028118472a33652b3a16f5c0265cab2564c8dda26348f8c01e29e0
  SHA512: b79d94a064555ad9959697a497cd1704b5599a9f6b5581be35e5054d8af8f807ea892335126be88dda2ba48d211cc4953d2eabcb6ff4c7e5262ba7abef2173d2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: b884a7a82076ab58c9451228aff3fdf9
  SHA1: ee31bc88970bc2f01a34099e2a01d948e0d793a9
  SHA256: febe11c877cecce4c4439649fe5ffbb936aa59b562e28c44616712851df91272
  SHA512: d1564386203fdfe5ec8d5cea0fac4b5ae6334649ecb97d7d7a5459597bd549d80e1aa380453fada9a42d59d8cd93cd4a37be705db1965a4ecd00d20b8d11366f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 095ebe998d14de577a1b6803e91a7cf0
  SHA1: 857dd76357d1923265263d56b176dbc95c03c896
  SHA256: 771490bb10d49af5fcab9ab2c8951db8e22d8941148dbb432168d39df8f71f02
  SHA512: 07381fbf8d0cd81b0f8e997bd302133b1c40b58038dc8213dc85399ed23bd37cd77faf3e625cd56ecaa09a2c0e94db124ec77bb88c64fdf9b9e266832e235179
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 47a969e2858c6228447cccb98fc9b77e
  SHA1: 6a06a7950f2cc76e00d7e2bb929f7cadde86ef6b
  SHA256: bbb9f291b18050e74851e071ad57b5e9771cc42e2e9d9773689f42899f5b7476
  SHA512: bbcefb7f9c6b9e88b5063537ab60c1b8fd96f37acab8fb2889b823de54c5ca9f16670b59433cee9eb2b9777afe46381d0cd5a82a63d6e44267d2f8a62ce2f4b3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 680c01a55ae9ba887904460903f094f3
  SHA1: b936ec3181203c2c26e3492bc9e3261748f3c395
  SHA256: 2b1f84489d3662de2b1fc340848c1adade43740d03bde76239b92ba1a276a066
  SHA512: d13ea3b681f5d7d4bd8404394ec79dab8a32412986334c67cf35ccaf1cbda71d8bba31c44ed32586753c9eb8481add944ca811aae2a86223ac26b936cb4c76a5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: c76f5eb0787a7560c27dfe1ddad9ad9f
  SHA1: 2909081f9bf153c2239a61c1b8e0a07ee2a680db
  SHA256: 64690e7796734cb6a86a306ecfebb1340f4b650fa04f5ff1af1dadb0e6b2a869
  SHA512: 5980359314c781fda086c3e882331149e01cbcd75256f467c5eec22199ba50a2d2be3823c4cd82424f943528bfff30e2b1dec3df88242c50eb4e7d1e92f02c70
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: f02ef2bc135d72480eb69bd65d2d3d3b
  SHA1: dc0c6347a43baca56610a84b4696feed244485be
  SHA256: 2d5a7281c9ec79a24024ea497587ca522bfc27a92dbea051ea1829ee895b212c
  SHA512: dc4ef28f7abf745b4c5599a4aaa14c87f8c632a69e0360008f4756af9d1c8cdb6cb83e50f325e012618af91e37cc942dd4dad5fc03e18379c1731955085326cd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 872f190aaab04b301f07469346cda8a1
  SHA1: 948678d52c4d8b5ac9bfccc8dc38d88db2431ab4
  SHA256: 87be79e1bea1a1b6cd9e0b1de21dab1ab43b6da32c162fa5daa95f4b326ef3e9
  SHA512: 3bcf49312f0c2c277cdc4113361b52bdcbf15f996b46603d5f0348a7b49e3bfd7f14f4e6d2cb848ca909fd2a4ef9ce31f5228b5d64642563e817213c63cc96e4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 96afd3a4128f0192a520383931a6fc83
  SHA1: f6d1a469da0e40c15b2a6fed492735e65cf8a71f
  SHA256: 2bbf081f3b3f31c018acd826e21413fcac39086624d738acd36941d6e2819852
  SHA512: 01056af84346fc987409fa25705094079f1ac305bed10bfa60b939fcc1f0f2632daa40b94ec4f14248a644a372e59b889a0af0ceaf104bd4e7c2ace7af2f0c2f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 45300c4c4ee616e312f0381b1ee472a4
  SHA1: fca749bfd63f2b3a5bd9acab25f72f54bb540cb7
  SHA256: f3b2aab81342eb8f7f460cd18a5d52254683f5271b944bcc19a61e772fa14512
  SHA512: 2401ec9f7a4169a388d08a296abf1300038b6cea5c4ad7f04946044b8d8edf9f528529086381b7639b4760834bf55a35d9c55c44c06255af5e39b4ff22955f8a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: d1d7c022a38dd08bd9116832880fe2cc
  SHA1: cfbe9cfedbbe98b5ee564005fa76dc73f9eda6b8
  SHA256: 4593ae6769a179bff701610429eb186838dbe884914985a9340f476915feb612
  SHA512: 480ffe42671c8c5225dbfb9a1a5fe464f7eb0c7bb04a780eaac3f58864864ed91ff2b28d97aabbd3ede97fa3d6eb126f2b9ab88348e2999bae6d4a2a23be6a5c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: c3b8ece31d04510bca73d8f038905a0d
  SHA1: 5bc27ba3bc1374bfb50fdfafe9b323cc8369a04d
  SHA256: a3809d5b490165c1b789f3ebf9e47d96b1e641931f00357200762436c6a29fcc
  SHA512: bbfd509c508b9685533d297b32bd33bad89c0cf2d20513a9143de0514070ae5e8824dacbf68c5154b2a444f8fe76394a81608ada5d192349196384c5f0046793
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: dc3d2e14be7238b1fb9c49af0694a938
  SHA1: bf8d103b823c68484efbb295d950e482b6783273
  SHA256: 43afe42ccefa5655d16fd5db74f0a7b39ae22b43949dbb071bc517615524ad1e
  SHA512: 8923acb454c43db679747ccc436da2fcb97965f5ff2552823d43aa24f6359e04fe281373fcde822210cdb3446341418021682eb12af76f96f73b7717e7960837
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21F99271-5B41-11EE-AA35-F2498EDA0870}.dat
  Filesize: 5KB
  MD5: e8b43e142e8759e0c5ea69e6036de211
  SHA1: 187b2a22f284705925ee29ce788c840887430d52
  SHA256: 1092428e303ba1e4157aef7cc79a19df6b4549933b48511d188d423c2951c851
  SHA512: 8318aef0ece6339d48b6de1fb3169b4884020c26fd291c1418813a9b85dd10d7332159ccd144be747a2763da77e04b10c15307feee9d8d099709c72282fca7ef
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{221622F1-5B41-11EE-AA35-F2498EDA0870}.dat
  Filesize: 3KB
  MD5: 8b80e40da6d32cea93497353a144fe3c
  SHA1: a0bf82daf76de8fb1584b6df23a77551e62303d4
  SHA256: c4eec6ae0af84ad40ae990d8df55976153c8c07b1d6faeac94d0e3356298dd7b
  SHA512: b81aada4cbd077b9f24e5c65e0973055a09e7ea9cc12e8bdf1f5bac0c699750b0f5f600b719cdebea5933893095971ff0dec31c0c06d549b5c14d69b54bf718e
- Filesize: 4KB
  MD5: 7a1c22a98ac63b5689101a8ad44b8735
  SHA1: 61910d060c50a988d1f0bca8929b015ab4097d5c
  SHA256: 69e88f3cc6c1efd56b640da1e42240edccde3a99b944d13e3056f39248e80e90
  SHA512: 2b207e582234100612abd43252db44ab282089450503b277dfe8972f13ae70feedcccdaf2b7801cba7bca065dc7dd5f8ea3a5969e6865bddff2e320229eb85cb
- Filesize: 9KB
  MD5: 0b8dea06dc6a1b79ad82916170671c11
  SHA1: f4d4cc1431ede594c1236e130233101a6505eeba
  SHA256: e3b554eab8c8efe8b0dac5344b4f2a86e7dacac678800c766120ff763539b380
  SHA512: 34d509c6e17f8dda7e6b1762a82be259a8094a1a824b441154b923ebe191a7f5b48b81e3801b8ca0dd8c5d7f6e83a5109fb365b6f1c74205ff5d2252e578249c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\favicon[2].ico
  Filesize: 5KB
  MD5: f3418a443e7d841097c714d69ec4bcb8
  SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
  SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
  SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\hLRJ1GG_y0J[1].ico
  Filesize: 4KB
  MD5: 8cddca427dae9b925e73432f8733e05a
  SHA1: 1999a6f624a25cfd938eef6492d34fdc4f55dedc
  SHA256: 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
  SHA512: 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
- Filesize: 79B
  MD5: 403991c4d18ac84521ba17f264fa79f2
  SHA1: 850cc068de0963854b0fe8f485d951072474fd45
  SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
  SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
- Filesize: 79B
  MD5: 403991c4d18ac84521ba17f264fa79f2
  SHA1: 850cc068de0963854b0fe8f485d951072474fd45
  SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
  SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- Filesize: 163KB
  MD5: 9441737383d21192400eca82fda910ec
  SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf