globeimposter | 7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8

Resubmissions

18-08-2022 13:44

220818-q18hrsaca7 10

30-03-2022 09:01

220330-ky21bafbdq 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
30-03-2022 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bomani2.exe
Size

56KB
MD5

cadf573e4ca120639a1e5484e985938d
SHA1

ff0d09efbb1495982073291351a81de59e2c3c0d
SHA256

7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8
SHA512

a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Read Me!.hTa

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mails: lord_bomani@keemail.me and jbomani@protonmail.com and Bomani@Email.Com (for the fastest possible response, write to all 3 mails at once!) Write this ID in the title of your message: ��86 FA EE F8 BB CF 9F 2C 82 69 2C 41 1A 9D DF CD 0C F2 F7 EC A6 CB 19 5B 6F 97 F4 DE EC C2 2A 4A 02 83 10 CE 81 85 D5 3B 11 D6 7A 1E F5 B0 87 69 2A 3E 26 52 7D 33 41 F2 3A 20 DA 05 5B 14 DE 89 C2 88 36 71 97 EF B2 7A 6C 08 03 E0 05 01 58 E0 84 C2 E1 34 93 65 B6 0D 4B 7D D7 32 E9 F5 3F 77 33 51 AB FF 5A 03 68 80 47 20 5F 39 D8 B5 69 20 ED 30 64 D3 0A D9 0E F7 DD 47 D2 06 0C 30 B0 CA 03 0A 26 56 18 53 9F A9 47 EB 9E 6D 80 FB F8 0D EB 89 CD C0 8B C7 96 77 66 24 EB E1 C8 A1 46 71 AD F1 28 D7 B3 6E E2 A4 5A 69 AA 49 85 0D CC 87 F7 DD 39 7D 55 D0 AB 58 27 2A 60 94 75 19 C7 BB 5A 03 56 C2 69 FE C3 B3 5B A3 86 E4 6D 8B 05 FC 51 1C 1B 01 06 BB 91 DC EB B6 83 02 B0 7E 7A 3E 00 58 9F 42 D4 A9 17 C4 61 B9 06 86 BB 29 91 D8 5B A6 25 86 72 76 96 A9 3C 08 26 6D FE 77 89 6B You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. We also upload a huge amount of your personal data, including confidential information, financial information, customer personal information, passwords, and so on. Everything that we downloaded will be leaked for public use in case of non-payment or after the expiration of your key for decrypting files. Hurry up! The decryption keys for your files may be overwritten and then recovery of your files will not be possible! (this usually happens a week after encrypting your files.) ��

Emails

lord_bomani@keemail.me

jbomani@protonmail.com

Bomani@Email.Com

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

42 1736 mshta.exe
44 1736 mshta.exe
46 1736 mshta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
42	1736	mshta.exe
44	1736	mshta.exe
46	1736	mshta.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bomani2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	bomani2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\bomani2.exe"	bomani2.exe

Drops desktop.ini file(s) 25 IoCs

Processes:

bomani2.exe

description	ioc	process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	bomani2.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	bomani2.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	bomani2.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

IEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp"	IEXPLORE.EXE

Drops file in Program Files directory 64 IoCs

Processes:

bomani2.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_signed_out.svg	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ro_get.svg	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bg.dll	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_es_135x40.svg	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ko_get.svg	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\bun.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_fillandsign_18.svg	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\Read Me!.hTa	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\Read Me!.hTa	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js	bomani2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\ui-strings.js	bomani2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\Read Me!.hTa	bomani2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000006f87257c70bce3f0e438052dfeae5d6dd8569912b4b174441b9c8ba1df2c5114000000000e800000000200002000000043d9c7544d55bce6e2c65f7a4ee4c00eab34fdd8b724dcf742c429c4afca9d0320000000a70a55f3c5988870359f1647fb19812dc35860c2f75176ee007475a8312e42f1400000001e04369dc2ebfec1246c2342aa8bb148ce836619c1b51ae7464c87ca8ab508c21615fc0d6405c2d48b8262027e38db50f5e3b0594b79dfb0b9c8f730de353d97	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "694866170"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\International\CNum_CpCache = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5AD82F27-B008-11EC-B9A4-E620F3DF43A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000092961fac9813faae06b6dc1065b98ea6690c1424ed75b253db8ba1e8d1586b55000000000e8000000002000020000000e4b02518fa6300c27c0d557a6652de80fc4d577c68bc4b67ff23d8d3c2ed792220000000ffd2bc660a2c0c5b3252721c30e9364aca6a2caf37e39cffaa36c19236752172400000009e9ea5703568852aabd13628dde2d076c472fff17bb53bf4e99c5b1853a0a1e486a508aa465ecf0e620a86af7445a0fada040313cb41fbd1376fe40f531828d3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30950421"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpCache = e3040000	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{54A1E4F5-B008-11EC-B9A4-E620F3DF43A3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30950421"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c042222a1544d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06e292a1544d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\International	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "694866170"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 56 IoCs

Processes:

mshta.exeShellExperienceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000841e251a7208d801292e681f7208d8015d932f217208d80114000000	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mshta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mshta.exe

pid process

1736 mshta.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2660 iexplore.exe
3260 iexplore.exe

pid	process
2660	iexplore.exe
3260	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

mshta.exeShellExperienceHost.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1736	mshta.exe
2436	ShellExperienceHost.exe
2436	ShellExperienceHost.exe
2660	iexplore.exe
2660	iexplore.exe
3712	IEXPLORE.EXE
3712	IEXPLORE.EXE
3260	iexplore.exe
3260	iexplore.exe
3824	IEXPLORE.EXE
3824	IEXPLORE.EXE
3824	IEXPLORE.EXE
3824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exeiexplore.exe

description	pid	process	target process
PID 2660 wrote to memory of 3712	2660	iexplore.exe	IEXPLORE.EXE
PID 2660 wrote to memory of 3712	2660	iexplore.exe	IEXPLORE.EXE
PID 2660 wrote to memory of 3712	2660	iexplore.exe	IEXPLORE.EXE
PID 3260 wrote to memory of 3824	3260	iexplore.exe	IEXPLORE.EXE
PID 3260 wrote to memory of 3824	3260	iexplore.exe	IEXPLORE.EXE
PID 3260 wrote to memory of 3824	3260	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\bomani2.exe
"C:\Users\Admin\AppData\Local\Temp\bomani2.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2344

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Read Me!.hTa" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1132

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\b0222.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\b0222.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3260 CREDAT:17410 /prefetch:2
2⤵
- Sets desktop wallpaper using registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{54A1E4F5-B008-11EC-B9A4-E620F3DF43A3}.dat
Filesize
5KB

MD5
c8ac84facaa039090407723593410f1e

SHA1
d7f76f7095a6d35ffd4da4878204a02080d08d3b

SHA256
b64bc3925b8a36cf4c0a03fcee341e433e303d11a8d689e6fa371040d594cafe

SHA512
69483f4dbe4e2f4b35d3fcc26abfee62ccfefc61863e73d3576b970df61ff3d25d0aa798a5f7f017942eb2bfe4f3a3d384c693862683e598aef25b1d44784219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{04D6A65B-7467-11EC-B99B-7EE208A7DFD1}.dat
Filesize
5KB

MD5
851119e1952d7f854ba78717be1e6911

SHA1
b86110faea04a25631e4f6e5e950a5c765f55919

SHA256
a0f78ed7a35359ed50d2b863c6e22bc1444341c8b992338c68ab17be1fa3bcab

SHA512
0e8b73b5963aa9bba8afcd271d66bb50377a674d7f94e303b2ce64e194a0ee819dca496e4cb2ea70d6ac8932977db09b27093ea26b1d0fd60b5c387765de3367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{54A1E4F8-B008-11EC-B9A4-E620F3DF43A3}.dat
Filesize
4KB

MD5
485ebea97b7a356706305a0156ca909d

SHA1
44601040f12a54b5e75f30586c4afd52b2c03f27

SHA256
a53895c7446104941547907bc87968e9d221d5a6d9fd14555090a19a6e986c13

SHA512
8d0609ac511966d0548c1cd721d55e7ad18057d30e913f74bcf6cf47c970fe85e0589a0a4495b54807a67a04440595db5ba6cb84ec641bbc26a1bfc67a08aacf

Download Submit
C:\Users\Admin\Desktop\Read Me!.hTa
Filesize
7KB

MD5
b9856ca79007c0533747ab13032dc915

SHA1
16edfbbda5c7d87285092064adf5f2979a7275e8

SHA256
d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

SHA512
58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

Download Submit
C:\Users\Admin\Desktop\b0222.gif
Filesize
50KB

MD5
926d92c5744db1500c15fcdc8f9d47a3

SHA1
272ac3afbd17a804a91bca1cf0bb0bb03e9161d0

SHA256
25b6d9418d32d9289178b413da675ceee1ebaa9ec2b77febac61de066ea86bff

SHA512
3098fe75ddd74d6d2c37c81620fbb17d41e8f9e079b12fe4edfe71aaa8ad114658ac1f603039ba56b145dd906998ab322a6cf18a06f133b7c02a2d7b4094247d

Download Submit
C:\Users\Admin\Favorites\Bing.url.[Bomani@Email.CoM]
Filesize
1KB

MD5
7d18e42a0900278724a34ee1b10c1c14

SHA1
50d2a3a79848fd0338a335be08e245d2193612e1

SHA256
4e8b2c4396e5548ed40864cf715a37700baa91bf819653082a1f4934717b1546

SHA512
4095fcb969bdb0d49ffbd6d99ad1912152814408f05c5267319913bfb33caf5da8f6e60d15e1b4ced6f69878ef61a7e486961f2f608d8efd49fe60de738635dd

Download Submit
C:\Users\Admin\Favorites\Links\Read Me!.hTa
Filesize
7KB

MD5
b9856ca79007c0533747ab13032dc915

SHA1
16edfbbda5c7d87285092064adf5f2979a7275e8

SHA256
d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

SHA512
58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

Download Submit
C:\Users\Admin\Favorites\Read Me!.hTa
Filesize
7KB

MD5
b9856ca79007c0533747ab13032dc915

SHA1
16edfbbda5c7d87285092064adf5f2979a7275e8

SHA256
d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

SHA512
58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

Download Submit
C:\Users\Admin\Pictures\Camera Roll\Read Me!.hTa
Filesize
7KB

MD5
b9856ca79007c0533747ab13032dc915

SHA1
16edfbbda5c7d87285092064adf5f2979a7275e8

SHA256
d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

SHA512
58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\Read Me!.hTa
Filesize
7KB

MD5
b9856ca79007c0533747ab13032dc915

SHA1
16edfbbda5c7d87285092064adf5f2979a7275e8

SHA256
d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

SHA512
58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

Download Submit