09c91862d6e40c74f6edc233440b5f691d498ede6fb00bb43d309ca24e4e67b9

Analysis

max time kernel
1199s
max time network
843s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d6f22d02443afd6d6880ead6648ebc.exe
Size

533KB
MD5

06d6f22d02443afd6d6880ead6648ebc
SHA1

29ef56aa5cb2cce284c91ab9ba8846b47b704028
SHA256

d3c3ea95931fb3556b515ef829bec48e8e387dd94b39a697b736b59f75097ef2
SHA512

27cf6e0d4c7d968f7240338847bf89a2d5de917e73adb0f862c1db5f96b4db41457308ce6c6091c67ab971c164c120a9475174d2e839fca1cd06cd35a8312e07
SSDEEP

12288:djkSKd9PiZSkv8mnthG6Voysfsa+T+R0s+R0zBzsd0Da0G5cXgK6F+eeS:iVmSyjesh+R0s+R0zBzsd7J5cXg5e

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exeIEXPLORE.EXE06d6f22d02443afd6d6880ead6648ebc.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d6f22d02443afd6d6880ead6648ebc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1560 taskkill.exe

pid	process
1560	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000003cbf541da835a69ace23ffd9b1870da866043805d762faa86932fca5fd8c8ac8000000000e800000000200002000000063da234bd8f5d108fcba813cbb6f9a3652d598c87d875e24244fe6e1547b9e6a90000000468f605e313a7305038c28f727789c215e767579e1cb83966ab0912df4840e6dfa0cffc89db8b4b5993e405f956cd92a67c167a196d1b1376033d24101b69a45f3e45b2b31389d2ae9104bdd1411b11fc57881190b899ea01da7046b1dd7a37c925b414ac9599617d03f1ac7e12b3f0d5a4aa77e24b57da868eb2235d31cbb0ca228d536f024ca0524ab39755f64a6ab4000000035ee285ce9b6e9bc9411784efdb1df582331c6d92d004ed9354284432fd2432a873988778e694a1168798ceffe2bf9d0e55a2af7badbb744b3dc90412d163157	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000001ccc1571f757be248d4d4831f7d419c3a25686807379be14042dabc3d8c05b61000000000e80000000020000200000003a6e417f2127dbb41c891e87136df30d3e43220e78b2372bc13a7104ded22d8620000000aab4bfef7d392d7c196a73eb7a6beb7239e45edfc6023b5b9fb4932f65a5957840000000a099f52b416aed37bebe66d13451b890ab4ff5670b468bad6fe5d195898b110ccb4b1f2392012de28627b1065f7974ddfc4e0afc71b8ea3e8ba0ba7df73b8d9a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437601632"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ca6b423935db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B256321-A12C-11EF-9FA9-EA7747D117E6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06d6f22d02443afd6d6880ead6648ebc.exe

pid	process
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2256	06d6f22d02443afd6d6880ead6648ebc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

06d6f22d02443afd6d6880ead6648ebc.exetaskkill.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2256	06d6f22d02443afd6d6880ead6648ebc.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

06d6f22d02443afd6d6880ead6648ebc.exeexplorer.exeiexplore.exe

pid	process
2256	06d6f22d02443afd6d6880ead6648ebc.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
1984	iexplore.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

explorer.exe

pid	process
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1984 iexplore.exe
1984 iexplore.exe
2040 IEXPLORE.EXE
2040 IEXPLORE.EXE
2040 IEXPLORE.EXE
2040 IEXPLORE.EXE

pid	process
1984	iexplore.exe
1984	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

06d6f22d02443afd6d6880ead6648ebc.execmd.exeiexplore.exe

description	pid	process	target process
PID 2256 wrote to memory of 2348	2256	06d6f22d02443afd6d6880ead6648ebc.exe	cmd.exe
PID 2256 wrote to memory of 2348	2256	06d6f22d02443afd6d6880ead6648ebc.exe	cmd.exe
PID 2256 wrote to memory of 2348	2256	06d6f22d02443afd6d6880ead6648ebc.exe	cmd.exe
PID 2256 wrote to memory of 2348	2256	06d6f22d02443afd6d6880ead6648ebc.exe	cmd.exe
PID 2348 wrote to memory of 1560	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 1560	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 1560	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 1560	2348	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 1984	2256	06d6f22d02443afd6d6880ead6648ebc.exe	iexplore.exe
PID 2256 wrote to memory of 1984	2256	06d6f22d02443afd6d6880ead6648ebc.exe	iexplore.exe
PID 2256 wrote to memory of 1984	2256	06d6f22d02443afd6d6880ead6648ebc.exe	iexplore.exe
PID 2256 wrote to memory of 1984	2256	06d6f22d02443afd6d6880ead6648ebc.exe	iexplore.exe
PID 1984 wrote to memory of 2040	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2040	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2040	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 2040	1984	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06d6f22d02443afd6d6880ead6648ebc.exe
"C:\Users\Admin\AppData\Local\Temp\06d6f22d02443afd6d6880ead6648ebc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.microsoft.com/en-in/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
117da4e437419868db869412ff718765

SHA1
e1a1e20bc7295eeeb35205345e6ad80c3543f4ae

SHA256
659489de67da3079bcf590e3d94aa63798126f51902d70f4dc7c9a56a8a60ae3

SHA512
ce0a280abeb3ae2822d9357f3eace5e65128429ddfafa5bc86fce4f5ad53055f7c743abd82b8f10c075c353a15dd08cfec546f7790e9b6f42136d012dcfaf285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
102f474c5c7df5426aa10cab3281e509

SHA1
8ae2673808beb0497078954b4038e3ae4b2300c1

SHA256
e3b1112cd52eb3c66feab8debf93d40f841640bcc69f087743ea6747b0be8258

SHA512
d7fd671cd61370cb789b9707d6c7e4c1a3ca6aed2b54043f0cfe9318340f6574e765f8a168f795d024934127fbe1d040a8ba20c8e4f742d766eba15e58eeef98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39e577f24825b2214b565f891a7bf3bd

SHA1
7f51ec342d641714dca72f56be067aac1c01a3b0

SHA256
98f7104f33da92f16b9b830c17ebf65be27c409d8cd66d09c929b47297f3f4dc

SHA512
c4d0baa1e1a22e229a4ba2f6f0ed15d6d0ed0104a7d2372ea06409d947dc3ecff41f5aab91f87bade6b21703295f6ca08365bfa9c7e507edb2430d72404a013e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd5ea9803fa45407aac411547e08af8d

SHA1
47bd6d86351c986ffcf0a83b894591cdb84720af

SHA256
bcbd7b3ceb7de8aeedbd81feb33f8afa4db323f00ab28e4048cb19ec99e6bbad

SHA512
6808a83c8506adcb29ad635ed886f00aa588ced079124dc8ef10228cb148d8ee75dd6547127d331a64cd9d0bd067bd67c3dbb74835a09560a39dd37197c5f01a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2a45ecec151c4842b960c58dd06516b

SHA1
70db2ac0371cf5262a59a4f7f16f2b6aba67c790

SHA256
cefe6c410938b4ae65dd5da6f65d44ddf14b733b07438e9d1bb8f1654150eb85

SHA512
e0d4283c363a47f06f5d7f961cf51eac4ce988e9fded4da990f3d4a038c22294b5cfd8e0e9b0164c70d43ecdf1e4052a3bf86e1db2644178623fd2c14ad5062e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a03f775e92e11c6344ddf17157fa624f

SHA1
ce271baa7f1bec76b9e94565202b95ef8edbe155

SHA256
d80b7bf4b33e03594473709a64a48e9a8c884f06d9eacf9048d517200ade8a68

SHA512
73285d359e981a91cf6d76c4e30d1cb008de4287d45a06060de89da0c72c78970202864fe55aa844f5af37d6aacd4ba99c6af33cbe839b55797242c7cfbf07d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2003ad59a68ec699ca024c57dfc51782

SHA1
14d3dce8b4a9ba3c2cfaf0552f016407f718dcc5

SHA256
703aa3214613145dfe559ea97da01724b331bb08e17258e8b72ead7ceadf0f58

SHA512
edf7fe8fef408941835e6b2b5714b4b473d509fd04b8e5fcc64dc8bd7c16c9bd7e4576720380fb0e41f8e0ed5523a2ba48a12083af48430dcdedb3c5dc689005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db4d7cb4fbb08ceffd555f5bdd5f7e11

SHA1
c7e1e1e097f68b39b781ebccd4b6ca4fc3ab2315

SHA256
75fb9f60e958b089b16175b622e229d040dc302e31f05f3e85550efee33e4277

SHA512
8965623477c4c22c3a6d18094d9f1e3443b70c219ffa650dd54f79425d038cd1a20ba87cde5d146ba7396475b5650cfeceaa1286ab2a4e18144d00685af5dae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687f7b2ab5aa8680af79e16b92397338

SHA1
c0a5aaee3f7235be2db98639afeb97e05748bc9e

SHA256
b355ce65d585ae8815ebae700fe359c4e12bf80c379e2b960b4a700656529477

SHA512
0d2237c77ae09a63626b6f74608c61f5b6d38dd924abc611416991912b621941fcea3737e194bbd2f8074cd68395f1f57e04229eb537a98b83875f7d9f46ec28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05562b46008eb069290bea590aec379c

SHA1
dc93b04d16217db8ef5989377bbc7bf9a17651aa

SHA256
124a7f43c4dc85a0eede3c66b35089a54c9b710955ec72ff0bb2ec52afcf648d

SHA512
708f8fa6ed3be52a99bbdcb51673da701f24eaac5d841e888ac9d9533c0e730263547c089e8504ea4a9e97126a6bf2f06f6c2f35970177e66bec28f1fa945d14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
700cd3092ed0a49ce0e1a303f556874a

SHA1
f5efaa88457a8e77489c4cf016ea481c215b5914

SHA256
3ce607ff871aabe13d6121dbe2842077138d8256fcc0fb28618b60d25a5c88cb

SHA512
3b50871c1ac7859637c022d879cc56acdf36d5289905b636adadc0b104311026041f5adf427d3c6598a732c51106beae3eb6590f422c2b39752de8917e66b90c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
277843240af6df6acbfaabe42ce0fa92

SHA1
daec4cfa3c410685ffc8401804184804f66d5e89

SHA256
5ac4c65b86b3475984e4ac8f66def4a0bd745bbd7e33a541f5727de4ec3232ab

SHA512
9ee6c31214d4685c5c8e68450422fdde0f059a660834c9d3c7cc8d3db33bd4f403c1ea067dad8c19887b9a226d693bd5187c255533a282af6c188a23b7e47b42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1405232ee8a7c957e8a4179c4cb9a975

SHA1
14e13d4ee7cdc370343dc55f1ecc20b4b069642a

SHA256
9bcdc07b3eb0ae4cd277af38503ba9e2b840e51f11691ef211e6cab689d44cb9

SHA512
5b1f0860145cd2d10fa40e1151fb9758378d0722ad2cb985c0e57b7d3cc108f758b2fcb22cd461d10f11bba55096a8d469c7b645772d0ae71e18fca05ddbb5e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12636bd63a8327d11a86519e541ef089

SHA1
173fe96fc0d561fe0dbbb1dde560bcb8d142b5f4

SHA256
5fdcf71951a3ae0e516169ca9621494b7ef5719a5ce4b30e53e8a5e0a5650df0

SHA512
4399ad8c866eb4e76d473b6b47e9314557a061652bbbdf97efd03d705d46589b88a280a695719daa76e00d47371aa2acfcbc5436f720928010a53db3e6f642c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39406b4fdc98db2de0417f7c3e305ba6

SHA1
e143403ad4dd16920630d2ac33e8c912d53b1657

SHA256
e1effdd2a5c9e737a85e3c0d8f47fe0d74259fe35933cf708b732b59b021d098

SHA512
3f834b92d6e226610fe0e0d8f8e50ba7b178c4f2e66deae1c5a0ae13d0d9e70edb9606fc72e3300ee335ae2348fc3cac471a3c4983db39029c1eed9277e95a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fd64b42fbcf0534bf2a09e53713776e

SHA1
f9e8af96a507aacbcbefcd4ffc14714ce1e7245f

SHA256
1b1bea38bb64cb1940e245e03ad66bac96525b72665b2e16c7649165aa57cd04

SHA512
27689ddb58f6c08580c7e7188004d377fd61038e29036fcf60a7abf5e3650d358abae8105550f9cec70304450a5c49eb50ce086070cd791192400ea30eaae031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3975fdf053f7ced9d244210e2be5f338

SHA1
a9d91a3c36b6f98827113ede3b28d70271dad365

SHA256
aad14e6e33fb6a601d4f8f5cd1d24800ea30ab583b9b29326c6db32950b8cfe9

SHA512
4ae38db7c8cdf2e6342e0c4498dbfd045b173c65df996a66e03da1189bbce3ff4042039f76f7287bcc678d63bd1213058b53410cf2616d2d7ba628588fbc37cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2b34ef63eb714d0927cd61e378906ac

SHA1
df5b08bb15823e476d05e13475b13a539d7528c9

SHA256
d95b8c667b6d2e8498e91407e09023286d5caf316d4e211eb32493f911f67c38

SHA512
674558578b2157e6ca720f99b8307bdde745c16df545871e2e021424578c74931412a51497592b7393cd80cb6982e2e983c08d5ede34211d9924979370a64618

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335da2b0c2f38830388b35aeb87b91f3

SHA1
15d0e0dba8a68722f6c0ca3956745ef69d99809e

SHA256
74c44ee6810f7c7a708d3885ba79bb75eb80aaccc40c31dff52aed736c4fb1fc

SHA512
28a88179121e231b28baaed42bd5523424b89601ec4ea7bad9655daf6560d800c820c888d9219dec3da2d0b80994a69d10c86a6672a893f97a4a2e403c3a32bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
906c579e19db44cc465861f5f63fca08

SHA1
23f6041c98d7cd5b3049be61efa45855bc798e15

SHA256
c2c51746cf62210cd9106ea6df3138603fb61972141cc60a68875b80c9eda32b

SHA512
ac9b3bff037f5f66c74488610bc0ab9f461243ac1b90c86b0932c9c646096e256eb6a864f3842c6ebd2ef591d03cb6c36e40a341fd4fcaf581bbb8232db20887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
426ede474d9b9b5deffacbb9ec841eb7

SHA1
ca6aea74f2ba48a21108be8e3c498ab0a260e3bc

SHA256
ab96880301ea4646ef88950c0026743d97ec2879b7ed571fab9cb3e8e46f27b9

SHA512
4ef0ce0aac548858e307e9eab477ba884e919553ea8ea0455e0d30fb5e9ff3aa6c7b738e4c602d2abd85c958f1d64928c81737e7e4ef4a27fff7b20a8d859ec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aec7b5a26d3b82fb66d8d300fb8416e

SHA1
e1ff4138df6c1e7d4bbf7143f0fd1f032eba937f

SHA256
9938bbb42bcb83a1ebd4dde51519befcce9b108012f8ab2b5eb7de54d5b2d752

SHA512
8739b42291c5f907695c285503d87d82977b036af46bbf83aafc002af0303d8cac52e0131be092dd18e1e155f758ad12cff2fdec752ea553b5e2cafccf39b902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfeb0df22ae4886061769bafa169b950

SHA1
fe04f8d980032869c1dc0d03d2e7b6a1467e1b63

SHA256
b55f1f88e72f9f28fe32f140df767e812686b08988c89f9cf38451e1d494bd29

SHA512
77d52abbc01ade9113c5d921c75c778069d6b19c66964247aa6b85b555833e01b8a6eb3f1dd417d5e6742ebed3340da31318d6f635009c501a5bc9d18f7926ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5755.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5814.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2256-8-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-3-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-0-0x0000000074121000-0x0000000074122000-memory.dmp

Filesize
4KB

Download
memory/2256-4-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-5-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-6-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-7-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-9-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-2-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-1-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2976-1315-0x0000000003DE0000-0x0000000003DF0000-memory.dmp

Filesize
64KB

Download