Analysis
  max time kernel: 119s
  max time network: 144s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 20/01/2024, 08:48
  Static task: static1
  Behavioral task: behavioral1
    Sample: 69fefc7584266eb0fe60c83e3cfc0adc.exe
    Resource: win7-20231215-en
General
  Target: 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Size: 471KB
  MD5: 69fefc7584266eb0fe60c83e3cfc0adc
  SHA1: cdf7a76db1d6e20ba9283bea90a232e1458685f5
  SHA256: 48ac6535a5b415175574538f76ac51a6ecc0bc89f6091e1ed8328f92215cfe26
  SHA512: 24dea1cd154a5e44b18a2dae6246dbec1ec70be4b6f23045601b4148fd5d65a7816b70ef6e19e79e47596d7cc5a59c859e7f5f2de52856fa8853824cbbc2a2ad
  SSDEEP: 12288:4j18JfmmwWXT/0uaogTseX0yLFl30leziGt3QNl:oCJYuLgoeRFlkkziGtANl
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 69fefc7584266eb0fe60c83e3cfc0adc.exe
Drops file in Drivers directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 69fefc7584266eb0fe60c83e3cfc0adc.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 69fefc7584266eb0fe60c83e3cfc0adc.exe
Deletes itself 1 IoCs
  pid | Process
  2592 | notepad.exe
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe
Suspicious use of SetThreadContext 2 IoCs
  description | pid | Process | procid_target
  PID 2540 set thread context of 2160 | 2540 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 28
  PID 2160 set thread context of 2628 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 31
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 69fefc7584266eb0fe60c83e3cfc0adc.exe
Enumerates system info in registry 2 TTPs 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 69fefc7584266eb0fe60c83e3cfc0adc.exe
Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3088421-B770-11EE-91D2-EEC5CD00071E} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c000000000200000000001066000000010000200000003b8badce54b9f1e15257ff9c6df3fd6468009ef6ecfb00e6fb711231eb6cdc76000000000e8000000002000020000000cf54e63366bf51d41e4c0d60b9ed46c0d2f134d853e763385d2fa77a7ccc1f9e20000000f6c372c1a3db028617ceba48252064045a05c83f02ed19e5f58bc95885615c3540000000ca9300b19d58bf5d263f96842189feab46081cc2b52c208d26c6d10d6788d8d1e97c7237eeb880c1cdb7d44a11827914cb44bd029186fa0da5f739af345d6ef4 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411902384" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09c6b887d4bda01 | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved on the page) | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2540 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeIncreaseQuotaPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSecurityPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeTakeOwnershipPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeLoadDriverPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSystemProfilePrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSystemtimePrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeProfSingleProcessPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeIncBasePriorityPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeCreatePagefilePrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeBackupPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeRestorePrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeShutdownPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeDebugPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSystemEnvironmentPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeChangeNotifyPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeRemoteShutdownPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeUndockPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeManageVolumePrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeImpersonatePrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeCreateGlobalPrivilege | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 33 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 34 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 35 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  1308 | iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
  pid | Process
  1308 | iexplore.exe
  1308 | iexplore.exe
  2864 | IEXPLORE.EXE
  2864 | IEXPLORE.EXE
  2864 | IEXPLORE.EXE
  2864 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs (identical rows repeated in the report are listed once)
  description | pid | Process | procid_target
  PID 2540 wrote to memory of 2160 | 2540 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 28
  PID 2160 wrote to memory of 2776 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 29
  PID 2160 wrote to memory of 2628 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 31
  PID 2160 wrote to memory of 2592 | 2160 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 30
  PID 2628 wrote to memory of 1308 | 2628 | explorer.exe | 32
Processes
  C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe (PID 2540)
    command line: "C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe (PID 2160)
      command line: "C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe"
      - Modifies WinLogon for persistence
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\notepad.exe (PID 2776)
        command line: notepad
        - Adds Run key to start application
      C:\Windows\SysWOW64\notepad.exe (PID 2592)
        command line: C:\Windows\SysWOW64\notepad.exe
        - Deletes itself
      C:\Windows\SysWOW64\explorer.exe (PID 2628)
        command line: "C:\Windows\SysWOW64\explorer.exe"
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\iexplore.exe (PID 1308)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=explorer.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2864)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx