Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:24

Static task: static1

Behavioral task: behavioral1
  Sample: 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  Resource: win10v2004-20241007-en

General
Target: 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
Size: 3.3MB
MD5: ee54949235f4f54554ba0e0a71967590
SHA1: 5915909319f05034d66202ece9b45a106534bcda
SHA256: 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9
SHA512: 393c2a77e3556938deec9a0b5cc993c05c5cfc536587097e5e16da4fcaa85a692058b05ae6d9f218db19d4e159e12e3276f9ee5160ef1fd7c125aa078cd5e37d
SSDEEP: 98304:SCZ9i2QPOTCUqt3T7uUlHVTKpoMhXKTRs8lZw:SCZ3QmOrp71HAnia8lZw
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  1652  wmpscfgs.exe
  2016  wmpscfgs.exe

Loads dropped DLL (10 IoCs)
  pid   Process
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  1248  WerFault.exe
  1248  WerFault.exe
  1248  WerFault.exe
  1248  WerFault.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"  wmpscfgs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  pid   Process
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  1652  wmpscfgs.exe
  2016  wmpscfgs.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe

Drops file in Program Files directory (10 IoCs)
  description                   ioc                                                                  Process
  File created                  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe            49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  File created                  C:\Program Files (x86)\259471205.dat                                 wmpscfgs.exe
  File created                  \??\c:\program files (x86)\microsoft office\office14\bcssync.exe     wmpscfgs.exe
  File opened for modification  \??\c:\program files (x86)\adobe\acrotray .exe                       wmpscfgs.exe
  File created                  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe            wmpscfgs.exe
  File created                  \??\c:\program files (x86)\microsoft office\office14\bcssync.exe     49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  File created                  \??\c:\program files (x86)\adobe\acrotray.exe                        49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  File created                  C:\Program Files (x86)\259470862.dat                                 wmpscfgs.exe
  File opened for modification  \??\c:\program files (x86)\adobe\acrotray.exe                        wmpscfgs.exe
  File created                  \??\c:\program files (x86)\adobe\acrotray .exe                       49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1248  1652        WerFault.exe  36
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpscfgs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpscfgs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpscfgs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpscfgs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe

Modifies Internet Explorer settings
  Every ioc below is a subkey of \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer; the prefix is omitted from each row.
  description       ioc                                                              Process
  Set value (str)   Main\FullScreen = "no"                                           iexplore.exe
  Key created       TabbedBrowsing\NewTabPage                                        iexplore.exe
  Key created       SearchScopes                                                     iexplore.exe
  Set value (int)   SearchScopes\DownloadRetries = "2"                               iexplore.exe
  Key created       PageSetup                                                        iexplore.exe
  Key created       Main                                                             IEXPLORE.EXE
  Set value (int)   TabbedBrowsing\NTPFirstRun = "1"                                 iexplore.exe
  Key created       MINIE                                                            iexplore.exe
  Key created       DomainSuggestion                                                 iexplore.exe
  Set value (int)   DomainSuggestion\NextUpdateDate = "437349344"                    iexplore.exe
  Key created       GPU                                                              iexplore.exe
  Key created       LowRegistry\DontShowMeThisDialogAgain                            iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000d8c08134cccebf37d0ea6b6b4a36ba5d6fc491c746d932d1a9462463203e084f000000000e80000000020000200000000f4aeec286f3991cf50fa3a77a6eb8567318142db2bedf1fb0925c56cfbad3a4200000005bfd28084a99bcc50ed7acdeae565c0cb5c6b0c6aba328ec015211d8e38a89da40000000e613feead18b928a95ee1a1b23e61f56e9be80451b5ee5ff747d6bd902f753527039642adc0ea7ad388b44200a4f1dcf6e8f4a4f1fe24deb946d699e3799ecab  iexplore.exe
  Key created       IntelliForms                                                     iexplore.exe
  Key created       Main\WindowsSearch                                               iexplore.exe
  Key created       InternetRegistry                                                 iexplore.exe
  Key created       Toolbar\WebBrowser                                               iexplore.exe
  Set value (str)   Main\WindowsSearch\Version = "WS not running"                    iexplore.exe
  Key created       Recovery\PendingRecovery                                         iexplore.exe
  Key created       BrowserEmulation\LowMic                                          iexplore.exe
  Key created       IETld\LowMic                                                     iexplore.exe
  Set value (int)   MINIE\TabBandWidth = "500"                                       iexplore.exe
  Set value (data)  Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\MFV = (value elided)                   iexplore.exe
  Key created       LowRegistry\DOMStorage                                           iexplore.exe
  Set value (int)   Main\CompatibilityFlags = "0"                                    iexplore.exe
  Key created       Recovery\AdminActive                                             iexplore.exe
  Key created       TabbedBrowsing                                                   iexplore.exe
  Set value (data)  Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000  iexplore.exe
  Key created       Main                                                             iexplore.exe
  Key created       LowRegistry                                                      iexplore.exe
  Set value (int)   Recovery\PendingRecovery\AdminActive = "1"                       iexplore.exe
  Key created       Main                                                             IEXPLORE.EXE
  Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = e00d25cced32db01       iexplore.exe
  Key created       Toolbar                                                          iexplore.exe
  Key created       Zoom                                                             iexplore.exe
  Set value (data)  Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000  iexplore.exe
  Set value (int)   Recovery\AdminActive\{05C16F81-9EE1-11EF-9204-FE6EB537C9A6} = "0"  iexplore.exe
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                       iexplore.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  2200  wmpscfgs.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  2720  wmpscfgs.exe
  2016  wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  Token: SeDebugPrivilege  2200  wmpscfgs.exe
  Token: SeDebugPrivilege  2720  wmpscfgs.exe
  Token: SeDebugPrivilege  2016  wmpscfgs.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process
  2552  iexplore.exe
  2552  iexplore.exe
  2552  iexplore.exe
  2552  iexplore.exe

Suspicious use of SetWindowsHookEx (21 IoCs)
  pid   Process
  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
  2200  wmpscfgs.exe
  2720  wmpscfgs.exe
  2552  iexplore.exe
  2552  iexplore.exe
  3028  IEXPLORE.EXE
  3028  IEXPLORE.EXE
  1652  wmpscfgs.exe
  2016  wmpscfgs.exe
  2552  iexplore.exe
  2552  iexplore.exe
  2444  IEXPLORE.EXE
  2444  IEXPLORE.EXE
  2552  iexplore.exe
  2552  iexplore.exe
  3028  IEXPLORE.EXE
  3028  IEXPLORE.EXE
  2552  iexplore.exe
  2552  iexplore.exe
  3028  IEXPLORE.EXE
  3028  IEXPLORE.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1868 wrote to memory of 2200  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  31
  PID 1868 wrote to memory of 2200  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  31
  PID 1868 wrote to memory of 2200  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  31
  PID 1868 wrote to memory of 2200  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  31
  PID 1868 wrote to memory of 2720  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  32
  PID 1868 wrote to memory of 2720  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  32
  PID 1868 wrote to memory of 2720  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  32
  PID 1868 wrote to memory of 2720  1868  49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe  32
  PID 2552 wrote to memory of 3028  2552  iexplore.exe                                                            34
  PID 2552 wrote to memory of 3028  2552  iexplore.exe                                                            34
  PID 2552 wrote to memory of 3028  2552  iexplore.exe                                                            34
  PID 2552 wrote to memory of 3028  2552  iexplore.exe                                                            34
  PID 2200 wrote to memory of 1652  2200  wmpscfgs.exe                                                            36
  PID 2200 wrote to memory of 1652  2200  wmpscfgs.exe                                                            36
  PID 2200 wrote to memory of 1652  2200  wmpscfgs.exe                                                            36
  PID 2200 wrote to memory of 1652  2200  wmpscfgs.exe                                                            36
  PID 2200 wrote to memory of 2016  2200  wmpscfgs.exe                                                            37
  PID 2200 wrote to memory of 2016  2200  wmpscfgs.exe                                                            37
  PID 2200 wrote to memory of 2016  2200  wmpscfgs.exe                                                            37
  PID 2200 wrote to memory of 2016  2200  wmpscfgs.exe                                                            37
  PID 2552 wrote to memory of 2444  2552  iexplore.exe                                                            38
  PID 2552 wrote to memory of 2444  2552  iexplore.exe                                                            38
  PID 2552 wrote to memory of 2444  2552  iexplore.exe                                                            38
  PID 2552 wrote to memory of 2444  2552  iexplore.exe                                                            38
  PID 1652 wrote to memory of 1248  1652  wmpscfgs.exe                                                            39
  PID 1652 wrote to memory of 1248  1652  wmpscfgs.exe                                                            39
  PID 1652 wrote to memory of 1248  1652  wmpscfgs.exe                                                            39
  PID 1652 wrote to memory of 1248  1652  wmpscfgs.exe                                                            39
Processes
Each entry is shown as depth, image path, command line, PID and matched signatures; children are indented under their parent.

1  C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe"
   PID: 1868
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2  \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      Command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      PID: 2200
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
         Command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
         PID: 1652
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 272
            PID: 1248
            - Loads dropped DLL
            - Program crash

      3  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
         Command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
         PID: 2016
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

   2  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      Command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      PID: 2720
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

1  C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
   PID: 2552
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
      PID: 3028
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

   2  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:537606 /prefetch:2
      PID: 2444
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads