91b67062aef7d617aac24a7497f7be41c3c80d73542f9b23d1086166b8b4f1d3

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 16:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

414d3ebb8519a39d64b2787543586d1a.exe
Size

6.2MB
MD5

414d3ebb8519a39d64b2787543586d1a
SHA1

a16979a520f90c2ed555a9c30db31f34108a1f93
SHA256

91b67062aef7d617aac24a7497f7be41c3c80d73542f9b23d1086166b8b4f1d3
SHA512

0af46f524f9c4afde3156f7b94a1cc8e13416540701668d1b5fb4958c8e773ad8f4eb328ca293e5e48be4db3f3140891723208ba930cffdfba985235f816dd4f
SSDEEP

196608:tzmNNWD0ocDlXB7SV1JCOZ1GobMsPXcS7:oWU2tGYMsPXv7

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch WhiteSmoke.lnk	414d3ebb8519a39d64b2787543586d1a.exe

Executes dropped EXE 3 IoCs

pid	Process
2148	CheckLockedWsFiles.exe
1160	WSEnrichment.exe
2076	WhiteSmokeRegistration.exe

Loads dropped DLL 23 IoCs

pid	Process
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2148	CheckLockedWsFiles.exe
2148	CheckLockedWsFiles.exe
2148	CheckLockedWsFiles.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
2340	414d3ebb8519a39d64b2787543586d1a.exe
1160	WSEnrichment.exe
1160	WSEnrichment.exe
1160	WSEnrichment.exe
1160	WSEnrichment.exe
1160	WSEnrichment.exe
2076	WhiteSmokeRegistration.exe
2076	WhiteSmokeRegistration.exe
2076	WhiteSmokeRegistration.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WhiteSmoke\html\english\common\js\prototype.js	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Buttons\Thumbs.db	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Buttons\undo_disabled.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\enrichments\title.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\Buttons\translation_disabled.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Background\base_fade_px.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Background\notice_right_top_bg.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\scale\scale4.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\img\Background\inside_bg.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\review-section\content-review.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\content\style\user_guide.css	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\screens\screen_ok_up.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\Buttons\idioms_over.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\iepngfix.htc	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\js\common.js	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\settings\img\Buttons\cancel_up.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\Background\logo.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\captionbar\caption_bar_re_over.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\screens\ico_complete.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\captionbar\Copy (2) of logo.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\Buttons\apply_over.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\welcome\content\img\Background\splashdd.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\WCapture.dll	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Buttons\Autocorrect-close-rollover.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\captionbar\caption_bar_close_down.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\captionbar\caption_strip_right_corner_old.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\scale\scale2.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Buttons\summaryline_check_roll_.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\content\userguide-p4.html	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\Buttons\cancel_down.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_bar_max_down.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\review-section\opencq8.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\content\img\whitesmoke_templates.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\Background\bottom_right_corner.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_bar_close_over.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_dictionary_roll_over.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\screens\screen_bg_top_right.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\img\Background\scrbox_left_top.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\style\welcomescreen.css	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_strip_.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\screens\screen_bg_old.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\js\ypSlideOutMenus.js	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\img\Background\logo.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\WCaptureX.dll	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Background\corner_top_left.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Background\right_input_goldold.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\captionbar\caption_bar_max_down_old.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\review-section\Thumbs.db	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\helix.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\templates\img\screens\screen_bg_top_px.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Background\bottombar_px.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\Buttons\notice_userguide_up.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\captionbar\executive.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\img\dictionary\top_left.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_translation_roll_over_.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\settings.ini	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\gui\style\Contextmenu.css	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\content\userguide-p1.html	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\Buttons\down_arrow.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_dictionary_off_.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\floatingButton_howto\js\iepngfix\opacity.png	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\content\img\body_bg.gif	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\help\content\js\iepngfix\iepngfix.html	414d3ebb8519a39d64b2787543586d1a.exe
File created	C:\Program Files (x86)\WhiteSmoke\html\english\dictClientDic\img\captionbar\caption_translation_off.gif	414d3ebb8519a39d64b2787543586d1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0004000000020522-958.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	WhiteSmokeRegistration.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4276FDEC-36D7-4D9E-AE46-A63FFA0E1EC7}\TypeLib	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ComVistaElevator.LocalMachineWriter.1\CLSID	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD6A6945-EB68-4F46-A4D2-184082A0491F}\1.0\HELPDIR	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}\Version\ = "1.0"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Director.Enrichment.1\CLSID\ = "{03E0DF2F-5DD6-4E6D-8DD8-FDACE6DDED11}"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4276FDEC-36D7-4D9E-AE46-A63FFA0E1EC7}\TypeLib	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49269ABB-3D8A-4153-93BC-2A695B066F82}\ = "LocalMachineWriter Class"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WSEngine.FloatButton.1\ = "FloatButton Class"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE3A6465-A928-4257-8543-C89D3EF617FD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ComVistaElevator.LocalMachineWriter.1\ = "LocalMachineWriter Class"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92E5039E-FF1E-4AFB-8F24-87592D20C383}	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03E0DF2F-5DD6-4E6D-8DD8-FDACE6DDED11}\VersionIndependentProgID\ = "Director.Enrichment"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E54B049-A893-4A7F-B3EC-206E01A4F9F8}	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F33928A1-8849-48DE-BECB-829D7727AAF2}\TypeLib\ = "{CD6A6945-EB68-4F46-A4D2-184082A0491F}"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{537E23DF-DF2A-46AC-AC4A-F1E40E0CDC02}\TypeLib	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ComVistaElevator.LocalMachineWriter\CurVer\ = "ComVistaElevator.LocalMachineWriter.1"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49269ABB-3D8A-4153-93BC-2A695B066F82}\TypeLib\ = "{CD6A6945-EB68-4F46-A4D2-184082A0491F}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}\ProgID\ = "AddInExpress.OutlookSecurityManager"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49269ABB-3D8A-4153-93BC-2A695B066F82}\InprocServer32\ = "C:\\Program Files (x86)\\WhiteSmoke\\ComVistaElevator.dll"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92E5039E-FF1E-4AFB-8F24-87592D20C383}\1.0\0\win32\ = "C:\\Program Files (x86)\\WhiteSmoke\\osmax.ocx"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0194532A-A99C-4337-937E-2A452C8957BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddInExpress.OutlookSecurityManager\ = "OutlookSecMan Control"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Director.Enrichment\CLSID\ = "{03E0DF2F-5DD6-4E6D-8DD8-FDACE6DDED11}"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4276FDEC-36D7-4D9E-AE46-A63FFA0E1EC7}	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0194532A-A99C-4337-937E-2A452C8957BE}\ProxyStubClsid32	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Director.Enrichment	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49269ABB-3D8A-4153-93BC-2A695B066F82}\InprocServer32	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78F44EB2-0CDF-4b37-B211-B34F20C69788}\VersionIndependentProgID	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78F44EB2-0CDF-4b37-B211-B34F20C69788}\Programmable	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97276C83-5857-4819-B12B-0837E2234B87}\TypeLib\ = "{97FD9656-07A9-4EEA-911C-16E1375BDBB4}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E54B049-A893-4A7F-B3EC-206E01A4F9F8}\TypeLib\ = "{97FD9656-07A9-4EEA-911C-16E1375BDBB4}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Director.Enrichment\ = "Enrichment Class"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WSEngine.FloatButton.1\CLSID	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78F44EB2-0CDF-4b37-B211-B34F20C69788}\ProgID	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97FD9656-07A9-4EEA-911C-16E1375BDBB4}\1.0\0	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E54B049-A893-4A7F-B3EC-206E01A4F9F8}	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE3A6465-A928-4257-8543-C89D3EF617FD}\TypeLib\Version = "1.0"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92E5039E-FF1E-4AFB-8F24-87592D20C383}\1.0\FLAGS	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\WhiteSmoke\\osmax.ocx,15"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03E0DF2F-5DD6-4E6D-8DD8-FDACE6DDED11}\InprocServer32	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4276FDEC-36D7-4D9E-AE46-A63FFA0E1EC7}\ = "IGenericHtmlWindow"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}\Control\	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96763D83-1A26-467F-8713-F8E4D58BA742}\ = "WSEngine"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WSEngine.WSGenericHtmlWnd\ = "WSGenericHtmlWnd Class"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F33928A1-8849-48DE-BECB-829D7727AAF2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}\InprocServer32\ThreadingModel = "Apartment"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97FD9656-07A9-4EEA-911C-16E1375BDBB4}\1.0\FLAGS	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E54B049-A893-4A7F-B3EC-206E01A4F9F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WSEngine.WSGenericHtmlWnd\CLSID	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03E0DF2F-5DD6-4E6D-8DD8-FDACE6DDED11}\TypeLib\ = "{97FD9656-07A9-4EEA-911C-16E1375BDBB4}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ComVistaElevator.LocalMachineWriter\ = "LocalMachineWriter Class"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}\ = "OutlookSecMan Control"	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03E0DF2F-5DD6-4E6D-8DD8-FDACE6DDED11}	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97276C83-5857-4819-B12B-0837E2234B87}\TypeLib	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F33928A1-8849-48DE-BECB-829D7727AAF2}\TypeLib	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92E5039E-FF1E-4AFB-8F24-87592D20C383}\1.0\HELPDIR	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5844E584-CC22-49FB-A473-BEA4F19EFA53}\ProxyStubClsid32	414d3ebb8519a39d64b2787543586d1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5844E584-CC22-49FB-A473-BEA4F19EFA53}\ProxyStubClsid32	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97276C83-5857-4819-B12B-0837E2234B87}\TypeLib\ = "{97FD9656-07A9-4EEA-911C-16E1375BDBB4}"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE3A6465-A928-4257-8543-C89D3EF617FD}\ = "IMainHtmlWindow"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5844E584-CC22-49FB-A473-BEA4F19EFA53}\ = "IEnrichment"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0194532A-A99C-4337-937E-2A452C8957BE}\ = "IOutlookSecurityManager"	414d3ebb8519a39d64b2787543586d1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddInExpress.OutlookSecurityManager\Clsid\ = "{20E1481B-E285-4ABC-ADC7-AE24842B81CD}"	414d3ebb8519a39d64b2787543586d1a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2148	CheckLockedWsFiles.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2340	414d3ebb8519a39d64b2787543586d1a.exe
Token: SeBackupPrivilege	2340	414d3ebb8519a39d64b2787543586d1a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2076	WhiteSmokeRegistration.exe
2076	WhiteSmokeRegistration.exe
2076	WhiteSmokeRegistration.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 2148	2340	414d3ebb8519a39d64b2787543586d1a.exe	28
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 2340 wrote to memory of 1160	2340	414d3ebb8519a39d64b2787543586d1a.exe	31
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30
PID 1160 wrote to memory of 2076	1160	WSEnrichment.exe	30

C:\Users\Admin\AppData\Local\Temp\414d3ebb8519a39d64b2787543586d1a.exe
"C:\Users\Admin\AppData\Local\Temp\414d3ebb8519a39d64b2787543586d1a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe
  "C:\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe" targetdir=C:\Program Files (x86)\WhiteSmoke
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\WhiteSmoke\WSEnrichment.exe
  "C:\Program Files (x86)\WhiteSmoke\WSEnrichment.exe" firstuse
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1160

C:\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe
"C:\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
102KB

MD5
d456c8fd3bcf00c05e8975e2a8bd5e6b

SHA1
96c5392373cd552bba87cf8372d2561cee6789c5

SHA256
493773cd62f6cba1f17ab6675eefae9240802338951b12f26b72d0faac57bad6

SHA512
e8d9bfca472e03085bfcb6822bd35dcf283a1f6452d48a8a2b4e233881e641e4915f1a0133ec46f5965d5a3953253052902683ea2390ea68bdd3c0c762b9176a

Download Submit
C:\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
222KB

MD5
e179242449f4b121feb9534d63da2be7

SHA1
aa818abcc463445f908bfadf050b0dd3d9d22772

SHA256
0742441e346849311c2f847a145e5fe5d6c727687676895543f6a9db8f2c20fc

SHA512
6ab5f77b87fd2d2a26a297d2a9af298a0ecfaf6bb1ef96825b6ddfa5a6e2f2f5cbe8c02e4a0ff4d7c5d6550abba9ae7b164e922d87bd881077dc43f082519abc

Download Submit
C:\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
85KB

MD5
25b1e2797ad3926eedbd1817fdaa3eee

SHA1
c5822d4a56225dac7733a63aea0d85a0e385c8cc

SHA256
4a02dddd5d98aa5ef1b953227ac68d9f3d5058ecad4992de374015d9a06dce3b

SHA512
e617592726e30de843b91d5f13d74255fb201ee7279b000de612ec10469c995d4da1ca460601358cd1fae372d7778306ab30bd720f496c8dd03b3ad536b99314

Download Submit
C:\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
90KB

MD5
046ff6e644a437412e55a51a7623c53b

SHA1
971179665bc27e0e5e69ed349f8d97318af27b63

SHA256
621681b67d35a747cace817e2ce5552e3f531bef5130751af3171d3e20396df7

SHA512
8237581112d9860b0104e475054a7bd93eb2fd10fd14a3b4fb60e2cec03ab26f0d9e7607cec3fabb5582c01076565a02388b63c608a13a519d994f2dc76bba5e

Download Submit
C:\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
78KB

MD5
e7ee9dbedd0f75bbc7c3f59d190b4193

SHA1
e96fdb3c69c8fb60ea6258829ba5b9f6c9e7bf68

SHA256
cdda523cf8e59f7204e2956945a3ce7247031df02839718bfed24a73069226ce

SHA512
2898e3b84ac06607f1c5f68c4a8f2ee2251b01276f9374789e52660c21a6d0a708520165777be974f43c97bd0bf5b7ad4e568b8d99843dd09288ae62659a673e

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\common\js\common.js

Filesize
2KB

MD5
ba2b495e5c2ebb5818f355f2ef4ce7a1

SHA1
87ccbb9d2a28fcc0a4e46198aa68788df61a01f1

SHA256
4f6c5b690d29ac0236598feae6148088b1ec8d1decbc8ac78d73afb687a72f12

SHA512
c4f45accae2009928ee7bea89d7636cb3a87b5fcbf63e69c7fb3570d967027b6d59e5830c4301c5f3024ea83206b45abe4379edf4142b1fef5c2bad357f38f52

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\common\js\pngfix.js

Filesize
1KB

MD5
09347e40e536096c77f2e08ec40ed577

SHA1
dbd13d6b583afe8296ee602504850dc5fc7696a3

SHA256
ca0e72d69251480bdf6711f215a3a6622a3adcf50c26f37b9032e54106cdb62f

SHA512
3959f43afd77efc7a360c1868aae9f86ad66ebcedd6c4c46eb4810b4fdd9e1f231ff8968d373801b7f9e268b5df06d600552acf387c77c7c2d977bb0ca24ac72

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\common\js\prototype.js

Filesize
76KB

MD5
46c7adec29c179f877b4ba69da17d885

SHA1
a9dd6a19bd1546c667a28eae3c5cd7ce4dde5af0

SHA256
c72ce83d6568689f947943a8295d5d0eaf1521ae37d13ff991745a700f98d32e

SHA512
003fcb180d12c8dc77ad0275e6b696b720975ff5780078acb8005a8c1a5bbf7071021c9a95e8d2695949430662408ac7a4956194937f6f0c4fbc1ef21694ad78

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\common\js\xmlhttp.js

Filesize
7KB

MD5
bd7bf2f2b52f13245127b8d3e090c1bf

SHA1
7cf6b19603e4df7cf370a678ae3e61065554926c

SHA256
bd6efb5b0a37e2f58e8e050c5d64189bf5d80aa09c6421ff104ef233009ee34b

SHA512
ee3ca480367b417678ef9a4e1fc3f5cbfaf011f449dca87a5cc4862958e0e5e6688bc35033c92b7434872124361067408d1fbaa3875c7d730c30b248ec554907

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\content\img\spacer.gif

Filesize
49B

MD5
ed280a0ea3cc38f3cbbc747acfbef47d

SHA1
6bdcb32ee75e957a5085c010f4dfd0c716bfdadc

SHA256
8f69e10876805b747a3ad08a818d46ac7e731b1af417ea6e259d9b6b7deb65c5

SHA512
4248e293bb759c3ac0ea71f545e10e85d0c3c7f1237ce8b18c6a3fd00499a11bdc0252c938be87359fa673c8e7a83c7cc6fc5d12718a68844c2615e5dca3527b

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\blank.gif

Filesize
49B

MD5
56398e76be6355ad5999b262208a17c9

SHA1
a1fdee122b95748d81cee426d717c05b5174fe96

SHA256
2f561b02a49376e3679acd5975e3790abdff09ecbadfa1e1858c7ba26e3ffcef

SHA512
fd8b021f0236e487bfee13bf8f0ae98760abc492f7ca3023e292631979e135cb4ccb0c89b6234971b060ad72c0ca4474cbb5092c6c7a3255d81a54a36277b486

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\checkerboard.gif

Filesize
99B

MD5
b5129f5183069e6289a7e5f6b259ee94

SHA1
13776979ace995544984d4a4ed8fcdd2d747cd88

SHA256
282ca5ea183ba817633ee1a19d849456ac904fdcd39b6ace06c761170faba29e

SHA512
cb650be9bd9b1db5d8de2a63be6fc11d6a52183c467ecfbe7102119438fb118caa07e94ed28dd98c34ace0c27e1623dfa61186cd62bfb4d7cd0d7b3998032e8a

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\helix.gif

Filesize
1KB

MD5
003573f24525229cef73b654d2d7cab4

SHA1
a5db102a9461389399269737bfc00c7e469b33c0

SHA256
e0c9d484dcfb5fc640cb75b2e487a3fe2a4895bdec30d65477c5ebcb20e5fef8

SHA512
46d863ddfb64a30eb39ea5d7f75b3ce0226f7703d9690ceabef247943c946e3ad02da6cad7d97eda54eb117e583d112c2e5291a884deb685cc2a30df9524e692

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\iepngfix.htc

Filesize
1KB

MD5
754f6138a981333c1469fc5a6497c292

SHA1
8ebce2377fd72eb5c4c623a42bafe7530cc4f96f

SHA256
b2de9993f8d8d2d1380ae9faee2b44dae453f2ee1c122a7c983064ac95d9cf75

SHA512
d6760b79897c7e6f0279c1dee80506838f4e5b9542a1d59e76474dd299141d11f5fddb154437f96253ade0a1dc660fce5942958f5c05adcd2a9c6ec2f37f07de

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\iepngfix.html

Filesize
5KB

MD5
3b6d8218e0eee11fa727cf6e934e4b37

SHA1
a59fc037f33598eaf6cb0a17e4b2c79e568c767b

SHA256
4fa5b3e3394b34953ced7ddd1db6a9e322b517e6415304d52ea07177de2e7fc9

SHA512
9e6fb593d7642b4d3e520e79400b2a7b184609fd3c648c5e2837954b638d6a9ea087e41c6000991ed9e49f907b5daea9ec1368cb8d6095d29587f0a8d7031001

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\help\js\iepngfix\opacity.png

Filesize
11KB

MD5
845a429bb08871be907da3e095ca6430

SHA1
f8b7a739955ff8f0b7b09902e8451c73e4fe5463

SHA256
5c923b6abd414cbac4e3c255dcafc3f3d4ea45295d8feb9f4e5751605a3d0e3f

SHA512
49382b368975cf80761f79d61a8d5142110749fe32a37f4b16a49ca7f5264b6b254037819f76aab8fc429d14997422c7dd47c88512e7956b628b95fe0d5390be

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\img\banner.jpg

Filesize
59KB

MD5
7e48f36836da22380e8f2e9228b4f294

SHA1
9e441cca24c150280046eccab883be6f30463f55

SHA256
d9ce4bfbe33881fd3dd7ade6f3c2c4824ddc258eda0f57f7ce41d2d83a61123f

SHA512
9ecf06a331bd85d675f92e64e03fa516966f1d51906edd93aa50cc565e68a1c0668757a8bebffc0a4e99b686accdaad681ddc40ec4a93bfc8c83ea4af6848ecb

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\img\captionbar\caption_bar_close_up.gif

Filesize
888B

MD5
e62deb1c78224ae64561bfa12434d285

SHA1
8914834e543ea7f7260922a5af260861b775ccee

SHA256
84c04fde127b67fc4a700b59e1e5173bfe7a973c7f353ce12f7a3afed01beba5

SHA512
d3080ed1731acfd3fc416a6f5f004618db45c2e4821f5a2f9e4fea8bd4c54516285a4c492c86a45a0e15b9718d6a4601855a3a3332bf69b2b0367a37e625477e

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\img\continue_button_up.gif

Filesize
2KB

MD5
51050a9eec809191df01aad81d4659c7

SHA1
93d463e84a5fdbca3e7f54dd090ef13348437237

SHA256
69a0f44b3fad3c9165a2c24805012a61e862d78d04fb248599b3ec44f06f3952

SHA512
49fedea138eed6573bf796471c2824afc760452e1037be42cb4ab73121b464e2f466d2bdf842ccb7fe82faac5695233b101e7946659fd5b53d9087caa13bbc11

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\img\down.jpg

Filesize
20KB

MD5
d25354115ebaaa6dcfcddd6465481f0a

SHA1
766051fe113c9ae1fb3dc9fd863dbceb757ad063

SHA256
6fffd22b8f0fa147398b6708b952411c63ed964a2af3a94702bb37877fa8fb25

SHA512
7e9f580fc22b97c87ac36089460eba68bfc675b30bb890003f3ec3d3cf9c3b6a0193570698d89b595824144d9aa73e128314ce649dd4c2d6ec3aed8f74d71aee

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\img\f2.gif

Filesize
8KB

MD5
62db3867033fc33905a0edfc7c764481

SHA1
2adf151bf6f51bfc7f049630391b4e387b50df00

SHA256
1755a88af22a99b680bae0c2a2f202b557676c39cfdee7bf0414bbfb3730aa60

SHA512
d21ba0925ab1ec7067bade37c9972808af0b5de5eba4dd290a423d588ab4f9c380511accb885c5b5ae8e0e505de1af289832f99a4154bd68b54ca7b03f44bb56

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\index.html

Filesize
3KB

MD5
dc8f4057e0398e95c20e6b32fa8c772a

SHA1
5323986c80274cc1ff629776819b1304edbf2f0f

SHA256
73753d2cf3ebc6186f85667e4f535740a48bbb7fbda0d1c1a68ecd8fc8a22753

SHA512
17e5db06d5edd4b7aa952fd136e43df18547fd59d71419f2ee1f05dc60c40029e315d29267b600e8e491ea7ca9591f1804188caee7d535c31197180640e54232

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\js\regInterface.js

Filesize
4KB

MD5
ee84ba5b400bb48fba4a3ddab63e7826

SHA1
1d9abbe275d1ed64659dafa9e03800baec34590d

SHA256
9438aba1174e98538e5a20039b5a079f70af090a7f2d2e969446d9c7d88b4d96

SHA512
7d4a1e31bd3e8191b8df811e818856a4c02e22e82912d2892cac8f2ffa976d97d8a1d3757c8bec87542fc12d289359decf36d9da16f876659ebac40f9d23e879

Download Submit
C:\Program Files (x86)\WhiteSmoke\html\english\registration\style\registration.css

Filesize
2KB

MD5
328b1c3262628e1c3910e3f8a49a4faf

SHA1
27f400e33e78d2e109dca2b21b692e3ad6c54730

SHA256
75cf85facb14e6a6822edde26b2f4d0572d3e72f295f019ee4b323fe21815e56

SHA512
0e7490003e4da0bf570228d111cc414d2ad560b20f698aad4841a5a9c9b6a5d84b23629d99a935fddee288b5b5e54dd0553549726b625bed00726debd5c3090e

Download Submit
C:\Program Files (x86)\WhiteSmoke\settings.ini

Filesize
256B

MD5
23c2c8b85da0646a7bc8ebef06946848

SHA1
6502d1e0fdf5a61c20f1d8b77b18aa130bba0cd9

SHA256
b0ef37b3c94626d3b53dc15f09369a948bcd0d594113a56ea2c0a4e2a9a6a4c1

SHA512
9b922b16001ae6d55cd8c1ac33c68152567fda688fb54809f4e5d3dc0c927aeae1724cf889791a625ad6dbd477586dc7046e68b04b4673ff2db73b02ad19ec66

Download Submit
C:\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe

Filesize
56KB

MD5
c0af9f7888b4c4cae86330e68144b985

SHA1
3e84e6a263488cae755ed0c8a4018d3b525a4421

SHA256
fa69110df2dc3e4c657d935ae4e479b85948d5dfe72eb2ac20ee1ecaf9c5f08d

SHA512
b72440a820761c0f3018b7e411c7026147789402526f4fd7d3bb9be6150b2c881d079f2151758c5825bdc57f5bb7c5059b692213d633f44fc89c9e5bac8975da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe

Filesize
65KB

MD5
c921838869cbee0a1ae978da2fb7f6d7

SHA1
019af203b8f2e2c2f13203729908fdf950273dab

SHA256
5fa359d6214aa06988d1528ab7ca2dc64e743238c963761cd48d38c9195bc2e0

SHA512
ffc32d9b010af31bb89f7dbdcf86446f7b4008e16891627a16277373feecb66cdc863b87e884c7364fb7717c0b89ec76a0a6041ff2ba5e532711f4e017018a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe

Filesize
45KB

MD5
da0f895a40a289a0d61a4884729aaaa0

SHA1
d44fb08f0c5f6b40da3e1206def085455e90a648

SHA256
6c87dc0c39e968ed02a1f5aaab718de8776c2e5eff0558996109c05a767bbb5e

SHA512
e544ca28e5fbd1693840fd0fde7fa8c26bf51702dfef40aed80fee38eae68a486d0f18ed6efd94d38e2f99975edf8770d1babd6f3f5ada1cbab1869ea2561cf1

Download Submit
\Program Files (x86)\WhiteSmoke\ComVistaElevator.dll

Filesize
40KB

MD5
289f66224dc2cb2c8bdabe41b7d39da4

SHA1
8fe754eb0c4c4267feeef1d734950845f7df36ba

SHA256
6a71e0f20770e45bfd6577ac68810f495774ad797c0fa4e64e1a6d05c092a3b0

SHA512
abfb48a466a235ece4fb3a4310740f6c7550ea9c8a6c24a91f6adc0dd140bcf33a33e3ba837d9dd4771ce8d33a38882ed62d6bf97cb8e7bd255ab1ccc5ce462e

Download Submit
\Program Files (x86)\WhiteSmoke\Uninst.exe

Filesize
45KB

MD5
826527fe57a725dd98a99349aa04fe98

SHA1
87a90fe77bacc224b0ab174f066f481f611a7342

SHA256
dd63911d5f095e04e99783c4e68973e80ed335cb2704beb320059c1adc395883

SHA512
6cc271cc5677d8110f131a28f58a24c979a30146790830bcbb1246f1c7c371e488b8f1316f1f428d15db62ee69a8cdbf8f6043ba60444309d26464adf3017329

Download Submit
\Program Files (x86)\WhiteSmoke\WSEngine.dll

Filesize
123KB

MD5
1cd33f8cb22b1a6e18be08ab7a7c8fc3

SHA1
c445ce01d12a2ed538068c2913e5b6b60c184f11

SHA256
4f72d50092b870cd784f15213a966ad0f8de369c89dc4e28de0150f876d3e6f7

SHA512
483535966f1bfcdf842fcf14b843fe3991e182546a301cb5c20173208080a65722bd705c0fc4ab32e2132b08331a4db0b0a4f3536418d8507e7cbd65ef62b880

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
135KB

MD5
200aeb921c9bef02f0d1e3440629785e

SHA1
f9a166e3535b0f30637d1c680ee137afdc34f7e6

SHA256
964ba87edaee3caa6358bbc9781e8044db46a91241212c1ae5df54b7f82372e0

SHA512
f8a880c1e16fb1c44f2bc151e68714c16af83b0cb0fb083ed6f632356f0bae8932450c1315b458cf37a52844a5eacac7230965e33adf20b71450d57cead75d15

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
107KB

MD5
14d9ddc2d8d1e903fc3268c817d69897

SHA1
d6697566ccf85bc953f1b56f25b23dce5f7cc41b

SHA256
0e1e7d77fe32a7e3cb153d28f19015ce40d62da9b01ad42ffe282265340a717f

SHA512
fa22503caa92324bbdc546843aa5d821e68a3840f52ecaf391e2d42c9764ed344456f793a8ab2f433681d9d4e15e152344b5f5154f6ebb27d58b668bd673cfb9

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
32KB

MD5
9390b9d5047c7a104d2e30631125abff

SHA1
637650cbcdf2120546694387ff597dcb64103b0d

SHA256
d74d35bf5d43be38521deabedd8809ff8f09469044ad67bf72ed7d625f16df59

SHA512
733bbf2507608279f5b6a35b2f89ef27cf6f424b8f363c0316386e6ec843ae9831aa3c9605f7dbcf977b7daad1237306cc2348b06a771ee820ac8d20d31f7351

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
51KB

MD5
1327ddf03bb3ebf0b9be65798d529289

SHA1
9a1be9e42abc175e52447ed9daa0b759783dbb0f

SHA256
cb88da2f92c77903851cade0d2e997fa56cd382be9a19acdea0c8a4139c98b23

SHA512
5d30f1fdb0f58146098357eb15f303d32b49d222319b2edf070e64aac5bd5bc916d820cb97711bff8081d72137446c964e51a07130547d8f7dd1dd0db4171555

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
75KB

MD5
5db50bb1615e778800ac6468f2bd00a5

SHA1
e8d645fed67a458f92bb90fe8ed7780dfe32b479

SHA256
2ce948b31c7934f5820707bf6b8cca6e20d1e72e68dffbe5e5dd597c6be60df2

SHA512
d0e2f62cc5a390e060660848c3764d5f6e3159c1a727b2d2a2c2091d6c10881d9f4ee3e05235fd8e8e0ac43326bd48a524486bca93372bf9972edcb0108737ab

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
99KB

MD5
c7e72913520dc4e196aea9f135a4889a

SHA1
ceebfc39b1be7357d1b82d57fef90164edd6822c

SHA256
99a13345880573417a670244bd1a96a26ab35e640647b02739e8b230b9e341ad

SHA512
7719838a7ae58f8bfc7e059b5b2257d246c4690e7800154461b50bf31841e34f8f4b9b27cbbb8ac813c8188eab1bb64211a50bd40123b6d0dd44dc4095c3ddfa

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
122KB

MD5
399dc9e7914c377c27783935c1f11574

SHA1
1e747c71d0eee2442bc19e6eb3bff75d9ad07ece

SHA256
9e51341716c30591e9d74a55d2d3a8ab8546c348a494238832c775542ad0be79

SHA512
53411ffb85fc8bc2f335b018ddc557f8bc5de567fa4d5cecd4e2f2367b6afa385bc748a4fd82c2d080d7c0687d1686f33a68d0b0e9155a79ef4ceb9670c4e91d

Download Submit
\Program Files (x86)\WhiteSmoke\WSEnrichment.exe

Filesize
90KB

MD5
80dc2fc61a3e4687bb614d66fcc95387

SHA1
69e512ff49113de4e89013754efb94f32c0aee76

SHA256
46d37c292153afb7559bba108beca433c81aefd88588d6bdd20392a36edbf5f4

SHA512
7a239dc4ece269fb9a1ed2bf8dfb5c422dd983695b2a853ccc69b6728c0fba331a5fd55b40a0c0f2bb21e6a5790aa45f488e21ceed861b80485e52147401af4b

Download Submit
\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
92KB

MD5
1ca5c66702050c00c730d79eea922a74

SHA1
4602c361edc8c5b0a7c46394483f658c7e8f32fd

SHA256
34eb18a981dc539d1c2773b86ed44316dcfd633138be370077e246aa71b00708

SHA512
b24dda1e78a0633b33037eca3c486449dbed8aeefd7e331b08c628ab6d0b59f0c2bc52510a3c5ba2318ca57be37a824b2628ae4b0ddbfbeecafe478e4d6e9f49

Download Submit
\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
78KB

MD5
ab0dac96afa110b1ce7ad75dbd560e26

SHA1
76ff958d334c6856f49196adb6afcfe6c89cd0f7

SHA256
4e7a7a2e5619b0c61e14cf7af91fb204af4a6667cbcfe745d224f90a9c860ffc

SHA512
175c8127bdd3fcf39a5febf7532c699211994979097b3f7b39bc71def72a905d4fc71aac7a1ab1b27a0fc37b82c275e8d6ff983d4077e7e511acd28ff3375058

Download Submit
\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
100KB

MD5
a3a4df32f34fa49f7956f5c07731f9c7

SHA1
a94d20b8fb3131f1b4146f345a943ef1a0b1d16c

SHA256
3a6eacd28cb442b04a2937298b8167cf8887a867ba66f49b9841fee53d425425

SHA512
0645d6097e4241d6f46360b33be4dad1e3b2eb26699edc5642dc29711a0fcc20a1a344b1bd8ad986b36d4eb96843b380a53c4a5ce360207e89a7528ac79975c0

Download Submit
\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
92KB

MD5
d8e39ee7260e901df6b8aa461ec24efb

SHA1
f1b6a9597fe947c75e5201f045fae63fcd79f579

SHA256
5b7e20c632339e4db5fa586f10e7b7e69b5c1b867ca48cab77ee196c374d08b6

SHA512
f1fc21f3e85950bdf2d34996548f4c49832e9653670c7e5cc1c1c61cd970255b697db13fb473e246733a46cb73dc55884c531952940ae1113282aa801c8c42f7

Download Submit
\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
60KB

MD5
1d0175e8ba14e2b59f12ee334badc4f6

SHA1
e7b551cef2a13bbbc1d87827a360b23fa2523d73

SHA256
b39f5392817fd690802feb33c65519e7f23275ce98e6ecac76e4783f7902eb7f

SHA512
38204449438593863c5dba0924ca9f0bc372804c3159ed49b54a034552dfcaf796d2e9c53e1f73fafa78ae9c5d54e26f3c5b47b7dc311bdb9cc5ec4ace0d8bb8

Download Submit
\Program Files (x86)\WhiteSmoke\WhiteSmokeRegistration.exe

Filesize
142KB

MD5
c980b19ee2467f0a9471a2e4ea4ccf1e

SHA1
cd67251f9d3a20e38e014306844edc705bef5db4

SHA256
ba1b8a559cedb7220467c74455979db4deda32ca32e945e4d424e5319ba27181

SHA512
7121609ee6590869ddc5d7ac671af41589d871c297ce959cbd922e89554c17733df2217540e91b997bce77320f0fd5bbaa800813ffb73a31117103bd7342a3db

Download Submit
\Program Files (x86)\WhiteSmoke\osmax.ocx

Filesize
130KB

MD5
a92ae99a62a9ec8d7edbac2e6fbb10a4

SHA1
54ff3d48bd013c680d0951912e9db5e51a4c424e

SHA256
a739706dadd627319b12e49d38b1080b8afedeaac7b88b6d6e06dedcd799166a

SHA512
a79b6a34ef0d530c680dee204bfe8e3ddf3a88a97ee4c7c86cc5432b0c36bc7f894adc31b661fe1a64a3d2b4456c247084da6ea808e415c22e47be1fdfb3c524

Download Submit
\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe

Filesize
92KB

MD5
16d406b8e22698498dbe4f63ca2742b7

SHA1
6e987dadd281312e9ce78b2eb1c974eb6d3da454

SHA256
fd23419f83ffadcaa07180b441d848f6302a6b9e73dc8eb1243cca50d6b9acd8

SHA512
29c9b408dcbc85c54583959910bcfe71c0f609646cf5a914e743b5615f18102e1b784544b5025b713e55c9f4acc4843cab3b717171a74595e1926a8efda7d2aa

Download Submit
\Users\Admin\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe

Filesize
68KB

MD5
e37aa7ec42c4ff9561137ffb85def6d9

SHA1
518d7e1256df42bdd6337cae8781cb061a230671

SHA256
414eff111ae1dffcdabe645683c0206b378c4770ef11ad8239d6604eb4561820

SHA512
a5c2e09b977948f4496a7962e3e77d8422d84e46700d7197bc7b1c256f0f216e4988cf3edb1ea6c861c396fced35007fcb2fb088ca8e41408ead60645d96b841

Download Submit
memory/2340-935-0x0000000000B90000-0x0000000000C2D000-memory.dmp

Filesize
628KB

Download