e25580890c90ae7aab2fb18297aeb49de95b818d91ec717bfa5733cd746989c7

Analysis

max time kernel
121s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a796da6a167694858aaedfd05dc0b4a.exe
Size

1.8MB
MD5

0a796da6a167694858aaedfd05dc0b4a
SHA1

97a2d0742150156e09ca5ac6192f1b9e6f20bf1e
SHA256

e25580890c90ae7aab2fb18297aeb49de95b818d91ec717bfa5733cd746989c7
SHA512

41fef0674e438c21851b202ecda8e23eee6c87d26534dba3215fb129bd50391448cedfdee8427a91ae4abeb074d4a32e88c806e950b70f1460fd838d76361cc4
SSDEEP

49152:JJmFnyeHSDKfuWnZR4EboBndcs+qtG53enzg2BzbPgTd:DWHHSDxWaD4kzDJrgx

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2568	TbHelper2.exe
452	TbHelper2.exe

Loads dropped DLL 28 IoCs

pid	Process
1736	0a796da6a167694858aaedfd05dc0b4a.exe
1736	0a796da6a167694858aaedfd05dc0b4a.exe
1736	0a796da6a167694858aaedfd05dc0b4a.exe
1736	0a796da6a167694858aaedfd05dc0b4a.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
1956	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
452	TbHelper2.exe
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ = "SMTTB2009"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\update.exe	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\basis.xml	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\TbHelper2.exe	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\alert_plugin.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\mbback.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\CustomTabPage.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\affid.dat	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\icons.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\MacroParserPlugin.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\nav1c.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\mbsep.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\mbfwd.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\TbCommonUtils.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\mbclose.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File created	C:\Program Files (x86)\Layouts Express Toolbar\UninstallToolbar.exe	0a796da6a167694858aaedfd05dc0b4a.exe
File created	C:\Program Files (x86)\Layouts Express Toolbar\icon.layoutsexpress.ico	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\tbhelper.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\mbbigopen.bmp	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\KeywordsPlugin.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\uninstall.exe	0a796da6a167694858aaedfd05dc0b4a.exe
File created	C:\Program Files (x86)\Layouts Express Toolbar\install.ico	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\tbcore3.inf	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\tbcore3.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\version.txt	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\somoto.dll	0a796da6a167694858aaedfd05dc0b4a.exe
File opened for modification	C:\Program Files (x86)\Layouts Express Toolbar\info.txt	0a796da6a167694858aaedfd05dc0b4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2472	taskkill.exe
2384	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\AlertAnimated = "1"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\LastQAScriptCheckTime = "1703524693"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000def098f853606a15fc2a4d83bd86e2e4d22916ba07710d6409e58cfe84ca7438000000000e8000000002000020000000f8539f2d980888236ff37c6832e7eb63da1c58334baf00c13d3f0d4aebd5b7ff50000000d9d7d6a4fe958ffbc4a60aca17ef1d08331587a576ec859f098bc93ce973f11595db646b1927764b160712ecd5cb335df82a515a04c41798b328e14bb7535c380dd1bc62733d6f1e9a30b765187130a240000000b35cc88e294abf8c8175d4257a8b23cf0b2840bb5515106e6478dcf69071b357dd91baf08fe7e6f9d61334762c1ff16352a85311ea94cd441b24875c09954ef9	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\oldHomepage = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\	TbHelper2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001e00000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fe4d8b332c2e38439e41e176d497299e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	0a796da6a167694858aaedfd05dc0b4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.bigseekpro.com/layoutsexpress/{5D4CD9F4-AEAC-464A-B9E8-39DCB2FDD4C7}?s_src=newtab"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\DescriptiveText = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\firstTime = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\Toolbar Path = "C:\\Users\\Admin\\AppData\\LocalLow\\Toolbar4\\{338B4DFE-2E2C-4338-9E41-E176D497299E}\\"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\TBShow = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\C:\Users\Admin\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C- = "1703524700"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\EnableNavButtons = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\EnableLogo = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\basis	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	0a796da6a167694858aaedfd05dc0b4a.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\OpenNew = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\EnableNavButtons = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\DeskbarMode = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\RunSearchDragAutomatically = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\UpdateAutomatically = "2"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\needSetHomepage = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\TBBreak = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\C:\Users\Admin\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C- = "1703524690"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000bfb27bba207d1414186195c3d3fd55fbc865b6b49ea77d774a536f27a7604964000000000e8000000002000020000000677223356071b411ee4d232dd5b395929d3cd59bc9b6c88ec2c449094d15f06520000000fb2cbfae6b04fbadf583c3ccc70cb8ee4e012e1d1ab3325d3f6074111ded38c340000000074ea61bac2395cf6da25a7b43eb1b0407f5d4a9bde9c7d5ab0ddc9d76c0bce8aff44c6fcfa8fc2d6040758b21e5c1e14a64f9b1b37bed98426bcfe4c6ab2f7a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001003500000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fe4d8b332c2e38439e41e176d497299e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\needSetHomepage = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\mac_id = "6a1079a24c90"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\CurrentLayout = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe"	TbHelper2.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\AutoSearch = "http://www.bigseekpro.com/search/toolbar/%AffiliateID/%toolbar_id?q=%s"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\updateXML = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\	TbHelper2.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\	TbHelper2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\AutoWild	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{92EC3DC1-A349-11EE-9D16-6A1079A24C90} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009\Toolbar\RunSearchDragAutomatically = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\SMTTB2009	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\Policy = "3"	TbHelper2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409686558"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.bigseekpro.com/layoutsexpress/{5D4CD9F4-AEAC-464A-B9E8-39DCB2FDD4C7}"	TbHelper2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.bigseekpro.com/layoutsexpress/{5D4CD9F4-AEAC-464A-B9E8-39DCB2FDD4C7}"	TbHelper2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}\ProgID	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}\ = "_ITaskEvents"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\InprocServer32\ = "C:\\Program Files (x86)\\Layouts Express Toolbar\\tbcore3.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Layouts Express Toolbar\\TbCommonUtils.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}\1.0\HELPDIR	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}\ = "ITbRequest"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbPropertyManager\CLSID\ = "{C339D489-FABC-41DD-B39D-276101667C70}"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}\LocalServer32	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ = "ICommonUtils"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbRequest.1\CLSID	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\TypeLib\Version = "1.0"	TbHelper2.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Software\Microsoft\Internet Explorer\Main	TbHelper2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TbCommonUtils.CommonUtils\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\TypeLib\Version = "1.0"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SMTTB2009.SMTTB2009\CurVer\ = "SMTTB2009.SMTTB2009.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\Version = "1.0"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\TypeLib\Version = "1.0"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\InprocServer32\ = "C:\\Program Files (x86)\\Layouts Express Toolbar\\tbcore3.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SMTTB2009.IEToolbar.1\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl\CurVer\ = "Toolbar3.CustomInternetSecurityImpl.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SMTTB2009.SMTTB2009.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\TypeLib	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{338B4DFE-2E2C-4338-9E41-E176D497299E}\VersionIndependentProgID\ = "SMTTB2009.IEToolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1\CLSID\ = "{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ComObject.DeskbarEnabler.1\ = "DeskbarEnabler Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\ = "CustomInternetSecurityImpl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbDownloadManager.1\CLSID\ = "{D89031C2-10DA-4C90-9A62-FCED012BC46B}"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}\TypeLib	TbHelper2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	0a796da6a167694858aaedfd05dc0b4a.exe
1736	0a796da6a167694858aaedfd05dc0b4a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
992	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
992	iexplore.exe
992	iexplore.exe
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2384	1736	0a796da6a167694858aaedfd05dc0b4a.exe	21
PID 1736 wrote to memory of 2384	1736	0a796da6a167694858aaedfd05dc0b4a.exe	21
PID 1736 wrote to memory of 2384	1736	0a796da6a167694858aaedfd05dc0b4a.exe	21
PID 1736 wrote to memory of 2384	1736	0a796da6a167694858aaedfd05dc0b4a.exe	21
PID 1736 wrote to memory of 2472	1736	0a796da6a167694858aaedfd05dc0b4a.exe	20
PID 1736 wrote to memory of 2472	1736	0a796da6a167694858aaedfd05dc0b4a.exe	20
PID 1736 wrote to memory of 2472	1736	0a796da6a167694858aaedfd05dc0b4a.exe	20
PID 1736 wrote to memory of 2472	1736	0a796da6a167694858aaedfd05dc0b4a.exe	20
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 1736 wrote to memory of 2016	1736	0a796da6a167694858aaedfd05dc0b4a.exe	34
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 1956	2016	regsvr32.exe	37
PID 2016 wrote to memory of 2568	2016	regsvr32.exe	36
PID 2016 wrote to memory of 2568	2016	regsvr32.exe	36
PID 2016 wrote to memory of 2568	2016	regsvr32.exe	36
PID 2016 wrote to memory of 2568	2016	regsvr32.exe	36
PID 1736 wrote to memory of 992	1736	0a796da6a167694858aaedfd05dc0b4a.exe	39
PID 1736 wrote to memory of 992	1736	0a796da6a167694858aaedfd05dc0b4a.exe	39
PID 1736 wrote to memory of 992	1736	0a796da6a167694858aaedfd05dc0b4a.exe	39
PID 1736 wrote to memory of 992	1736	0a796da6a167694858aaedfd05dc0b4a.exe	39
PID 992 wrote to memory of 2032	992	iexplore.exe	38
PID 992 wrote to memory of 2032	992	iexplore.exe	38
PID 992 wrote to memory of 2032	992	iexplore.exe	38
PID 992 wrote to memory of 2032	992	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\0a796da6a167694858aaedfd05dc0b4a.exe
"C:\Users\Admin\AppData\Local\Temp\0a796da6a167694858aaedfd05dc0b4a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /F /IM tbhelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Layouts Express Toolbar\tbcore3.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Program Files (x86)\Layouts Express Toolbar\TbHelper2.exe
    "C:\Program Files (x86)\Layouts Express Toolbar\TbHelper2.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2568
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Layouts Express Toolbar\TbCommonUtils.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.bigseekpro.com/i_end/0/1/1/1/1/layoutsexpress
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:992

C:\Program Files (x86)\Layouts Express Toolbar\TbHelper2.exe
"C:\Program Files (x86)\Layouts Express Toolbar\TbHelper2.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0787ffe190c9d17fcefac0f306189cd5

SHA1
a79cfa8b3ce59fef15fa83aa34122498ad1c0bf3

SHA256
80d24c5aa53ec3f54c353459864be1591806a6f6972e14d707ddc7293f9c5639

SHA512
19bcb09b382ebbd66f0f83b0c4ad72565160f7bc8f406ddfe688dd87be2b359d55dd4a5c6be2fe997d0d6c74f143e43b77a981e487ea61fa649da43d55ada5d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f972c276bcc9462130d8317b6221530

SHA1
462f8e6928559e8df380db8443019e8da2f128ae

SHA256
2ae9a98178de7c3f205b2fb62b0b4b185f9492dc5ce01499786681aaab7cc4c6

SHA512
1dec5ef3367147fc507b39b0cd611d1c6471fe98edb6a2ce8fa6885fc6cc3e9d1a333b9170cdff22adf19583c00fcf10e4d3162d52a0d240901c90cb2cb407f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db0e2817dac4d9b7860051f10e58cc57

SHA1
ec4bd51fc0095fd067138757829de68878b3b319

SHA256
64f241f3b7342fc81dca0fd5c41fb4bf3a82ba9a6d662df8126c21f66a271c5f

SHA512
062e7d927d356396d113c091784c661012562b8cfb66659a892482272270b79ec15793da99548e7f5ca61939175abc2f2d21b7bb54c92735db7c75af3835e15a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f476c105ebd788ca6d0e4c289fb7063b

SHA1
cbfcf98fad05a43b3bf3ba5ef2080e80221aef23

SHA256
3c6d8a7bd43ea477bd757f1dbb0f77c3c53f96ec78286eaadfb71895e9280f7b

SHA512
23febd03486b49799b557b85bd6cd29261c88f10c1802cc33e4bc3e8dfdbc341afeb2fa0e8ab9655eed672f9dbf65a3a94f964b1ea1aac8b1e80fd72ed9c1281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fd9c5793938d851adcc3b6d23904ee8

SHA1
49f8d0e9c6ab6b96fd67226aa552ef9feb25d3fc

SHA256
3105f782d6986ef475c619db4e1015a594ee78021adfdd63b9b79970baaa64fb

SHA512
bc2ea7c383557e4fe1192c884e08854ca5ea95964d59d8fc30008bad0d4b9dec492fe2f31151aa6df30910b51e9b221f52da35bc2bf2f48c845f7382179bd289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0dcdb87854e958c5892386512e62d7bf

SHA1
0347840034f99d939d025b390547d7a493b9ac80

SHA256
9eef6483d2a3ec45eb7a9fa9b380aee6212abadb69fb67f12f9b6960d94f6e1e

SHA512
c7eebbc20bb4e1ee5e772cb9c8b704a545108bfdf15b322d8a5b61cc965337f6ccc8daf271d4bf61fc0037af546e897bd0dea4dac46de3669d0a0c2ee15e0964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4be71a26f4d213b0b61b9017c226f7e3

SHA1
26d7764f310ed6b22aac49e599ed125edf3475ef

SHA256
044d95da576ab209fc34f67e967280e6e374532966f42ab8bbe31da55d77ecb2

SHA512
a5e5b3678f672730c99b76a6bea138cd4b61fd7e50ee89aa6438e4f4b3bc0a989997f12e380d7ad8c7b1c98804f9b5a4e2b1535b22518366c386ae793185c13a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52b3f056e8c9a84a05cd111b6bc6f2d0

SHA1
673065496f6e985c42646db4ea903767b3ebfc67

SHA256
336c0296e496a9cb7ab7476d981b432180c9d11f87549cfef5666900ab23225d

SHA512
33d3dc0270e4875c7eac0c90c43c8d45676e65749d3f7383880352755f73429c21eeb65aafda235a08988640f18f1d6a08ece9c66c304a91659ef7c002f367a4

Download Submit
\Users\Admin\AppData\Local\Temp\nstA11.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1736-20-0x0000000000480000-0x0000000000499000-memory.dmp

Filesize
100KB

Download
memory/1736-113-0x0000000002A40000-0x0000000002A6A000-memory.dmp

Filesize
168KB

Download
memory/1736-14-0x0000000000480000-0x0000000000483000-memory.dmp

Filesize
12KB

Download
memory/2016-170-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2016-176-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2016-183-0x0000000000460000-0x000000000047F000-memory.dmp

Filesize
124KB

Download
memory/2016-180-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download