Analysis

max time kernel: 121s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 02:16

Static task: static1
Behavioral task behavioral1: Sample 123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample 123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe, Resource win10v2004-20241007-en
General

Target: 123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
Size: 1002KB
MD5: 2e69c1a7d2a987f925aaad945c2ce2b2
SHA1: 767d326371a5e8b3e3c85d5a87d3e928364b0e20
SHA256: 123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c
SHA512: 77bcff731628c92d6a1888db1e05d6bc531607f0fb06f6c735ac8d46a9993bac03ba32461fc461dedcf4e7a3c786a300d981ab0362e92db2cb55453dd65405a6
SSDEEP: 24576:50IeeyMLvMqxTE1am3NbYPu5xQBhlbeaI:WBek2TAam9SuxQBhT
Malware Config

Extracted: remcos
RemoteHost: 192.3.64.152:2559
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-ZFXG9Y
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

With install_flag false, the copy_folder/copy_file values (Remcos\remcos.exe) are not used by the payload itself; the only persistence observed in this run is the scheduled task created by the loader (see Processes). The C2 endpoint 192.3.64.152:2559 and the mutex Rmc-ZFXG9Y are the usable network and host indicators from this config.
Signatures

Remcos family

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   Process
2656  powershell.exe
2544  powershell.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                                          pid   Process                                                                   procid_target
PID 2616 set thread context of 1044                  2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  37
PID 1044 set thread context of 2084                  1044  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  38
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (all seven IoCs are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"):
ioc         Process
Key opened  IEXPLORE.EXE
Key opened  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
Key opened  powershell.exe
Key opened  powershell.exe
Key opened  schtasks.exe
Key opened  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
Key opened  iexplore.exe
Modifies Internet Explorer settings 34 IoCs
Processes (all paths below are relative to \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\):
description       ioc                                                                    Process
Key created       Main\WindowsSearch                                                     iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\MFV = (value omitted)                        iexplore.exe
Set value (int)   Main\CompatibilityFlags = "0"                                          iexplore.exe
Set value (int)   DomainSuggestion\NextUpdateDate = "439440511"                          iexplore.exe
Key created       InternetRegistry                                                       iexplore.exe
Key created       Toolbar                                                                iexplore.exe
Key created       Zoom                                                                   iexplore.exe
Key created       Recovery\AdminActive                                                   iexplore.exe
Set value (str)   Main\FullScreen = "no"                                                 iexplore.exe
Set value (int)   TabbedBrowsing\NTPFirstRun = "1"                                       iexplore.exe
Key created       SearchScopes                                                           iexplore.exe
Key created       BrowserEmulation\LowMic                                                iexplore.exe
Key created       IETld\LowMic                                                           iexplore.exe
Key created       LowRegistry                                                            iexplore.exe
Key created       LowRegistry\DOMStorage                                                 iexplore.exe
Key created       Toolbar\WebBrowser                                                     iexplore.exe
Set value (int)   Recovery\AdminActive\{E5CE3BA1-B1E5-11EF-8F1B-EAF933E40231} = "0"      iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (int)   SearchScopes\DownloadRetries = "3"                                     iexplore.exe
Key created       Main                                                                   iexplore.exe
Set value (str)   Main\WindowsSearch\Version = "WS not running"                          iexplore.exe
Key created       Recovery\PendingRecovery                                               iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                             iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5c3e2793bd9e42982b6ccd1014968e00000000020000000000106600000001000020000000138a6d642ad17a738585a9dc434e345ba9c8913f00465e6000fa7b2eee1ddab4000000000e8000000002000020000000d07cd1a5e6ed847df01b8e9ad0c0ab2131f0f6c17fbc778f11f8f74305cb3b6e20000000c018728ce16804050b094f2a726abacf51eca9b02dc10d3656b475fbbcfa4f2e40000000c2ae891b7b840615bbd6a215ff74c8acac4e0d3c5466f1645b37141aea89c5b7cbb899dbd7eb987c167169f6cf48598ae2021681f777a075276b0ebae6a0d35c  iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = b0e402bcf245db01             iexplore.exe
Key created       PageSetup                                                              iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "1"                             iexplore.exe
Key created       TabbedBrowsing\NewTabPage                                              iexplore.exe
Key created       DomainSuggestion                                                       iexplore.exe
Key created       GPU                                                                    iexplore.exe
Key created       IntelliForms                                                           iexplore.exe
Key created       LowRegistry\DontShowMeThisDialogAgain                                  iexplore.exe
Key created       TabbedBrowsing                                                         iexplore.exe
Key created       Main                                                                   IEXPLORE.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   Process
2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
1044  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
2544  powershell.exe
2656  powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   Process
1044  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   Process
Token: SeDebugPrivilege  2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe
Token: SeDebugPrivilege  2544  powershell.exe
Token: SeDebugPrivilege  2656  powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   Process
1228  iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid   Process
1228  iexplore.exe
1228  iexplore.exe
636   IEXPLORE.EXE
636   IEXPLORE.EXE
Suspicious use of WriteProcessMemory 42 IoCs
Processes (identical rows collapsed; the count column gives the number of times each row appears in the report):
description                         pid   Process                                                                   procid_target  count
PID 2616 wrote to memory of 2656    2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  30             4
PID 2616 wrote to memory of 2544    2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  32             4
PID 2616 wrote to memory of 2568    2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  34             4
PID 2616 wrote to memory of 2000    2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  36             4
PID 2616 wrote to memory of 1044    2616  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  37             13
PID 1044 wrote to memory of 2084    1044  123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe  38             5
PID 2084 wrote to memory of 1228    2084  iexplore.exe                                                              39             4
PID 1228 wrote to memory of 636     1228  iexplore.exe                                                              40             4
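The SetThreadContext and WriteProcessMemory tables together describe one injection chain: 2616 writes into its own child 1044 and re-points its thread, and 1044 does the same to the 32-bit iexplore.exe (2084). The Python below is an added example for this page, not sandbox output or code from any Remcos analysis; it rebuilds the events from the PIDs and counts in the two tables (the tuple layout is an assumption), recovers that chain, and separates hollowing targets from children that merely received memory writes.

```python
"""Rebuild the process-injection chain from the two signature tables above.

Added example, not part of the original sandbox report. The event list is
constructed from the PIDs and counts in the 'SetThreadContext' and
'WriteProcessMemory' tables; the (api, source_pid, target_pid) tuple shape is
an assumption for this example, not any sandbox's real export format.
"""
from collections import Counter, defaultdict

WPM = "WriteProcessMemory"
STC = "SetThreadContext"

# (api, source pid, target pid, count) exactly as the report tallies them.
_REPORTED = [
    (WPM, 2616, 2656, 4), (WPM, 2616, 2544, 4), (WPM, 2616, 2568, 4),
    (WPM, 2616, 2000, 4), (WPM, 2616, 1044, 13), (WPM, 1044, 2084, 5),
    (WPM, 2084, 1228, 4), (WPM, 1228, 636, 4),
    (STC, 2616, 1044, 1), (STC, 1044, 2084, 1),
]
# Expanded to one tuple per observed call, the way a sandbox would emit them.
EVENTS = [(api, src, dst) for api, src, dst, n in _REPORTED for _ in range(n)]


def _edges(events):
    """Split events into write edges and thread-context edges, keyed by source pid."""
    writes, ctx = defaultdict(set), defaultdict(set)
    for api, src, dst in events:
        if api == WPM:
            writes[src].add(dst)
        elif api == STC:
            ctx[src].add(dst)
    return writes, ctx


def write_counts(events):
    """WriteProcessMemory calls per (source, target) pair. The hollowed child (1044)
    receives 13 writes against 4 for each ordinarily spawned child."""
    return Counter((src, dst) for api, src, dst in events if api == WPM)


def hollowing_candidates(events):
    """Targets that got both memory writes and a SetThreadContext from one source.
    Writes alone are weak evidence: the report shows four writes into each plain
    child too (powershell.exe, schtasks.exe), so the context change is required."""
    writes, ctx = _edges(events)
    return {src: sorted(writes[src] & targets)
            for src, targets in ctx.items() if writes[src] & targets}


def injection_chain(events, root):
    """Follow hollowing edges from root; stop when a process hollows nothing further
    or the next hop would revisit a pid."""
    cands = hollowing_candidates(events)
    chain, cur = [root], root
    while cur in cands and cands[cur][0] not in chain:
        cur = cands[cur][0]
        chain.append(cur)
    return chain


def write_only_targets(events):
    """Children written to but never re-pointed with SetThreadContext: ordinary
    process creation, not hollowing."""
    writes, ctx = _edges(events)
    return {src: sorted(targets - ctx[src])
            for src, targets in writes.items() if targets - ctx[src]}


if __name__ == "__main__":
    print("hollowing chain:", " -> ".join(map(str, injection_chain(EVENTS, 2616))))
    print("write-only children:", write_only_targets(EVENTS))
```

Requiring the SetThreadContext edge is what keeps the powershell.exe and schtasks.exe children (each also written to four times) out of the hollowing result; on real telemetry the same rule would be expressed as "WriteProcessMemory followed by SetThreadContext or ResumeThread on a child created suspended".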
Processes

C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe (PID 2616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2656, parent 2616)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2544, parent 2616)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RNJBFdvJTXAE.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2568, parent 2616)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe (PID 2000, parent 2616)
    Command line: "C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe"
    (no signatures)

  C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe (PID 1044, parent 2616)
    Command line: "C:\Users\Admin\AppData\Local\Temp\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    \??\c:\program files (x86)\internet explorer\iexplore.exe (PID 2084, parent 1044)
      Command line: "c:\program files (x86)\internet explorer\iexplore.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\iexplore.exe (PID 1228, parent 2084)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 636, parent 1228)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

Notes for analysts:
- The children are launched as "C:\Windows\System32\..." but their recorded image path is C:\Windows\SysWOW64\...: the loader is 32-bit (resource tag arch:x86) and subject to WOW64 file-system redirection. Match on the image path, not the typed command line, when writing rules.
- The two Add-MpPreference calls exclude the running sample and C:\Users\Admin\AppData\Roaming\RNJBFdvJTXAE.exe; that file name matches the scheduled task Updates\RNJBFdvJTXAE, whose definition is read from an XML file in %TEMP%. The loader is shielding its persistence path from Defender and registering the task before any copy is observed. Windows 7 does not ship the Defender PowerShell module, so on this win7 image the cmdlet cannot have succeeded; the signature fires on the command line alone.
- PID 2616 relaunches its own binary twice (2000 and 1044) and hollows 1044 (13 memory writes and a SetThreadContext); 1044 in turn hollows the 32-bit iexplore.exe (2084). The fwlink URL handed to the 64-bit iexplore.exe (1228) is the .NET Framework shim's redirect for a missing runtime (o1=SHIM_NOVERSION_FOUND, pver=4.5), so the Internet Explorer registry activity attributed to 1228 and 636 is a side effect of that redirect, not attacker-driven browsing.
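The command lines in the tree above are what a detection engineer has to match on: Add-MpPreference exclusions launched by a binary running from %TEMP%, a scheduled task created from an XML definition in %TEMP%, and a process relaunching its own image before hollowing it. The Python below is an added example, not part of the report or of any product's rule set; it encodes those three checks plus the link between the excluded Roaming path and the task name, and runs them over events constructed from the tree above in Sysmon event-1 field names (the schema is an assumption, and the root process's parent is not recorded on the page, so it is left as None).

```python
"""Command-line detections for the loader behaviour shown in the process tree.

Added example, not part of the original sandbox report. The events below are
constructed from the report's command lines using Sysmon event-1 field names
(an assumed schema). The parent of the first process is not recorded on the
page and is left as None.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c.exe")
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # as typed; WOW64 redirects it
ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\RNJBFdvJTXAE.exe"
TASK_NAME = r"Updates\RNJBFdvJTXAE"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp"
IE_X86 = r"c:\program files (x86)\internet explorer\iexplore.exe"


def _ev(pid, ppid, image, parent_image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline}


# Constructed from the report's process tree; PIDs and arguments as listed there.
EVENTS = [
    _ev(2616, None, SAMPLE, None, f'"{SAMPLE}"'),
    _ev(2656, 2616, PS_IMAGE, SAMPLE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    _ev(2544, 2616, PS_IMAGE, SAMPLE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{ROAMING_COPY}"'),
    _ev(2568, 2616, r"C:\Windows\SysWOW64\schtasks.exe", SAMPLE,
        f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "{TASK_NAME}" /XML "{TASK_XML}"'),
    _ev(2000, 2616, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    _ev(1044, 2616, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    _ev(2084, 1044, IE_X86, SAMPLE, f'"{IE_X86}"'),
]

# One argument, quoted or bare: group i holds the quoted form, group i+1 the bare one.
_ARG = r'(?:"([^"]*)"|(\S+))'
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\s+" + _ARG, re.I)
TN_RE = re.compile(r"/TN\s+" + _ARG, re.I)
XML_RE = re.compile(r"/XML\s+" + _ARG, re.I)


def _arg(match, i):
    return match.group(i) if match.group(i) is not None else match.group(i + 1)


def defender_exclusions(events):
    """Add-MpPreference -Exclusion{Path,Extension,Process} run via powershell.exe.
    The parent is kept because an exclusion added by a binary running from %TEMP%
    is the signal; the cmdlet itself is a routine admin action."""
    found = []
    for ev in events:
        cmd = ev["CommandLine"]
        if not ev["Image"].lower().endswith("\\powershell.exe") or "add-mppreference" not in cmd.lower():
            continue
        for m in EXCLUSION_RE.finditer(cmd):
            found.append({"pid": ev["ProcessId"], "kind": m.group(1),
                          "value": _arg(m, 2), "parent": ev["ParentImage"]})
    return found


def scheduled_tasks_from_temp(events):
    """schtasks /Create whose /XML task definition sits under a Temp directory."""
    found = []
    for ev in events:
        cmd = ev["CommandLine"]
        if not ev["Image"].lower().endswith("\\schtasks.exe") or "/create" not in cmd.lower():
            continue
        tn, xml = TN_RE.search(cmd), XML_RE.search(cmd)
        if xml is None:
            continue
        xml_path = PureWindowsPath(_arg(xml, 1))
        found.append({"pid": ev["ProcessId"], "task": _arg(tn, 1) if tn else None,
                      "xml": str(xml_path),
                      "xml_in_temp": "temp" in [p.lower() for p in xml_path.parts]})
    return found


def self_respawns(events):
    """Processes whose image equals their parent's image: the loader relaunching its
    own binary (2000 and 1044 here), the usual prelude to hollowing the child."""
    return [ev["ProcessId"] for ev in events
            if ev["ParentImage"] and ev["Image"].lower() == ev["ParentImage"].lower()]


def exclusion_covers_task_binary(exclusions, tasks):
    """Tie an exclusion to a scheduled task when the excluded file's stem equals the task's leaf name."""
    pairs = []
    for t in tasks:
        if not t["task"]:
            continue
        leaf = PureWindowsPath(t["task"]).name.lower()
        for x in exclusions:
            if x["kind"].lower() == "path" and PureWindowsPath(x["value"]).stem.lower() == leaf:
                pairs.append((t["task"], x["value"]))
    return pairs


if __name__ == "__main__":
    excl = defender_exclusions(EVENTS)
    tasks = scheduled_tasks_from_temp(EVENTS)
    for x in excl:
        print(f"[exclusion] pid {x['pid']} {x['kind']}={x['value']} parent={x['parent']}")
    for t in tasks:
        print(f"[schtasks]  pid {t['pid']} task={t['task']} xml_in_temp={t['xml_in_temp']}")
    print("[self-respawn]", self_respawns(EVENTS))
    print("[exclusion covers task binary]", exclusion_covers_task_binary(excl, tasks))
```

The exclusion rule deliberately keys on the image path ending in powershell.exe rather than on the typed "C:\Windows\System32\..." string, since the 32-bit loader's children actually run from SysWOW64; the task rule treats any Temp component in the /XML path as suspicious, because legitimate task XML is not normally staged in a user's temporary directory.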
Downloads

Entries without a path are files the sandbox recorded without a location. The repeated CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 entries are the same cache file captured each time its contents changed, so each carries different hashes.

(no path recorded)
Filesize 579B
MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
Filesize 252B
MD5 f764a03c7b434a6c989537d0afc209f3
SHA1 5fec5e0bea0722a6d83c6e85882ed2306d4300c3
SHA256 a5cd76b32361a7beab36b7e35633846c1b64476212b9e25153afa8e206421fb3
SHA512 06b9b5fcaa7059cdd80fb0e2645fbaf6b823afaeadc01e4138328dc0ac0ecb9902cd355308d2bea060116b2ca453862718d00ddc6d1ea9ed647da87abfefa2db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 beba89e47e73755df342ef636680f826
SHA1 30eb89d462a6bfbd77809f52b6f0c46a2cf92bfe
SHA256 2bc4838822eb7cb924105bc5abebf77a6ec0a1539f3d39ff855275613314e102
SHA512 e8629f708b6797aae26d042ce22b1ed4e83ba5433beb839ce7dd4bacdf59f1ddf9ca864d489349519718cc3c7094ccc56819091b7552498d43b8d09a34f30bc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f9ff0343e0b204138035e3997146ea46
SHA1 82dba7daf0d424d38758f444c948bb2327252549
SHA256 64cc91ab2bd1ea365e5a00699e54fac0dafdd395939ef03af4812d29f4a050ff
SHA512 c9420d2af5e6612ad033756576debc4814988d37e5716a3d13bc6ab49067cec5125c439ae82d52015234f7e5deb4773d1283bf77a836f3b93ea0911c3c48a6dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 72675cb2a1c8700445928900464c1c10
SHA1 c7a57fcf6815bfe01d71a6a7165c7c8b477598b0
SHA256 0f6a64a325517be66392cd5e57412e01503646ca5e8d4f4b101594bd3969ea6f
SHA512 4b49fe2ca88ffe5028b25e457a38a735c808c0588e5a19afbd1e962aea5c65457d6797c3d681d2d9a675a18ffc58908ca5c58bcc2d70691266a78c20a6564af2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cd3e410d9b29367e3788ebd091eb467d
SHA1 b0622771b73d038465e238aff8b18e8f5318b1d4
SHA256 081f032e181f27057253bc68cdd36b9e2e395db6844c80da1594abd3fc05a4c7
SHA512 d98e18b0f22e3c7414440aeeb631e361e06cddb2c4b0256c6eebe5f0f9f9f58e963eb6ce45d0731e500dded40249c3832fe12d7d575df03f6ca2049753d1000d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b80577276af7e041eb06cebb82b5d0d0
SHA1 b05ffd229b8676f898c3aabba689f8dc55f9a631
SHA256 eebb2be7b70f90dc99a543dd339519f2db0d38acb04cc801bc854a5e5e97c1e2
SHA512 f21feb1f10066f6e5cb9b646c45f621216672bbd44dd229a13f784f942f9dfe6f79f3f853444396d34fd8ec4cc7555ec187496538b2465a40c6f7652331ac9f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1f23d9c7684d179676b975400cc25464
SHA1 d02a4e25dabaf40cfa5a3fc8d8962f2133356ed6
SHA256 9d95748b413bd0d2208b10dbb9493bc0ea8edf357e5e4af23352ebd62db3e131
SHA512 703e374059415f2501d5c0e2adedb11cc26ec66d26cb1d56a1ee8f3b5f3f3a4e2496d9445db89dad85f8bd238be3aed2a29aa7284fbeffa31bb0432881f34831

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4ec0603fbad6ea77d754a3da77ef3674
SHA1 f6235784653ce8c84604a155832108759c39d7e1
SHA256 0568fd134a67356dfb5148c2bfc64579065b5c79d2cd4350671fa3b508e2edeb
SHA512 f0babc6fb41abc2fa8aafb7a6572b2a04d6da4a2b3ca8f97258ee0f56af42820411b7f1865d6a4c506d212e9bd8ed6098f37a06179bada49a0d851c5a295c4b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 67cb1e111c919aee482539914a37a3cf
SHA1 1ca63a731c03f1269f19063ebb37e44e81c734e0
SHA256 4121fc20bc09b5de3606c698166dc3918cc0ae9e568dd08903dabc91e1a9d665
SHA512 4506c75fc9a8b3ffa299dac94d59d86c0806662f8514af57ac9224b45edb687473cf9a05461e1bb1613dc8821f02ee7027e543c7d267e05ce74ea42aa6644462

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 56107a2c4f29db6acb4790df63b80bec
SHA1 a0848269f552983cb585ef78bb8396efed5b3986
SHA256 44f2dccaff019aded1d19bbf0b9bda4a5b69ae586646c2f57b565b695b5f0c09
SHA512 9689ef4bbab563c50be067116f936ef2f42a047404f17baae7f0eafabdd986f82fcddb445fd1b56701e84b8b45840fd59a748135be3d0c334bc21970f572f803

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cff04df343574a7d52e5260634696bcf
SHA1 259c0ce37cffa79aa451be068742f4d66c8b638f
SHA256 6e2487c21594bad0cdf4e83b287036c83424d0dbc06a48504cdb3d3f762ea0f2
SHA512 68c38a2df6d263cdad696d2bf573497e0b30089978fbf0e30fcc2ef5d2d43eb127184d7548f4dbc08c2ab0286d7f6853321e56a37798e0269b6a947e4b199724

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 24c39e5144a0b42e080418054068c1b7
SHA1 8af735e8271defa2c5e308e4335b54382ae3afa8
SHA256 a7ce77e2260834bc73beb26497942538853e079dabebd990df39f0652eea2a2e
SHA512 ebe5067d932917fe995c17eada6bdfdd3c243474ee2746822b2bbaf5c67074f61dbb3c2ed65c4a68a10580bba63a28544e1f450639a96aa9cebe9a9c20632a70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a1d8318fc114a22daf32979d75ce5bf6
SHA1 5ac01f9c890cba4f21f584a5cc4557fd9adbf786
SHA256 bfbee9782854a65ba2e80cbd0619b7b957665f7795476c5424b81d55dce27473
SHA512 bb344b331edabb32b235361f298b0eaa074e9e7b06a8cff6e825f62261458c6dd9cd2138a55b7a8ecbd5fd628dab7df67bc920bb0c5a049f8d9c91255ebf2a6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bc2bebe2023d8610800541851d0f0bf8
SHA1 695e08032954a1f99d61ba794db3c5357eb08ff4
SHA256 f95f912cd5a59e1474e8d277f18eeeaa9e9b08a8818ba3f0317a61906496dbb9
SHA512 b17d087c8e7dc7b129c35de977da122579beaa60e9063ec43445abd97e9e68f021ad810fb9837eaa139e1e91a8fd5eaf2325ab71fbf82c2503e51aea95bda3c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1840c7aca3a2e86c8e72838cb9b1bdfe
SHA1 7a038cf3e14b3e65bdef21b14958e954d5942a58
SHA256 c2ee7f029dc2eec5fdf3b6d36c3d45138dda89e0e9386d2d674eeda4efc275db
SHA512 6ddfa7d14f74f22a24d6dbc68b20ff1a34b257e2430ecf9d47fce54f4161c02ab773e99be7abf423c200c4055f1acb2eb6f0c0bd5829731ba058622b1502b536

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ca47011bf621cc61e10e9723b19dc531
SHA1 21494c3cb90b02709842a00c75179de6224aab7f
SHA256 3048f93a88eab9bd1bee98c3cbd02b0e7ccd9502feee336f8f2b632a2838daa8
SHA512 7ccf5bed32948ddfc101f03aa0348bc811ffc65bc0062b2b6b799045a1019e7aebd7e4662435468f13b65c3e46d15cfea6dfd209b23a03d2f930ed97e6eb48b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f26fb853f225d3d5b83964ba2d723015
SHA1 5edfda1bb6ddc00478cebfbaaafe6c5d3a6e0fb2
SHA256 14385a5e4e17c8c0b028b7f2dde13e773881dd1c0a8ef605248f2cf49015a250
SHA512 995ec93b67657c4e920b8f652fbe1a60fa44b84a46729a8f3cdc5907fa0339f73cb06e4cd942509be050e6f25d352e9bd452c41082687f2ca4bd113e7c2c1812

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c64542fb2bbd74e9f16877c5b289c35c
SHA1 3f1c95fce7c5c5fa4f8b28cdad6a83d48558cd1b
SHA256 913f2dc38fec16a827aec9cfd96a5f802e9de4704af2555afc9b2b72bb900406
SHA512 830e52b537dd6ee5298f54f6d444eded1e02784c1c6c2dc7cec080ef4a539dc81228772d603f1afdfae29ba8d805e8e25a40b8fc5bb227cded2ca7c8bf22a8f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9a6fb297ea26bdb6df95f3407d4ecb9d
SHA1 25dd83a711dc69b8db8e46e5ff25e386f1b016fb
SHA256 cc781a950be4e60d4b28dfb66e7e2feb5e9dfcb2e1aa936b07f83d9010da3f05
SHA512 32e61b7972b4962d1fffabacc0abe0197325c71580a8224febad485cc7d3bd8c8839f459ceb9fafc050ac7d2bd0e9a91058e2e96ed282e22176e8855945c09c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7643d942719e656b01b1531c6983bd38
SHA1 38586f7051a313078c55a6c082c6dd6a1a9a2aee
SHA256 f1fbb17b899b1cc363fd14a91131272d5ec8178eb539e27877127598eab77fdd
SHA512 1334db4840a7e4968add5228a8663bf84dd59119335bd53f908b4f9a801e0539019a2326ae925f6ec4ebac9d4ecec57fd1ad4c1ca480dd5e8ccc3ac7445f1aee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f97f524d0565e0ae1d5c6f16cdd5e851
SHA1 ff0330dc91ac51831b6c4a88362cdfff6df474a2
SHA256 3a1d4ea0c8cdc52dd65039f9cf7d4b85addebb2a2ba34e36dbc2ee47a61ffd4d
SHA512 70ff1f54237742a7ea84a8eea3b2dc63734ac9cc18e077f15a5a308ce2260b6defd02e9231cf48bb5c2210889fea80c8fd0dd4ca4bf0fa1b83570f27209b4743

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 28073cd0cc9185a5f1c96e63f63371df
SHA1 0f723376452cf279606380327a85a3c08e978275
SHA256 32ccaef8d81218c03b6b0c1e7227705c3b7b5a4307e494804c182bcfe93f7814
SHA512 a07234b824fd93146d72d74b6b0ac2588e3636c10706b41aa663361f8a1a1dba67f85e4bbe7d098789b82228ce0004a1292b2525c802c293e6e08abda159f5e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a65e165a934d6949ee9d2521a84a11f1
SHA1 7fe8e2882b3830036a3d7fd7a809151b2fbf762b
SHA256 6f819bbc329a81bf0a4f42c02089d0b61300a86041158b486919fa1fc7618d90
SHA512 b8422e17c02dcae6371ab485b27467bcfbbb3788a3c990d73feea20007c44735af2a6e1d470ae41f27ae09a856b2db35d99b17e3fe670590191f6fea7205ac99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b137937642841e86c0a207910f703dcc
SHA1 5052bcd7bc0d022b3a584eef84a9c63da4fdb9e8
SHA256 cf6aded435c58f234d1d037ee3c70667d7dfc97585424b55429c4f90931adfe4
SHA512 9e361ecf15a556fc50369b0136f0f145e8d645872b4ba15e1c1e44915252d413a345ef8f669dd408b50deff92a1eb60342d05fb78390f62e37832a6d44fbdd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1aa3f81428918db0f04872368db261a2
SHA1 5e625995564c7c832071da160499e179aad15d34
SHA256 97d75fd656423abbc205142b7cd46d1894d86c330e854a802ef35806c62d7990
SHA512 f52797ba159f50e5de0cbcd21709d57af7a5a95f013fbb354c9db7b842f51aaee4b34e109f7d433f1fa7e02088c884553c675dd9ac01b569069d3eef3a3dd3f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d2bb4e04d85fe28984b08e804c439399
SHA1 bd07be7b894f1685e072c073ee0f5b130b147179
SHA256 9c93e5fbdb3e698481bc3bed54b15814328cbd1590c1ea1a58c76f01e7117a73
SHA512 b5b88a091fd4210886ec401e37720399ed3df50190554508adf25c2e74f38269b50277dee318d04c4ff7e0b42ff1e10004c7376c0a4fcefe1a4062e39921748f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 efdd4894f332d8bb5333f9f5ba3bc28e
SHA1 c44fd607ae2c76a158636c3aa1869a10899b12f1
SHA256 7fecf2f78cee939483cc84f6ad38c3b88d6b7508b6b7496199382803af31a17a
SHA512 f0fd9285c405e7706d015f618ef328c03ca79ac2b187cd5ff7ca0a9275dcabb19131a8f3864efab50a1d8c7c6b2f3a1dade376eb9f12e046302cea5e56bb8372

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ad44434f28ef31014049a58032171fee
SHA1 ee2d776a85c3cf13d1ae7c9dcfdba505e0d2748e
SHA256 9e958423c5fa99ded7e9233ea3a60e9e92a72e0d3cf9916b00c123c0c17a07d0
SHA512 2dded492420193208acbd210fe8d83acd32e82804e4b01874b4627acbb2227de4256c0e51a88091c939d4cb725e23af1696e4c87541218e82647f8f73bec066d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 56a40de954d2b60b940b4c33299ad939
SHA1 1fdd2c98225806e55e4127ad98385cec076cae70
SHA256 cb39038d5b496c18811add76ddfd707b10351e14e0f892dc14e0c7abdf7e80e1
SHA512 705a66f3845256c77e00e67879fa5795af67ea850ad328217c6e94dd27438cfc46ff46b3fee404da95556fd01c0416785236b730e8fa8357bbae2ebabf27d185

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e514e78e617d8c6912ccab9f0cba779a
SHA1 803a1bf744fb2ed4a6c1e0e1ec9db2c8cb6ca005
SHA256 b7a1c076a7cbe486e8cd9cffd81c30e67b587f39cd1e876234c7b57c940a4360
SHA512 bd4e38c843522d351d119cd956b39b62534f2331f08470ce63436bb24c38d915f5d412a454a82fee283be086f06cf7c6e6ecb0eb075a4f3a6bd4d3315776fb69

(no path recorded)
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(no path recorded)
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

(no path recorded)
Filesize 1KB
MD5 ee8be1fb4a1f42befcc9891113adf2aa
SHA1 c96ca28ffab727ef048c5e6230b3ae5b7d8eecdc
SHA256 bafbd9519e2f41111b26cee259bfa252331f8b83b6f1d1c83178545bc40282ac
SHA512 86cd75f43d93faed86b2404fba7a409f9bc24b9c1fd7b2d0b412c34ca23af77a6fee2090c37e844d47821aa37f48baee9d5f225d81736c9e7032b5187ba19450

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 f648e8a0b73006f76d1372218c5931dd
SHA1 3a6fb07e6e4d3c8f38a11822377cf04c5f4078d6
SHA256 86ea107aaeaf3ecc790df0a09ea8c772358439f824bc2a3d0a3dd6c84951070b
SHA512 12aca055e18947e583a83b094310d808aebf157cf4cb829c7dd63cc6b5e203104f6233c6fa70b8c9020bd3c687b6418913cab0e09635c5a6132ec2129e0beb90