d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

Resubmissions

19/08/2024, 11:06

240819-m7hn5stfml 6

19/08/2024, 11:05

240819-m639fszhlb 6

Analysis

max time kernel
33s
max time network
34s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 11:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

102KB
MD5

c137c5f5287d73a94d55bc18df238303
SHA1

95b4b01775bea14feaaa462c98d969eb81696d2c
SHA256

d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512

ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5
SSDEEP

3072:+5OYpgK2+49WqfOIbA099oey1r45340VJ:+jpgFP9W+bAWoesrU40

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com
28	discord.com
29	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D7D46A1-5E1B-11EF-95E0-F67F0CB12BFA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D7D6DB1-5E1B-11EF-95E0-F67F0CB12BFA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\shell\open	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2328	iexplore.exe
2768	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2328	iexplore.exe
2328	iexplore.exe
2768	iexplore.exe
2768	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1952	2120	CrackLauncher.exe	31
PID 2120 wrote to memory of 1952	2120	CrackLauncher.exe	31
PID 2120 wrote to memory of 1952	2120	CrackLauncher.exe	31
PID 2120 wrote to memory of 316	2120	CrackLauncher.exe	32
PID 2120 wrote to memory of 316	2120	CrackLauncher.exe	32
PID 2120 wrote to memory of 316	2120	CrackLauncher.exe	32
PID 2120 wrote to memory of 2080	2120	CrackLauncher.exe	33
PID 2120 wrote to memory of 2080	2120	CrackLauncher.exe	33
PID 2120 wrote to memory of 2080	2120	CrackLauncher.exe	33
PID 2120 wrote to memory of 2088	2120	CrackLauncher.exe	34
PID 2120 wrote to memory of 2088	2120	CrackLauncher.exe	34
PID 2120 wrote to memory of 2088	2120	CrackLauncher.exe	34
PID 2120 wrote to memory of 2132	2120	CrackLauncher.exe	35
PID 2120 wrote to memory of 2132	2120	CrackLauncher.exe	35
PID 2120 wrote to memory of 2132	2120	CrackLauncher.exe	35
PID 2120 wrote to memory of 2552	2120	CrackLauncher.exe	36
PID 2120 wrote to memory of 2552	2120	CrackLauncher.exe	36
PID 2120 wrote to memory of 2552	2120	CrackLauncher.exe	36
PID 2120 wrote to memory of 2392	2120	CrackLauncher.exe	37
PID 2120 wrote to memory of 2392	2120	CrackLauncher.exe	37
PID 2120 wrote to memory of 2392	2120	CrackLauncher.exe	37
PID 2120 wrote to memory of 2396	2120	CrackLauncher.exe	38
PID 2120 wrote to memory of 2396	2120	CrackLauncher.exe	38
PID 2120 wrote to memory of 2396	2120	CrackLauncher.exe	38
PID 2120 wrote to memory of 2828	2120	CrackLauncher.exe	40
PID 2120 wrote to memory of 2828	2120	CrackLauncher.exe	40
PID 2120 wrote to memory of 2828	2120	CrackLauncher.exe	40
PID 2120 wrote to memory of 2168	2120	CrackLauncher.exe	41
PID 2120 wrote to memory of 2168	2120	CrackLauncher.exe	41
PID 2120 wrote to memory of 2168	2120	CrackLauncher.exe	41
PID 2120 wrote to memory of 2312	2120	CrackLauncher.exe	42
PID 2120 wrote to memory of 2312	2120	CrackLauncher.exe	42
PID 2120 wrote to memory of 2312	2120	CrackLauncher.exe	42
PID 2120 wrote to memory of 2752	2120	CrackLauncher.exe	43
PID 2120 wrote to memory of 2752	2120	CrackLauncher.exe	43
PID 2120 wrote to memory of 2752	2120	CrackLauncher.exe	43
PID 2120 wrote to memory of 2576	2120	CrackLauncher.exe	44
PID 2120 wrote to memory of 2576	2120	CrackLauncher.exe	44
PID 2120 wrote to memory of 2576	2120	CrackLauncher.exe	44
PID 2120 wrote to memory of 2760	2120	CrackLauncher.exe	45
PID 2120 wrote to memory of 2760	2120	CrackLauncher.exe	45
PID 2120 wrote to memory of 2760	2120	CrackLauncher.exe	45
PID 2120 wrote to memory of 2816	2120	CrackLauncher.exe	46
PID 2120 wrote to memory of 2816	2120	CrackLauncher.exe	46
PID 2120 wrote to memory of 2816	2120	CrackLauncher.exe	46
PID 2120 wrote to memory of 2856	2120	CrackLauncher.exe	47
PID 2120 wrote to memory of 2856	2120	CrackLauncher.exe	47
PID 2120 wrote to memory of 2856	2120	CrackLauncher.exe	47
PID 2120 wrote to memory of 2804	2120	CrackLauncher.exe	48
PID 2120 wrote to memory of 2804	2120	CrackLauncher.exe	48
PID 2120 wrote to memory of 2804	2120	CrackLauncher.exe	48
PID 2120 wrote to memory of 2832	2120	CrackLauncher.exe	49
PID 2120 wrote to memory of 2832	2120	CrackLauncher.exe	49
PID 2120 wrote to memory of 2832	2120	CrackLauncher.exe	49
PID 2120 wrote to memory of 2328	2120	CrackLauncher.exe	50
PID 2120 wrote to memory of 2328	2120	CrackLauncher.exe	50
PID 2120 wrote to memory of 2328	2120	CrackLauncher.exe	50
PID 2120 wrote to memory of 2768	2120	CrackLauncher.exe	51
PID 2120 wrote to memory of 2768	2120	CrackLauncher.exe	51
PID 2120 wrote to memory of 2768	2120	CrackLauncher.exe	51
PID 2120 wrote to memory of 2492	2120	CrackLauncher.exe	52
PID 2120 wrote to memory of 2492	2120	CrackLauncher.exe	52
PID 2120 wrote to memory of 2492	2120	CrackLauncher.exe	52
PID 2328 wrote to memory of 3064	2328	iexplore.exe	53

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2832
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/SDxDej44bY
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3064
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/sk3d_club
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2768
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2120 -s 176
  2⤵
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63b20354fb7ab36d7ef3ce9b74fffe2c

SHA1
5a1a32d849100311be6528338b3962ea9a9ae94d

SHA256
88821c5a0931633bee172f42c8f273760d8209ec6dc27550af93625514d1dde8

SHA512
12a10782d941ca0ca23c83d5be2b04b59d16ca59e8e463935e51c2a616f8672d39a46073ceac5a38498c1b0ab1926d464deb8adb5a585d67df930ca27889644d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa70855fd57f70bb87902a663587b58c

SHA1
c878729bc0e2caf7581596c9507ca306bb531999

SHA256
75ba4c15b23e55490b1d8f82722465600c1e4776d8a14e149e8f99ec81e6741d

SHA512
603a480a313ed3959a4fdbf1e2f8a34f14e6681cc472ff54a1660c89f2df812142c93e847ed97d4e16580c211f88c7af4f403a3b4674c8638e75db693514b7cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0042f50d565af3fe9e77845c15bf509

SHA1
1f567dcbf9f845712cd97ca6494f6e2f2b8dc9c6

SHA256
70b4908279af02d76ed2a79ad6b9df6d8ea7123a3b691dde05198f1f05c9e649

SHA512
f45e623a347ca0306940ecaca56813204f6105302a7a9c0ecaf613cbec67911cbf28d9f4f8ce7e613b782a6e0a300a84fda3e82667196421bb91ceb0c8bfa89e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06c72ea4fff01a70143b1725eb34fb6f

SHA1
3518eb5f081ec8080af21535e2860c50f3f420d4

SHA256
813368ce640ff91f80a50b660638ff29a7b69ad1b8e1b4165d62edf5bd9ef8ad

SHA512
0867d3a857fbeed426a675ae06962546734d0f13a905cddafab85e3ccd6cfd95f3b258d8c1c55e276e1eb4737e295c8ade186b14d27dc5fd3c6f275addc3bd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a30dee34badbf14ca5545af54f9a1ec2

SHA1
1d1b7e7f641a7da97e010c77d6ed890805a1cf6c

SHA256
480d3d98dbaa96bbc5b7f8a9e5c39a3183140f70f885806c0c88c2df9c610079

SHA512
3934ae72ab38bf810efc0a8c04a421eacf1f3119fa785bd640d36bbca8882a60f02367b9aa4783ecc1813c53f646ed087e536e1f22614a3b222b71b792d1bc1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb5e15a61450496070b22ba2b8d3c4aa

SHA1
a0a15c029d5964ca32b67b221012cba9642c7d26

SHA256
0b8c67a9e3eefb9349f993d5ece10a9746477e1f184af7e85f3e614b0f30e1bb

SHA512
7ee6f2d05f724b21ba7956bbb42ba5fe1f872233e71307a58bc0880608cc5c543251227b62bbb99a1f3790f9e68dff83d58e06918003a0735370fe6b28b3959d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
973117ff477a432336436b15a81e8e74

SHA1
2bbf17cbd6de11caa8d58a85e281fbffdce44043

SHA256
716e2e55b7d70b884b235eb22f4b65a5e75d2caf9f6493d87ae01f52d1fcaf55

SHA512
1e9f547b2fcf8275774737bcca8a9b0c813816728fd560892d3a891f70bd1eb8d7b6eb9e8e3b7a69109b6142d092730df397d179de97422b65397e4ebec92d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1D7D46A1-5E1B-11EF-95E0-F67F0CB12BFA}.dat

Filesize
5KB

MD5
09f50edcd62214b04c8974332babc989

SHA1
5ac2baf757af876882fd84d7112390a3045af4a6

SHA256
259548fdd464bf89ece0a4668dff084e4a3337ef7c763ba3dd235b2b6da95f93

SHA512
7b6db5bfcda28456b36f2748fc39620847f799d3e0a95ccb46e5b552b1c4a5339d35df27d81ca1e03b0b3cc7694222b5c80a81f72a64f75cd98e09d425103a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1D7D6DB1-5E1B-11EF-95E0-F67F0CB12BFA}.dat

Filesize
4KB

MD5
5cec81f097e4714eb2bb37dfac5d889e

SHA1
061f1ab206f7d6d9004417fd6801a3fb07e39ba3

SHA256
4a28ffbc147d039e497b265fbc2bf113fea0100cbb0653dd6dbcc21a1a2faa75

SHA512
9577c9218e4842754d11ef61a25836ee1293141f0fbea766e871e9a25853bdf5041a93294982fb313350dba9648cbbbdbdce73e84526219eeea6fe7354c26ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5f5nsah\imagestore.dat

Filesize
24KB

MD5
3e303c8635b66b73a4ebb25188dfab94

SHA1
a0e70bf7aa9f6c31692b028c416f6334c91a8f4f

SHA256
868660c9dee6d4295e6331ebc35f74f91ca3df8e35f4ac95d4e886439d7fb9f4

SHA512
025e744005fa895faf599252f6d2e5e1a6a44a8d3272415d754efdfecce6824f667d40e65e8a4c8ec854bbbc074961e3bc758883276e230f8c42287e15b00b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7H6XY0V\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF38.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFFC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit