abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4

Analysis

max time kernel
75s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe
Size

49KB
MD5

07a6aad67cce406bb8a748f1e6679545
SHA1

43b534b6682d33065af519ffb032817df61f4533
SHA256

abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4
SHA512

93a022917307c1dffc7c24b5d555b4de9b72c87fd37cd3e1694548fd4b6dad35e94679d2906e9fc0da9849d36cde51f368de3dbeb401e46f0847633bd1a12548
SSDEEP

768:/yFOenVa7xqRJCrphRZ9H++++bIXtCEC1orLzalu4P:/yFOeVaMJ6RZ9xzGzaluc

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000012264-2.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2236	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crtfmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe"	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2318C2B1-4965-11d4-9B18-009027A5CD4F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ = "Google Toolbar Helper"	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x000c000000012264-2.dat	upx
behavioral1/memory/2236-4-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/2904-5-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\googletoolbar1.dll	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437280611"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FBE96FD1-9E40-11EF-87C7-F2088C279AF6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google.1\CLSID\ = "{2318C2B1-4965-11d4-9B18-009027A5CD4F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google\CurVer\ = "Googletoolbar.Google.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\googletoolbar1.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google.1\ = "&Google"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\ = "googletoolbar 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\TypeLib\ = "{ED894DB9-2DC6-4CA5-8FDF-86763C582564}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ = "&Google"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\googletoolbar1.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\TypeLib\ = "{ED894DB9-2DC6-4CA5-8FDF-86763C582564}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\ = "IGoogle"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google\ = "&Google"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google\CLSID\ = "{2318C2B1-4965-11d4-9B18-009027A5CD4F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ProgID\ = "Googletoolbar.Google.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Google"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\ = "IGoogle"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\TypeLib\ = "{ED894DB9-2DC6-4CA5-8FDF-86763C582564}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\VersionIndependentProgID\ = "Googletoolbar.Google"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED894DB9-2DC6-4CA5-8FDF-86763C582564}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA4DEAB2-9BAE-41DE-83EA-0916180F8AE4}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3008	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2236	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	29
PID 2904 wrote to memory of 2992	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	30
PID 2904 wrote to memory of 2992	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	30
PID 2904 wrote to memory of 2992	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	30
PID 2904 wrote to memory of 2992	2904	abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe	30
PID 2992 wrote to memory of 3008	2992	iexplore.exe	31
PID 2992 wrote to memory of 3008	2992	iexplore.exe	31
PID 2992 wrote to memory of 3008	2992	iexplore.exe	31
PID 2992 wrote to memory of 3008	2992	iexplore.exe	31
PID 3008 wrote to memory of 2072	3008	IEXPLORE.EXE	32
PID 3008 wrote to memory of 2072	3008	IEXPLORE.EXE	32
PID 3008 wrote to memory of 2072	3008	IEXPLORE.EXE	32
PID 3008 wrote to memory of 2072	3008	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe
"C:\Users\Admin\AppData\Local\Temp\abb1ab449ee5efa6ee8d4099eda298311af185791e65dea4eebac6277cba31f4.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /c "C:\Program Files (x86)\Google\googletoolbar1.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2236
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\googletoolbar1.dll

Filesize
19KB

MD5
17ceaeee355375b368bbca5b312bb854

SHA1
9d72546aaacf5d46ae123cda2fdf100b6e7291ad

SHA256
9c7578402e9802b81339df0da6fc1f05c9da047f2f2462672f1bb89230fa01bf

SHA512
9f7bd6295e49228142f0b5f3eb31eea173bbd72a5b4413e2132ae68c39593e2765d2f54b8f3b911608b84e3e66d7a7126c29abb961c1ab0618f9f35ed45f256c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e0a28ce89d06acdfe1eb1b905bc18fe

SHA1
76fe96da27de6cc44fe92a7a6ae0e15a521c62ed

SHA256
fb0d72217c72db585be7f19f5e919d6abc34e95c32940ca244406bcf4c6acd79

SHA512
0e7ed7124409f9d4e8740a26519f00acbcfd881f6b5102020aa54f7483688e6218b05de4a53fc8f01c2ce566abae02abdfc4d35e505a074462c2323642541f26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59ebf7b5e8b2901bf98222fbf755b579

SHA1
e584e0ca34ae0da228ebf80ff813780dc787530d

SHA256
91b3ac5a694b18c063d014e988020b55a755b81df9fd13e8ed81a2838c356409

SHA512
a625ff210cfaaeb0f89be020e95c06bde8269f66c24e323d42aa01e970acb586676d89a0b9a2772bc608c3e34586a0ec66a7f63eceecf4eeb2b539ebea225949

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed45fe9a8d542af4adcf674e930d35a9

SHA1
e692d34c3877ed6a5c215d0ac3fcde9e412a0693

SHA256
edde28e0b04a15a55cdd208fcaa9f0ef9b4cbf65b1caa476b2ccfd790e589201

SHA512
0e99af0a27a1e127997da63a5aed46a91a9775f108d496ad41696f6509679358997b8c862f9ebaf224636e9bed24a3451ff8670d3bdaaca214f590670dcd449d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7737555faf042e04608676bf11c2425f

SHA1
721529c50dace3a6f0dc0c8eb6842446acd32a5b

SHA256
e8d6479f0a27bcc436ca48916c683508ff9f95129f92630c62387096286405a1

SHA512
b0935ba8adc26b71b870f34e459cd86a4b4e64d12eacb3fd46872a6adfa116bd40eb567df4a06bec318d403655c000939b5931f4dd7ee20cd513ee467fce7a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d654cfa22a897ec853329cfbbea20c97

SHA1
7e90006527acd8a1f897aed2deb7e7f7f0465ac3

SHA256
7574211cb289d5ccb5baaa73f38f8c30df11bc56c0e89452fac5622440aed3cb

SHA512
1e51f15323ccf46a6299f38ef13e6f1ec5f4426b827b8e8bb3d9c234c004bd30949c5e93b21aee653aac613ab5a0f0f8b82c7eee5e9dfb229f38876026cf7c78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4434f571034a54e8fe2af880ca5e11a

SHA1
623925958dc0aaa125644954a05d2d3d3162463d

SHA256
5892feca8f0054475bf145485d56f2915aa712d271d5ac4fea25ae1e1bb5f1b7

SHA512
f5f0a8e636dc32652c84de1ecbad9f897ab998c509659da2adec7f8327c56e312ecbf62247e000d92bb763c8d94519132997fe641e1c9833c5a9576e05842feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
928a78ce5d1f9670ea9091a5cc904b48

SHA1
f430e8025e6a433e290a8618e07ebcd79b29da5e

SHA256
ac3645291c889f3d406eaf52d5f0d5bf21ff99d72b37c2a8b5252899547816cd

SHA512
23b2c54125f21753692a97ff8ae96a48775d293e9313b231125845da3b2ffa486e44962436af101307a3dcdd670808787f8bf27050233ba2a155c1826903a9b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e284edbb4b207653c185d8ac5a58b04

SHA1
59f3d28a31e9138640343ca7067fa438b37e980e

SHA256
ce55e37e6d5e8ce019024751c14aae70fb81a55680aac94b613b54927251c3c7

SHA512
b4c55dfc40afa433b7b16e2bfe19418046162b61973488c89c283a735277593f0211def510fe89b254f3d69608a11bc2ecfd011476bbed1805d02c13604a75fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d342ff37302a598c74c88aa7b856dbc3

SHA1
db9473c4ebcf91ceb88db47a688c89a41631b3ff

SHA256
d9350d4c2d9e492bd5c96d301a19b25ab0af2db51a1cace4f6241626ccf2ddc1

SHA512
9d3147997f619469938b45211875834d49d749b4db7dd95f13782182a6e87c447d556fd4958315b0437465eaab013725144ec55671b3ec6e0342c62f2a7af56e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62a3c58aeb4399c54d39750d2a20d242

SHA1
be486462b1a745d43e92f754f9953ef5a1c095ea

SHA256
0d1367d4e603f118c432f25fcd4cd8ab4b1987a7bf2278ba613a69add45964d6

SHA512
33027e42a02e9f2833ee17f68605bb55cd5548f2bcb2630d9b6381a597a96280ded9329bd567f71c14e9e2901364e30f90ea9b1e923e7d1bfa2340c682773534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f9487404668c9e0d2895481fcda2c02

SHA1
21b98813a2e283724eae13c80e057002c5ffce06

SHA256
9ee9b1b5685ceebebec8ab18b161d140e0268e8b1ffa494ab196a61e97e05232

SHA512
2cba3722e12cd583eb5b776f043eccc366916690b7778f9d4db0824a24777ef6c819ebeabebadeda0bab1aa03f603d6ef769d60aff669b96a338a658b9f5582a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13d40b329031f3281d666d3fd8eb18c7

SHA1
231914dc632cd9927db9b88519d8e783ebad6835

SHA256
70fa4e45ebb357243cec9b1e240c59180791eb60e7d96a027585e6b25b340536

SHA512
297591bc2bf61a3d782df5f23a93789dbb7c054a00e7c8bf7ecb29e1b5b4c7523173931e9309f4a06f2cfb2a7aa6f81516d10f391aa89497acfdce819596650a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0653449643e94e65ea18440dc2d7a34

SHA1
2aff6c6bdf6197686908c4ee5e2da8d50a928682

SHA256
ebbe1f8158438cc198df55d1fb0c794fa9ee352e897303f5ac487aba911a8766

SHA512
ca4d3fda4331da4487247fd7002ec213f7f01e4fdffbf7270266638d633f68196f83a1eb929abb1b05aeb5664940bc4937047a876b248648dd420c8cab191d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7468045cd195edf501dd8f166e9507dc

SHA1
451d849641fa9b86a33a3f464908671f1b4da5b1

SHA256
8c58872cd5c47de758f2e24b2d7b7a073a31bef258caa7a84355b873e1057153

SHA512
24498be1115e8a769bba8dc5ee5c91fb1d48fdfcc4306dcd3b640f1c3cd5db5f6a226ee72b2c57c17f4abf59f2e5984883ce4390780778704cb7ddac41f397ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dbc26d4ecc13731968d6208059e7722

SHA1
415ed3fcd2b7a03753ef1601d6aed6a8e09348ff

SHA256
ac6190b1254f68922d81f1fd3192ae1ba730e1902844146e11854002fe1ee684

SHA512
bafdf263c785f355d61161cf6d0be40d7084ad1ca9480ca7afd9e70123dfcbe6995b4802d5eb2119b8f9e29ba0142f269919058fb247978b27389f2c580c2ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a76ed3fdd4301fcdad69f897341ce14c

SHA1
781a42101bd43d658f541d2b7a8a4215a143240a

SHA256
3640c50c0e93e6f37993b43dea3e0318d4a676b3bf85c91a882b6596a72ea438

SHA512
1d43a324713cd453f561b2d448f0f88dd46c2e8664be1ced58158839e2c43ac2a95fb674983794d7d9acdf826f981b1a5b8dd9d6afdf43ab1f7b2d55cf382b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ec6435ece9916f6a93f7e67f44a961

SHA1
407d687cf51061620b7de117c9f93837046b16b6

SHA256
018de28a15e0c19d86b9929e1db241ff1978540355aeeddcc7dffb96436221cb

SHA512
9d2bd6e416651a8a61da1735df06498b322d2e148b8e9442442b9ebc403139d5746e51f4b813611d187601ea5023db73b8933b21edd202110b33f278de6129e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8693a707986e512a53263c3c904ec2b

SHA1
8e54740dabd9de38d56ab52a7637d6bbf7e236cc

SHA256
0a53e754752eb6d8123a66dcaed13afb587bf8519a23fe74f5346e164dbb171b

SHA512
5d4c5237d86904513b12a7b0ce3f3670a6a3eff9a5bb5dc11543d17a5859575b141c8dec4a41d324eb67e02e952d251dfb99e7b75fc907cf2b3ee992b3d9d0bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f95a36d6e0bec3b5166698c03af26f62

SHA1
1dbb4a414446bb9fa87632ceb4f580a3261b3c8c

SHA256
d47c157f58115475fc63152692bfbeb921b57b733196e3d302512f43d46c2e49

SHA512
2f3f8c5f31b3c06bd12e7668017e843525477089f94a56f22e564da024526a247de47827508231e6d97b26c65b02db67b9e4c59cc0200a91a030b1939d35b277

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E33.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AA6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2236-4-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2904-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2904-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads