93ca5549b18737699deb942e2404bd373b88f72d2b5d4693bb68456c6d84da02

Resubmissions

22/11/2022, 10:23

221122-me2xbadd8z 8

22/11/2022, 10:19

221122-mckj9add2v 8

22/11/2022, 10:14

221122-l9ql4adc3w 8

Analysis

max time kernel
148s
max time network
168s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe
Size

4.3MB
MD5

19079710e724d00ec52a979335797a6e
SHA1

d28f13775018622f1f3d2a7c721d2fecfee18998
SHA256

93ca5549b18737699deb942e2404bd373b88f72d2b5d4693bb68456c6d84da02
SHA512

ecf31d9366f8cd66759dc15daffe7ea3a0538e07ef13c36bad45db24b0833a2ec8e5b5e36bb711b3209227b8371486c051f0a65ebbf1f47a6b6707df4a0b32e7
SSDEEP

98304:tkLt6hB0m9WZXk8a7EdrL143hPZmKAdKwcNtDGdPBmM:eQBf9WO8amCRPMLKwcNcdPBR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp

Loads dropped DLL 4 IoCs

pid	Process
1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe
1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375880719"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAF77B01-6A56-11ED-A964-C6AD45B766F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106245d963fed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000959be6e32234ac136d26a5b92b0da7e1f693ddd2e16a33ec340b0f2fef9aee45000000000e80000000020000200000007338e74ff2ca46fe142394068eb40f8694bd579e6b106ec5a81de298b0f87e5890000000d53b8b2318acce5dec6f93a9090589e9000398f1a2d3ebf6adaa007ac7cb5a50f327d573c64fada8f59c941f04fad88e57654700c05e7552adce43f5e3713d22a5420fc8425cf323e7441bb5e252e7f42a7ed53507f378cb7d2db50a5f4b885eef9d524619cb78676b5ad9fea397453e1ccaa55065c736f4ce1adf8eb45826edebb23ebe17ddb7ef370b199c94c88ee640000000c33bcae50193fd197a85bb252cb2854a60eb6da0a1d6411d33c5546ea33ebb5dda55bede6beebf83fac6b4808233a9046ac88f24259ab8bc2d49165908f10a53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000baaf5aef41d4404563bc7ed0e2c0e0d7e3a89fda07c254dacce7232663c9fa72000000000e8000000002000020000000313c24c284505c12e9398da07e8b101e6caf72c16cab838d5fbce5cc7128700920000000757a2841a05972c8f7a0eff6dd5e46f7d51d968babcf7552d7dae7ea01d027894000000038a4e6b41f9fa2c8b1cc4dbd185ca8855efeb87c399c2eacb64dad5dd23fba58164827f59f1a071ad27cf8c6202e486bf31994ffa11cfb6aead56370da3e0a60	iexplore.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
288	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
992	iexplore.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
992	iexplore.exe
992	iexplore.exe
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1516 wrote to memory of 1720	1516	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe	27
PID 1720 wrote to memory of 992	1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp	28
PID 1720 wrote to memory of 992	1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp	28
PID 1720 wrote to memory of 992	1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp	28
PID 1720 wrote to memory of 992	1720	StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp	28
PID 992 wrote to memory of 1864	992	iexplore.exe	30
PID 992 wrote to memory of 1864	992	iexplore.exe	30
PID 992 wrote to memory of 1864	992	iexplore.exe	30
PID 992 wrote to memory of 1864	992	iexplore.exe	30
PID 820 wrote to memory of 316	820	chrome.exe	33
PID 820 wrote to memory of 316	820	chrome.exe	33
PID 820 wrote to memory of 316	820	chrome.exe	33
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 1968	820	chrome.exe	34
PID 820 wrote to memory of 288	820	chrome.exe	35
PID 820 wrote to memory of 288	820	chrome.exe	35
PID 820 wrote to memory of 288	820	chrome.exe	35
PID 820 wrote to memory of 1560	820	chrome.exe	36
PID 820 wrote to memory of 1560	820	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe
"C:\Users\Admin\AppData\Local\Temp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\is-3AC1E.tmp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3AC1E.tmp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp" /SL5="$70122,3475251,1235968,C:\Users\Admin\AppData\Local\Temp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://paste.sh/U_bf4h9Z#aLacLL88NVkuNBDqoT8H9nY2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67b4f50,0x7fef67b4f60,0x7fef67b4f70
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1128 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1760 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3344 /prefetch:2
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,5866764081297506142,9330570716532657577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43155b0425965f1031dfe37c2d8ed543

SHA1
cef2bad4714cb80b9bd6961ecf4d3bafdd2ba8d4

SHA256
b747007ebe631a13c5f546b7714fe730a99ba0309e787122853cd96ead10d923

SHA512
737fb98dfd19371f988f7daf189a0d89c5245d941c1ce08ac206aef2aeadfd9b1dd554c9f1d655b7e9941ed4a4eece543f46c104ad4fa57c6686e977df50f8e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46e3b0447b7815c7329f31239932e20c

SHA1
9f9178fe617939611a6e871d30fb1ea167108007

SHA256
20ce88a4182de193bf71c3741ef6c7244113c73356c7ac921e1239c34fb3a586

SHA512
4f5282927e19621d239c7b46c6da1bbed93e99bea998190136da284633f017b109138bf0a5cf30f9ede8fb9b4930f45113c26ec633c5fc8c82459e52ecb0d6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
270c34ab9abb2f88b1ab906df72307e7

SHA1
3aef476c433bd951e2a4b836b56b47f441b2b187

SHA256
a7db37f12381c59c47fcc16208759a8f35c9340023b4bd49d262dbd34bd09352

SHA512
3622860f7de6b598289048ccd5d30836147b12e611fd241ca5d61e39a225d54660d86641f64a8364fc87a3c9d84fae61ff2399f1afe89b2c974d2b34465e74a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6b693e8a9998fb50a7158988bacecfb

SHA1
3eaf05cb5bedf404e7b107504446354dfe74b9ac

SHA256
2ae0d3063f6c69814bd6efe8ce7d8b99c84f93548a269d1a553527ff81c60ed4

SHA512
f854d237e831784049b40a4609d71b03eb234c8c442d0add488af4c67bc53ea4254987c539789ec8153777fa0c9fc8d4847d683154d7b9c9cc44a09a949506c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1wzfztv\imagestore.dat

Filesize
1KB

MD5
279ef345f81ff98144dd1141c40cc773

SHA1
0ce53d3d4a079579c75eb3325774d755c4a6ab41

SHA256
a62b3ba3bc2796f428c60dff1be19b0c627d70e4e753a6f41e18283c8e424f8d

SHA512
3588e1a6ec4c57da83dbf3d423825eeccc77a72e7de1e2e4261cb3e5e5eca46fb24a89d11590dbc14e1566b45eadd51eb81bc73912b0b225906336cf9c488260

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3AC1E.tmp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp

Filesize
3.4MB

MD5
2d8c736e49d6c7b4739418277a32d16e

SHA1
ad2fd43457b75de6af95d1af03edc9c45c9717d7

SHA256
94e86b57bd15d1d8580cdaab9bf56cab05821598ed0c61c153d3c25da417de57

SHA512
01822b7ee33f78ac78005e4184ec67fcf062113ed853ca388bf457652948fc714ffc5d10ff122414e4d74812096b061f13087c673983420d930a108df901e638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MW1TMJ3J.txt

Filesize
601B

MD5
fa3d21306fe9958a60791027d82ec02f

SHA1
4ff316ee4e5755eb9330946730c033868b57a7ba

SHA256
5df63ffd68c256237a215a41ebea1239c0cb2096eb756832aa2a97644e71443e

SHA512
28d1d351d2fd669b41dbbb190f44c10eb21c8b03ce95cc62b12994c66777a729bff791f983e4f226232a39c39e989ca28c1dad75b813bcb9f95dd0944146c7aa

Download Submit
\Users\Admin\AppData\Local\Temp\is-3AC1E.tmp\StupidIdiotCafe - Linkvertise Downloader_u7i1-f1.tmp

Filesize
3.4MB

MD5
2d8c736e49d6c7b4739418277a32d16e

SHA1
ad2fd43457b75de6af95d1af03edc9c45c9717d7

SHA256
94e86b57bd15d1d8580cdaab9bf56cab05821598ed0c61c153d3c25da417de57

SHA512
01822b7ee33f78ac78005e4184ec67fcf062113ed853ca388bf457652948fc714ffc5d10ff122414e4d74812096b061f13087c673983420d930a108df901e638

Download Submit
\Users\Admin\AppData\Local\Temp\is-MCEF9.tmp\AppUtils.dll

Filesize
1.8MB

MD5
61313107f86efd528d5e0b15fcc8b8c7

SHA1
4de55bee0decf620de12ee49d8d94d6796d59721

SHA256
99c01c23b88ab7e656ccb05200fec3c12779de7e20fa20aaea034e7a12fc90ef

SHA512
7fcd8fde1ead2ee6e879240f55f3ff4db17e7f716c3fc7f28da1464ed4a1760568427584fe34cfea945c64ab9a8db7b8d50e80e3bc27b8c2c1103aa6846a9dc2

Download Submit
\Users\Admin\AppData\Local\Temp\is-MCEF9.tmp\DimensionUtils.dll

Filesize
1.9MB

MD5
21da787bf4014ee28ba649bc0335f012

SHA1
9ae7f559a3f925e533f1526722118bb16672ee28

SHA256
9f5e08b5309fde308dc9786e98e90cb3661fc06ac8dfdfbfa550b5e62b083564

SHA512
0b44ca41123d4cd94acb192e2865e4e7bfc4c0c80722efb59c40675f76eb06e042d889fb2a01caa0f371abce69c387ffe4e50b9d6fa16c25ef03f20989c3c3a5

Download Submit
\Users\Admin\AppData\Local\Temp\is-MCEF9.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
memory/1516-68-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1516-66-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1516-54-0x0000000076161000-0x0000000076163000-memory.dmp

Filesize
8KB

Download
memory/1516-60-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1516-55-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1720-67-0x0000000073C91000-0x0000000073C93000-memory.dmp

Filesize
8KB

Download