Malware Analysis Report

2025-01-18 21:28

Sample ID 240321-qkaxkadh2w
Target dbb8a830f9288e1a268901c7867b3536
SHA256 bab1c0bac0b402b44d52b9b1be9f102995db318bcd1fa07f507ccbe8d3785bef
Tags
adware discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file dbb8a830f9288e1a268901c7867b3536 was found to be: Likely malicious.

Malicious Activity Summary

adware discovery persistence spyware stealer

Adds policy Run key to start application

Modifies Installed Components in the registry

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies Control Panel

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 13:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 13:18

Reported

2024-03-21 13:21

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\cmspptpobj.exe" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = "C:\\Windows\\system32\\ipfwcsrv.exe" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\cmspptpobj.exe" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sqlpoolsql.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\cmspptpobj.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\cmspptpobj.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\dispsqldisp.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\sqlpoolsql.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\objprocsql.ocx C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\objprocsql.ocx C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\dispsqldisp.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\ipfwcsrv.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\ipfwcsrv.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ForegroundLockTimeout = "55377640" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e18100000000020000000000106600000001000020000000793993690265817755ac3fd42ebc6dd7c23ee998d751513dc53a394efbae4ee8000000000e8000000002000020000000b7a61ea53a2da3f0c909ee5a6f7a88d91283be7254ed094dbbaa97fd16d46554200000005be1be2a4844800733a27d39a25f7a286823a831d24a4eddaa578415eabba3e040000000ab11cb6f2b3fe514f7735c6a7024922f1de80cb315b5bddba1db3abb55c11555f02c9267f812534cd2af1e00c6bb1c8bc661f903f0300deda790f9086412224b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A88BD3A9-E785-11EE-ABF1-C2C57F2727CB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e014a87d927bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f1cea7927bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095698" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e18100000000020000000000106600000001000020000000dda6a2704860a5500cc501cc0f44b2155a0ea4c109dfc51c868668903fbad0ab000000000e8000000002000020000000bc603e8cda4d419e9d53ffb66fd7101a333fb24d80007723c4ad986ab67592bf20000000d5450cd3ee8f2a3500da03efd0e826f0178e6f01c4d99314d02a61d25f486e1b400000009cd647cbf98d6db1e7f60b46a22a367300e6e767c38e4030b64457e8a52a2f318e7924cb717367a078d19b691426628d02af3f44367ebfd5cc0e2edd0cfd99b2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2095674004" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095698" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f059a37d927bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2097549057" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2097549057" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e18100000000020000000000106600000001000020000000ddcba86c17c1ab090a3252852a89c62467cf07d0900df028e37f396ead290fdf000000000e8000000002000020000000803e5abc900c2022d78d2670335372a801efdf5107bb05b3ec82dcb85e5b0dc420000000f9d64026cd1885d9c12f78dc86db7f2e2047cba39abeca9d53ef04be8d2594304000000037fdcd72f431a4e6754cb5074a53d3fa81d27f2645c1131da5c0b0d37ce59963dcd9ae0976319f348fd766e3978acfb4b9a473f1b8118411ed7831c6de09aac8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417792148" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095698" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2095674004" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095698" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\objprocsql.ocx" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe

"C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 203.135.221.88.in-addr.arpa udp
RU 82.146.51.22:80 82.146.51.22 tcp
RU 82.146.51.22:80 tcp
US 8.8.8.8:53 22.51.146.82.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 82.146.51.22:80 82.146.51.22 tcp
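Most of this table is sandbox background rather than sample behaviour: the in-addr.arpa queries are PTR (reverse) lookups that Windows issues for addresses it has just talked to, and the bing.com / bing.net / microsoft.com traffic comes from the Internet Explorer instances the sample spawned. The one connection that is not explained that way is the repeated direct-to-IP HTTP to 82.146.51.22:80, for which no forward DNS lookup appears at all (the 22.51.146.82.in-addr.arpa query is the OS resolving that address backwards after the fact). The script below is an added example and not part of the sandbox output: it parses rows in the table's own format, including the rows where the domain column is the bare IP or missing, classifies each one, and leaves the hunt-worthy connections over. The BACKGROUND_SUFFIXES allowlist is an analyst assumption, not something the report states.

```python
"""Triage the Network table of a sandbox run: separate OS and browser
background traffic from connections worth hunting for.

Added example, not part of the sandbox output. ROWS are copied from the
behavioral2 (win10) Network table above. BACKGROUND_SUFFIXES is this
example's own allowlist (an analyst assumption, not something the report states).
"""
import re
from collections import Counter

# Rows copied from the report: "<Country> <Destination> [<Domain>] <Proto>".
# The domain column is sometimes the bare IP and sometimes missing entirely.
ROWS = [
    "US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.200:443 g.bing.com tcp",
    "RU 82.146.51.22:80 82.146.51.22 tcp",
    "RU 82.146.51.22:80 tcp",
    "US 8.8.8.8:53 22.51.146.82.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 ieonline.microsoft.com tcp",
    "RU 82.146.51.22:80 82.146.51.22 tcp",
]

# Assumption: names under these suffixes are Internet Explorer / Windows
# background traffic in this sandbox image rather than sample-driven.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised network row: " + row)
    domain = m.group("domain")
    if domain == m.group("ip"):         # bare IP in the domain column means "no name"
        domain = None
    return {"cc": m.group("cc"), "ip": m.group("ip"), "port": int(m.group("port")),
            "domain": domain, "proto": m.group("proto")}


def ptr_to_ip(name):
    """'22.51.146.82.in-addr.arpa' -> '82.146.51.22' (PTR names reverse the octets)."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify(conn):
    if conn["port"] == 53 and conn["proto"] == "udp":
        if conn["domain"] and conn["domain"].endswith(".in-addr.arpa"):
            return "ptr-lookup"         # Windows resolving an address it just talked to
        return "dns-lookup"
    d = conn["domain"]
    if d and any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES):
        return "background"
    return "candidate-c2"


def triage(rows):
    conns = [parse_row(r) for r in rows]
    kinds = [(c, classify(c)) for c in conns]
    candidates = Counter((c["ip"], c["port"]) for c, k in kinds if k == "candidate-c2")
    # A candidate with no name at all was reached by hard-coded IP: nothing in DNS
    # logs will show it, so the IOC has to be the address itself.
    nameless = {c["ip"] for c, k in kinds if k == "candidate-c2" and c["domain"] is None}
    reverse_looked_up = {ptr_to_ip(c["domain"]) for c, k in kinds if k == "ptr-lookup"}
    return {
        "candidates": dict(candidates),
        "nameless": nameless,
        "ptr_seen_for_candidate": {ip for ip, _ in candidates if ip in reverse_looked_up},
    }


if __name__ == "__main__":
    result = triage(ROWS)
    for (ip, port), n in result["candidates"].items():
        tag = " (no DNS name; PTR query seen)" if ip in result["ptr_seen_for_candidate"] else ""
        print(f"{ip}:{port}  {n} connections{tag}")
```

Run on the rows above it reports a single candidate, 82.146.51.22:80, three times, with no forward lookup and a PTR query for it. The same logic applied to the behavioral1 (win7) table further down gives the same answer, which is the consistency check to look for before putting an address on a blocklist.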

Files

memory/3372-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3372-4-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\advsec32.dll

MD5 97c92f4457dd94d678d4c9e4bdd8352f
SHA1 8d80f3cead2b0c5b2b80feb548131daf4d33297d
SHA256 eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3
SHA512 f07bc6be6a70ee28c5dddfcc036c6f3c17abc89f1240a688519c2d39a3012016b13689577dd62f2391153f837cbed5ed127568f14523ac0d6b33c516e0f51e75

C:\Windows\SysWOW64\dispsqldisp.exe

MD5 385c2f0e2cbbdb3cb198b1856acb6c2d
SHA1 2dab3d3380958cd94ece5e6c5793e4a6c3539b60
SHA256 f518a6bd499de7d8b89494172ae21ccd4fb8a63e48c9e0f44f7b6911875908f3
SHA512 f063404ae37b6047050635243190c69fd96399fc0ef869af91f710c43bee01db3888b958a6a1a7bce76a606af53d9f958b306dede77a25dd8c41bffa3803b004

memory/3372-13-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3372-15-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3372-19-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3372-31-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5BB7.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RXB2E2AL\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
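Across the two detonations the same content turns up under different names: the advsec32.dll that this win10 run staged in Temp carries exactly the hashes of the procinfoip.ocx that the win7 run below writes to SysWOW64 and registers as the BHO's InprocServer32 (see the behavioral1 Files and "Modifies registry class" tables further down). The other SysWOW64 drop names also differ between runs. Hunting by file name would therefore miss the module; hunting by hash would not. The script below is an added example and not part of the sandbox output: it parses the Files listing in the report's own format (a path line, a blank line, four hash lines; memory/... entries for dumped regions), validates the digest lengths, and groups entries by SHA256 across runs. The entries embedded in it are copied from this report's two Files sections.

```python
"""Correlate the Files listings of two detonations by content hash.

Added example, not part of the sandbox output. The entries in FILES_BY_RUN are
copied from the behavioral2 (win10) and behavioral1 (win7) Files sections of
this report; the parser and the correlation logic are the example's own.
"""
import re
from collections import defaultdict

FILES_BY_RUN = {
    "behavioral2 (win10)": r"""
memory/3372-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\advsec32.dll

MD5 97c92f4457dd94d678d4c9e4bdd8352f
SHA1 8d80f3cead2b0c5b2b80feb548131daf4d33297d
SHA256 eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3
SHA512 f07bc6be6a70ee28c5dddfcc036c6f3c17abc89f1240a688519c2d39a3012016b13689577dd62f2391153f837cbed5ed127568f14523ac0d6b33c516e0f51e75
""",
    "behavioral1 (win7)": r"""
memory/2196-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\procinfoip.ocx

MD5 97c92f4457dd94d678d4c9e4bdd8352f
SHA1 8d80f3cead2b0c5b2b80feb548131daf4d33297d
SHA256 eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3
SHA512 f07bc6be6a70ee28c5dddfcc036c6f3c17abc89f1240a688519c2d39a3012016b13689577dd62f2391153f837cbed5ed127568f14523ac0d6b33c516e0f51e75

C:\Windows\SysWOW64\poolpdbpptp.exe

MD5 d2e345b3340e1404b0027f561ed8581a
SHA1 2ac5df8424b4726f221361702c193862dc986cff
SHA256 3367db7f8c1bd6ac90e23b4017290969379725c0f46c7bc9ed248f87f67fe0f4
SHA512 37b1c3e901581f88ecee45d7e3bb5f6f1769ad3f25ddc7bf6c428012ac3b8db6f08c3eb2c7ad5cc73433779c20c34ea9358bd494e58a92c3a78ca61cb19d7623

memory/2196-22-0x00000000004C0000-0x00000000004C2000-memory.dmp
""",
}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_files(text):
    """Return (files, regions): files are {'path', 'MD5', ...} dicts, regions the
    dumped memory ranges as {'pid', 'start', 'size'}."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.append({"pid": int(m.group(1)), "start": start, "size": end - start})
            current = None              # a hash line after this would be stray
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None or len(digest) != HEX_LEN[algo]:
                raise ValueError("stray or malformed hash line: " + line)
            current[algo] = digest
            continue
        current = {"path": line}        # anything else starts a new file entry
        files.append(current)
    return files, regions


def same_content(runs):
    """SHA256 -> sorted list of (run, path) where that exact content was written."""
    seen = defaultdict(set)
    for run, text in runs.items():
        for f in parse_files(text)[0]:
            if "SHA256" in f:
                seen[f["SHA256"]].add((run, f["path"]))
    return {h: sorted(locs) for h, locs in seen.items()}


def renamed_drops(runs):
    """Content that was written under more than one file name across the runs."""
    return {h: locs for h, locs in same_content(runs).items()
            if len({p.rsplit("\\", 1)[-1].lower() for _, p in locs}) > 1}


def system_dir_drops(files):
    """Files written into System32/SysWOW64: these need a name-independent IOC."""
    return [f["path"] for f in files if f["path"].lower().startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    for sha256, locs in renamed_drops(FILES_BY_RUN).items():
        print(sha256, "written as:", ", ".join(f"{p} [{run}]" for run, p in locs))
```

The memory/... entries are kept separately because they are not files: each names a dumped region of the sample process (pid 3372 here, 2196 on win7), and the 0x400000-0x439000 range in both runs is the sample's own image, which is why those dumps are what to unpack rather than anything on disk.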

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 13:18

Reported

2024-03-21 13:21

Platform

win7-20240221-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\lsacmslsa.exe" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = "C:\\Windows\\system32\\dhcpdisppool.exe" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\lsacmslsa.exe" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\poolpdbpptp.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcpdisppool.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\raspdbip.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\raspdbip.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\lsacmslsa.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\poolpdbpptp.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\lsacmslsa.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\procinfoip.ocx C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File opened for modification C:\Windows\SysWOW64\procinfoip.ocx C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
File created C:\Windows\SysWOW64\dhcpdisppool.exe C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ForegroundLockTimeout = "50986752" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d4427b927bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not reproduced in this report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417189038" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a960690000000002000000000010660000000100002000000036a117c194883b54c5341d3183214d956ef196bcbc05ec9bea239d533b7a10b7000000000e8000000002000020000000bc6a6e1fa93316c0190f100db296abaae46b8086b48d209d93d6e6e0acec077820000000e1ae7722b80e53a5a525f88ef1bf91f8e2d648e8639e93fb35c799dae3dceefa40000000e2fef3dac372082c002d4236fcb8012599d18a19131d8d1df23c3e45b82a08e45c91c72f0e330b13de93405797a99fa0556fe829103359b9524eebaade608f6a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A68B0F71-E785-11EE-B5E8-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\procinfoip.ocx" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
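Read together, the Run key, policy Run key, Active Setup, Browser Helper Object and CLSID tables above describe one persistence set with three separate triggers. lsacmslsa.exe is launched from both HKLM Run locations at logon. The Active Setup entry runs its StubPath (rundll32.exe loading themeuichk.dll) once per user at the next interactive logon, under a name ("Themes Setup") and ComponentID ("DOTNETFRAMEWORKS") that do not match each other; IconsBinary only references another dropped file, Active Setup does not execute it. The CLSID and ProgID registered here are the ones Adobe Acrobat's PDF Link Helper BHO uses, but InprocServer32 is pointed at C:\Windows\SysWow64\procinfoip.ocx, a file the sample itself created, so every Internet Explorer process loads the sample's module under Adobe's name. The script below is an added example and not part of the sandbox output: it parses the report's registry rows, normalises the \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM/HKU, maps each key to its ATT&CK technique, and checks every binary a persistence entry launches against the files the sample was seen creating. The rows are copied from the tables above; the technique mapping and the DROPPED list (names from the "Drops file in System32 directory" table) are the example's own.

```python
"""Turn the registry rows of this report into persistence hunt indicators.

Added example, not part of the sandbox output. EVENT_ROWS are copied from the
behavioral1 (win7) signature tables above. The ATT&CK mapping, the hive
normalisation and the DROPPED list (names taken from the "Drops file in
System32 directory" table) are this example's own additions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe"

# Rows copied from the report: "<Description> <Key>[ = <value>] <Process> <Target>".
EVENT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\lsacmslsa.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\lsacmslsa.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = "C:\\Windows\\system32\\dhcpdisppool.exe" ' + SAMPLE + " N/A",
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\procinfoip.ocx" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" ' + SAMPLE + " N/A",
]

# File names from the "Drops file in System32 directory" table (File created rows).
DROPPED = {"poolpdbpptp.exe", "raspdbip.exe", "lsacmslsa.exe", "procinfoip.ocx", "dhcpdisppool.exe"}

ROW_RE = re.compile(
    r"^(?P<op>Key created|Set value \((?:str|int|data)\)) "
    r"(?P<key>\\REGISTRY\\.+?)"
    r'(?: = (?P<val>"[^"]*"|\S+))?'
    r' (?P<proc>[A-Za-z]:\\[^"]+?) N/A$'
)
HIVES = {"MACHINE": "HKLM", "USER": "HKU"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"]+')

# Key pattern -> ATT&CK technique (Enterprise v15 numbering).
TECHNIQUES = [
    (r"\\Policies\\Explorer\\Run\\", "T1547.001 Registry Run Keys"),
    (r"\\CurrentVersion\\Run\\", "T1547.001 Registry Run Keys"),
    (r"\\Active Setup\\Installed Components\\", "T1547.014 Active Setup"),
    (r"\\Browser Helper Objects\\", "T1176 Browser Extensions (BHO)"),
    (r"\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32", "T1546.015 COM Hijacking (InprocServer32)"),
]


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised registry row: " + row)
    _, _, hive, rest = m.group("key").split("\\", 3)   # \REGISTRY\MACHINE\... -> HKLM\...
    val = m.group("val")
    if val is not None and val.startswith('"'):
        val = val[1:-1].replace("\\\\", "\\")        # report doubles backslashes in quoted values
    return {"op": m.group("op"), "key": HIVES[hive] + "\\" + rest,
            "value": val, "process": m.group("proc")}


def classify(key):
    for pattern, technique in TECHNIQUES:
        if re.search(pattern, key, re.IGNORECASE):
            return technique
    return None


def summarize(rows):
    """Return ({technique: set of binaries it launches}, set of binaries referenced
    by a persistence entry but never seen written by the sample)."""
    by_technique = defaultdict(set)
    never_dropped = set()
    for row in rows:
        ev = parse_row(row)
        technique = classify(ev["key"])
        if technique is None:                # e.g. the Check_Associations tweak: noise
            continue
        payloads = by_technique[technique]   # touch it so payload-less keys still appear
        for path in PATH_RE.findall(ev["value"] or ""):
            payloads.add(path)
            if path.rsplit("\\", 1)[-1].lower() not in DROPPED:
                never_dropped.add(path)
    return dict(by_technique), never_dropped


if __name__ == "__main__":
    by_technique, never_dropped = summarize(EVENT_ROWS)
    for technique, payloads in sorted(by_technique.items()):
        print(technique)
        for path in sorted(payloads):
            print("   ", path, "(referenced, never seen written)" if path in never_dropped else "")
```

The cross-check matters for the Active Setup entry: themeuichk.dll is named in StubPath but does not appear in any "File created" row of this run, so either it is written later than the 149 s the sandbox observed or the entry is dead on this image. Either way the registry key is the indicator to hunt for, not the file.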

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A (identical row repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe N/A (identical row repeated 43 times)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe

"C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 82.146.51.22:80 82.146.51.22 tcp
RU 82.146.51.22:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 82.146.51.22:80 82.146.51.22 tcp

Files

memory/2196-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2196-4-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\procinfoip.ocx

MD5 97c92f4457dd94d678d4c9e4bdd8352f
SHA1 8d80f3cead2b0c5b2b80feb548131daf4d33297d
SHA256 eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3
SHA512 f07bc6be6a70ee28c5dddfcc036c6f3c17abc89f1240a688519c2d39a3012016b13689577dd62f2391153f837cbed5ed127568f14523ac0d6b33c516e0f51e75

C:\Windows\SysWOW64\poolpdbpptp.exe

MD5 d2e345b3340e1404b0027f561ed8581a
SHA1 2ac5df8424b4726f221361702c193862dc986cff
SHA256 3367db7f8c1bd6ac90e23b4017290969379725c0f46c7bc9ed248f87f67fe0f4
SHA512 37b1c3e901581f88ecee45d7e3bb5f6f1769ad3f25ddc7bf6c428012ac3b8db6f08c3eb2c7ad5cc73433779c20c34ea9358bd494e58a92c3a78ca61cb19d7623

memory/2196-12-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2196-14-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2196-21-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2196-22-0x00000000004C0000-0x00000000004C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD59A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarD737.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72ee679ba76527ca0720235ffff77c53
SHA1 254b15bdc167be23fb6021841d31dc6834cc6abb
SHA256 f316b26d4af6da4285a65ff1d2c56908a2cfb18d7fb961be2e4afea5534a5fb5
SHA512 b141cb30c016a87384af068f3dbc26400b3aba36027a31aa787345ca83b27b2508a0fcec172138cbeb98c4b0579e5c4edfeb56470a79dc473bd6f25e267ac190

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62275b8a095040767f9ef79fe6d591e8
SHA1 a8946f90dd30a3833b699a988e66ae69220def9b
SHA256 0c2649355a3788797abea529f8a4a1dd74f90cb9ea439e9b79e8c88661085078
SHA512 0fc867f56878218f029bcbba7c32b85afcb649a5b0d5b8b6d4be77410ff8a08088aebc51c4c275d478bbb5e8f1a46a314b17781a4a88dddc567bd68b740b8624

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e355651912979f2d24d8935ee11c414b
SHA1 1f6c5c53369feba7416a2b5b5552ddd5f42cfe06
SHA256 6f47c37941b25c41675894d67e8cff918dcd41bbdffa20d54b040624e590314c
SHA512 54982aec39f8775d7abf08d3c5faa4f59e809fdcf74584154aac80a8c8b9a9d1ce1660a3ad6a16313ed2f34010bd84062747c22124d5e745b31b4316aa86bf52

memory/2196-505-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fbcec192cadd6d54d5b80bef1271986
SHA1 706516093e6b143388d8499cc97c6deb506a5280
SHA256 3c94f9393cb0c9c667e720600c4d17087b55dae5db8c0d9368b0779544f79210
SHA512 22818d2516dd50e7e4f3283a85646adce6a16ff20f7f3e8f306a7318ba7edba3e88d014ff1b834ec505acae2e55e0cf2f1920227a184ffdc071c24739c94ba8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fbe1b1da3f171fd24a18443a40ef21b
SHA1 b1adb2aaff0b6ec46f80ef3f98ecfa189cf2c792
SHA256 67f892932ae368aed88e6b056213c56a97198efe3f9ef0110b3ec91b47ac8250
SHA512 2c9bc9e768e2471fe16800e1390a886711c68961ace58088aebc0200135a0e3538aa6f16345ee53f8fcdf6737079d89deb7a6ddf3a931ee3de9b5564a33421af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73ca81ffbeb9bcaadae68bbd0af78f53
SHA1 4312fb09b152955bc642696779df7e8282eca02f
SHA256 aa9317c8b863d7d36158fe1adfe309b43eec5bc7982970829f96633d57076930
SHA512 9f3342d9876e91dfa55aa54c84f50909b4ff18f25587119cf47adbb0f5e89efa2542ca60af4aef6b365b8e6259470627644f82c32b7c29581f0d27ccb1efaed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79f4f9daf13fa7634e0752b306ba9be1
SHA1 748306acdbbef52dd33eeaf2fc784195973de078
SHA256 47711196b13e92ef5113e8ab93212258d38c3e93f0be5f4f13babf1c7cc65c22
SHA512 c2a76ec212fb9d646930e00ed33582065ee6117d77f6faf84eeba0441338cb7bd17804f132a75b937daef671a40a064ce3518d329a6464b4f06075dd21ac4a2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bddc71be663b508ed423cf91f748583
SHA1 d43d18c4aa087fbe2bd7f1f227dc95118f5faa19
SHA256 8d9e6ebe205c701e91884d8d816db7f0aed0c929d82c771f8f81c1e1d53c95d7
SHA512 20fd9ed525ff022626d4245b7346eb981d14ffae1cb5134121c2381902efb09a3e56422377161dfc82fdb18f4d7a2a08e825d01bff973df5276fad10b309866a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0596c83010524a4205b80cf4080ac5d5
SHA1 ee92bc69a45e8fb03d6f807d227e8139179eb1c3
SHA256 bce268c71b407115130471d206f737d24b889eb25fe601891e851c2aa2c3b41d
SHA512 16470e42ccf76ffaea0344c759230bccec1d79b95ef7685ca8b8898e5a4eea71e0dd7c8686f8fd1e8b4cf3a391f0db8023303b53d73d400423e73f12967c00b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56a75a99ceac194b7beb5fba7f674c66
SHA1 85a6eb91c5e9ad40eab8585a5f5666e295a8d6d0
SHA256 43d93f322648a9d0c82829470dfd24eacaed3bed1105af69fa99d1c633f69957
SHA512 43665c3aa2169c64939361c43ecf41acc8d8423250bddde51fa24f29db6645064ad8e7e71fcdaea61b569b9949799a0c3a0040420acca1096d960b1301c92873

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cfc7163462c52f358d1e7388e21d996
SHA1 cda83310b6cd7ae12e21c5c50bd52bee71cb4b72
SHA256 ff369108e29a5b4ee414e0708f82aeace5be8eaf71f0f5ca0b46526479835af0
SHA512 0591c4ed4744ab13bd11453b20cde9c86d3ad6338a3817edd67f13a329636f97a8c49909ba2a8671f86b431e11a282f72c2beb3fc03efdee69f379cf79c31c9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d7da008b3302d3f4850125a7c85cc34
SHA1 0516b2aa5e1e04b7b2ae8cc4fdfc884a35925609
SHA256 a9eb55a026370e4a50ca968615aaf7f04fbe319ed8f0d6721c8fcf14bde44804
SHA512 f27baad409fafe0655e64469638079cbd2187609e380517c2dd02302adfebc4d8be23110e2f9ac1766e6afffdd97d20e408eeed9b09224a4fd09ede62e97e486

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d58090abad8c6f07f678d7476c3cc3aa
SHA1 59df2bf9560d8453bc787d9bfb2556143ddb26b3
SHA256 dec8fe403507d6dd7dcdb01965efa19be2f143fa51fd93153f2cd8e5ce6c7edf
SHA512 b0b7497e2dfa56943b047b35a2c944d8cf3a97c092bdac2636ae41879a2a6be12e34ac5d63d4d6d0e55e065a39217010fded675664a722c4785cf71fb540fd81