cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Size

5.9MB
MD5

2e059dba0c532c7a5b25c15b7d05ff1e
SHA1

c44e87fd2efcc1ffc180ef95fae719fe1e90a7f9
SHA256

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124
SHA512

508d869f972b7a384564501995f9eed62cf0df2ef88fdaa5a92e0f293ddd54938feb1f66761510e5f892f5a36a58fd42ad20472ede3f808f2fc8955989207034
SSDEEP

98304:mn4fMJBeiJ9a3N8rP4S18frP3wbzWFimaI7dloh:iPBeiJ9ad9gbzWFimaI7dl+

Score

10^/10

adware evasion persistence spyware stealer

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Executes dropped EXE 6 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2588	icsys.icn.exe
2560	explorer.exe
2688	spoolsv.exe
2568	svchost.exe
2408	spoolsv.exe

Loads dropped DLL 7 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid	process
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2588	icsys.icn.exe
2560	explorer.exe
2688	spoolsv.exe
2568	svchost.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe\u00a0 /onboot"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

940 schtasks.exe
2436 schtasks.exe
2044 schtasks.exe

pid	process
940	schtasks.exe
2436	schtasks.exe
2044	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "c:\\users\\admin\\appdata\\local\\temp"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe\u00a0"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe\u00a0"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "c:\\users\\admin\\appdata\\local\\temp"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "c:\\users\\admin\\appdata\\local\\temp"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Modifies registry class 18 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe firefox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe\u00a0"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "113"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

explorer.exesvchost.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid process

2560 explorer.exe
2568 svchost.exe
3032 cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid	process
2560	explorer.exe
2568	svchost.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe firefox.exe

description	pid	process
Token: SeRestorePrivilege	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Token: SeDebugPrivilege	1628	firefox.exe
Token: SeDebugPrivilege	1628	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid process

1628 firefox.exe
1628 firefox.exe
1628 firefox.exe
1628 firefox.exe
3032 cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid process

1628 firefox.exe
1628 firefox.exe
1628 firefox.exe
3032 cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid	process
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid	process
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

pid	process
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2588	icsys.icn.exe
2588	icsys.icn.exe
2560	explorer.exe
2560	explorer.exe
2688	spoolsv.exe
2688	spoolsv.exe
2568	svchost.exe
2568	svchost.exe
2408	spoolsv.exe
2408	spoolsv.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.execd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe firefox.exefirefox.exe

description	pid	process	target process
PID 2156 wrote to memory of 3032	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
PID 2156 wrote to memory of 3032	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
PID 2156 wrote to memory of 3032	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
PID 2156 wrote to memory of 3032	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
PID 2156 wrote to memory of 2588	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	icsys.icn.exe
PID 2156 wrote to memory of 2588	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	icsys.icn.exe
PID 2156 wrote to memory of 2588	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	icsys.icn.exe
PID 2156 wrote to memory of 2588	2156	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	icsys.icn.exe
PID 2588 wrote to memory of 2560	2588	icsys.icn.exe	explorer.exe
PID 2588 wrote to memory of 2560	2588	icsys.icn.exe	explorer.exe
PID 2588 wrote to memory of 2560	2588	icsys.icn.exe	explorer.exe
PID 2588 wrote to memory of 2560	2588	icsys.icn.exe	explorer.exe
PID 2560 wrote to memory of 2688	2560	explorer.exe	spoolsv.exe
PID 2560 wrote to memory of 2688	2560	explorer.exe	spoolsv.exe
PID 2560 wrote to memory of 2688	2560	explorer.exe	spoolsv.exe
PID 2560 wrote to memory of 2688	2560	explorer.exe	spoolsv.exe
PID 2688 wrote to memory of 2568	2688	spoolsv.exe	svchost.exe
PID 2688 wrote to memory of 2568	2688	spoolsv.exe	svchost.exe
PID 2688 wrote to memory of 2568	2688	spoolsv.exe	svchost.exe
PID 2688 wrote to memory of 2568	2688	spoolsv.exe	svchost.exe
PID 2568 wrote to memory of 2408	2568	svchost.exe	spoolsv.exe
PID 2568 wrote to memory of 2408	2568	svchost.exe	spoolsv.exe
PID 2568 wrote to memory of 2408	2568	svchost.exe	spoolsv.exe
PID 2568 wrote to memory of 2408	2568	svchost.exe	spoolsv.exe
PID 2560 wrote to memory of 2864	2560	explorer.exe	Explorer.exe
PID 2560 wrote to memory of 2864	2560	explorer.exe	Explorer.exe
PID 2560 wrote to memory of 2864	2560	explorer.exe	Explorer.exe
PID 2560 wrote to memory of 2864	2560	explorer.exe	Explorer.exe
PID 2568 wrote to memory of 2044	2568	svchost.exe	schtasks.exe
PID 2568 wrote to memory of 2044	2568	svchost.exe	schtasks.exe
PID 2568 wrote to memory of 2044	2568	svchost.exe	schtasks.exe
PID 2568 wrote to memory of 2044	2568	svchost.exe	schtasks.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 1520	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	regsvr32.exe
PID 3032 wrote to memory of 2356	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	firefox.exe
PID 3032 wrote to memory of 2356	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	firefox.exe
PID 3032 wrote to memory of 2356	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	firefox.exe
PID 3032 wrote to memory of 2356	3032	cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 2356 wrote to memory of 1628	2356	firefox.exe	firefox.exe
PID 1628 wrote to memory of 1168	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 1168	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 1168	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 2056	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 2056	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 2056	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 2056	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 2056	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 2056	1628	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
"C:\Users\Admin\AppData\Local\Temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

\??\c:\users\admin\appdata\local\temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
c:\users\admin\appdata\local\temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
3⤵
PID:1520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
3⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
4⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.0.128420502\570364049" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1188 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02b111d-f391-415d-a7e1-7c3bcec6aded} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1284 114d9d58 gpu
5⤵
PID:1168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.1.370748496\1622797372" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {516e47d7-c86d-450b-a09f-a5c93fcde739} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1500 11403258 socket
5⤵
PID:2056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.2.197205309\1438928532" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {113b18cf-e878-4e8e-9028-cfedbbb37477} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2060 1145c658 tab
5⤵
PID:2372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.3.1110826482\1229535708" -childID 2 -isForBrowser -prefsHandle 2632 -prefMapHandle 2628 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e942d30-83a9-4966-8b68-17cfcbb33872} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2644 1cdf3a58 tab
5⤵
PID:1072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.4.139603974\931468175" -childID 3 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {896f19bc-a1cf-4f4d-ace0-9479052e2426} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3680 1af29d58 tab
5⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.5.123485478\1122229478" -childID 4 -isForBrowser -prefsHandle 3792 -prefMapHandle 3796 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73b9939b-1da1-4bc9-b8e2-7ecd7fcd48b5} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3780 1e87b258 tab
5⤵
PID:1924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.6.2036017504\1017423218" -childID 5 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc707c4a-047f-4abd-b55d-4710f80c20ff} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3944 1e87c158 tab
5⤵
PID:2632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.7.906864783\300385766" -childID 6 -isForBrowser -prefsHandle 2572 -prefMapHandle 2720 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e900c18b-e86b-43e4-8a97-e84e274a9609} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2092 20da0058 tab
5⤵
PID:2528

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
3⤵
PID:1740

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
3⤵
PID:1004

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
3⤵
PID:1668

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
3⤵
PID:1952

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:04 /f
6⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:05 /f
6⤵
- Creates scheduled task(s)
PID:940

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:06 /f
6⤵
- Creates scheduled task(s)
PID:2436

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
1ae598f71cc21d40c8003c61c8c7e347

SHA1
fb5d15227d96cc2e838590d954df31bdef30c461

SHA256
321bc0b05fbaa55732aa811002a974d80865491a351123336692bad6cc9c85a5

SHA512
b6bfef9ff6f6f8ed0e5e37ef1b7157eafe099f129ff9db3d4ecfe44eec92f4c51cb0ac97a731288a4ff8007924a22d3be2230b081af3f1ea3202c56ad6e941f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\datareporting\glean\pending_pings\04ae9fcc-4f24-4f1e-bd06-1afb0ea79d2e
Filesize
745B

MD5
ed1871f839246692b2248fbf7ca7270e

SHA1
2c3e5114421d717373f335c769bc1315332a5275

SHA256
9a2d84c0c3f8ec0a99f1f413a26023aa0d4ad8c860e9ff504c872644a9813454

SHA512
a132235a3f3037eddb3d5d1b990a283b5fdc69d352bd24f4adce9c9cfcf45b59e1bffc5f877c7c46e0b4d1a5a122eb0c54c6ae4ffc0633f4b82e923ab67d7164

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\datareporting\glean\pending_pings\a169ee17-46ae-4b03-82d3-5450efcc661a
Filesize
12KB

MD5
3e9ca7060133335df7faa26ffcdd1986

SHA1
7b5961969882db74f879159cbb6c6f7073685677

SHA256
3e30bf0b26b0807eb871fe19e26eb731b65c8f8af795f2b5624ac0f02e51098a

SHA512
1c9c104f005a06c3f17b8a3bef1800b85f989264cf2f4f0038dadf3d399ce6296530c2e53d992bf761778d165724f870e53021e6bddd9642a6690888d397863b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs-1.js
Filesize
6KB

MD5
2f1efc8c8854b920f88bfddb7896c5c2

SHA1
5edba5424d384b202400f72afe258c0c6350ae3c

SHA256
a72bd80834540d8bb4afaebd8d8a467c55223f819deea051bae1e8e90d472f1c

SHA512
cf9552fcbce8edc8e499c885e9cb6391bd1376e6d47cb6073cf4637335ede1a0929dec0fed2abe5bb3634f5e4c200068d6a43fae866ee0556f52bff886ab636c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs-1.js
Filesize
7KB

MD5
27eee82945aeb8fe4fe737c0f1cfd08a

SHA1
2d25b7a92d7dd78f4dead0aec85fbcbfe8cd9c2d

SHA256
d3e2a2333e1ebcc66e60544c7f6c200238884fac0de6d50e4a0c0a37094f561c

SHA512
f64117619a52b81ac9837d4c24e009a98e1f9fa3df6e03add743843e591b6e64c479fab425b9b606eb1621d9c9913ddaff05d619d41cc9cef617f216cc259222

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
65371f728ff56dddf53b63e6d0964eef

SHA1
fe3f3a1ba840660a88c2676390741d761f2ad582

SHA256
f7b1e5347c1b951463451fc075c3209eb97b348fd92cf086a9f9f319f1b3a465

SHA512
3d8774fc587d559142ad35233bad7a7461f8cb19b2de1ae93d7275205e5cea9728562ec930ad446a42fc39c075be1f8c49600c6befdbd07fd61f269a8deef96c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
db5fd0a2c80c7e220753d44d5169a8c3

SHA1
01439820695078e46fdd3a6d54c142b9fc7fc08d

SHA256
36337130e0c979ba6ba1ce2b46fb4286bd746b42c74ec607fd95687883718e2a

SHA512
575ba7dbf007fc8d036e5d55e48f474b4a0172e27a30824e6c5cc91adff1e0fa577c4dddb93e27d6d27780974001b923b98b2299a22c715e9be74d6ad7886d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
d950025355e38f205533d2b98522b41e

SHA1
97dd6d03edaba4322a86ba5e7eb5228c18b2029d

SHA256
a15cdf2fa5315c10eaf35daf9665479685d71ce8e3ef37e466fd98cabf81e863

SHA512
bbc0d5d7d31431538d8ffd4222c3a792d13f38d1ecc22f473d68e59d5fc8b342157a324412e09ae09cfc6a6dbfe711efe844e7dcc49fdb097797d032da705530

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
6b27bbb90e34ba1c8699125cdde8f5b2

SHA1
87aac4c22b028146e5627c7969db2318ca143a86

SHA256
f01418aac5831e0864c96363ae631aa8db5e08e80084b866b5a59e6fd9bce590

SHA512
c42a3eb288c568f58c748bb264957922809f0d3c8aca604e8a5fb2a927f920917cedeafcae4b7b19b391018711606503dd691e6c45013512849b55a51669700c

Download Submit
\Users\Admin\AppData\Local\Temp\cd7c18a8df57946a2e161a8b9f2e45d8d1a98377298dd4cc678e0faba8357124.exe
Filesize
5.7MB

MD5
0c889b8415364665b7bc6e5fc62725af

SHA1
a93e0c73c53b5f80d9d62b403999794479fab716

SHA256
1e273066687517e46447b352dd2f6c836e7c8109ef7053d286c0dd3432eb8cca

SHA512
922a89714e7cd86e05c62579344cda82cdd531556ab5255ff41a85a58c9cbfe294f9dbb00d4a9cfd94420993587920eb04ef850951cb961612980e049e40f618

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
a62fc56abb4fd9bf87c0ec9c26907294

SHA1
c8ff2b48983208d96c996ddd8eea972e4d3329fe

SHA256
b8298629e3c2de9493dcc939f45c31e8e5a254bfd8a987c12efb5e05541046c7

SHA512
e211161a423605c7f129c075ba9c4a9476e01e18d26708663281a9566ff7b73516e7a8028bf15c5b377e7865860d0497607cf478998e6af14405af87cd963b10

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
b7940ef0d7c252610e444c1e395f300b

SHA1
fde606a56a96b93adc156065aa5e908d0dcb70f5

SHA256
e0ae1be0d38a6da37ffe7737d9bf1589d355b96aa9780cdb70e3e675884ae7dc

SHA512
dc536a7148068d5b74c376f78c1bc9e208bc01da46734172c1e6b84136660033ff4f90e40142b63442c901f2156520afaef4f31ed55f3e482b8a0353d85c21ca

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
7ff79a7d3726c66b75a345d06070416f

SHA1
80823df30f49f841aa9a1262ca794c7711f73d10

SHA256
e44dbfdc5bca8e8096693f6360b16e0ed56e9278dfa216052fa636493ddf94fa

SHA512
dcace87109e10c0678552d67d0437fbd864a8da42dbf6c4e25655486989dc8c8cade618d7aaebe8b1face675982ff1bbbc41d62ad883e001cf4cf497fd3fba45

Download Submit
memory/2156-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2156-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2408-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2568-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2568-328-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2568-329-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2588-24-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2588-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download