09c91862d6e40c74f6edc233440b5f691d498ede6fb00bb43d309ca24e4e67b9

Analysis

max time kernel
1199s
max time network
1206s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Size

6.8MB
MD5

b5bae1ed2fde118e256ede9d86affe42
SHA1

4870df80763feae4870e674a93515a2635637748
SHA256

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760
SHA512

00c871aaf12b9690d99ec2797758e69a7513da378cf6d7a2f7e0d3c2095267b346aee5fd7585121bdd5c3ff112f832d810367788136c5bb68758675c4eec5bfa
SSDEEP

196608:FCwwsESTbwQQ/lAL53VFOT0gLw6GfXduJvNKd:ozsESTbwL/E3VF8kduhNe

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Executes dropped EXE 2 IoCs

Processes:

CANCER~93578.exeCANCER~23505.exe

pid process

1336 CANCER~93578.exe
2164 CANCER~23505.exe

pid	process
1336	CANCER~93578.exe
2164	CANCER~23505.exe

Loads dropped DLL 2 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

pid	process
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_cancer~35739 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\_cancer~13462 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\_cancer~24582 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\_cancer~28469 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Drops desktop.ini file(s) 15 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\Desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description ioc process

File opened (read-only) \??\F: 30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
File opened (read-only)	\??\F:	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Drops file in System32 directory 1 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description ioc process

File created C:\Windows\SysWOW64\regedit.exe 30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regedit.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:/Users/Admin/AppData/Local/ewwwwww~cancer.png"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Drops file in Program Files directory 64 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMDOS.FAE	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Mozilla Firefox\precomplete	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00834_.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_K_COL.HXK	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\wordpad.exe.mui	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252669.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jre7\bin\net.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Payment Type.accft	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Godthab	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Drops file in Windows directory 64 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.resources\3.0.0.0_it_31bf3856ad364e35\UIAutomationTypes.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.Linq\1efa0826492fcfdac41786f53d12106e\System.Data.Linq.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_ja_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_it_b77a5c561934e089\system.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_ja_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Deployment.resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.Deployment.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\d660f850b373b57c4e22a7100feeb1a4\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\28b0b7573c3bdbc27187e3dbc4f1f1ff\System.Web.Entity.Design.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.AddIn\a7bc3b42b60c8eaa28b5b62900c9027f\System.AddIn.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\Read Me.url	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\d9a485330ec2708456134e4a9712a4ab\System.Security.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\710a5c9e16388ca7a722211f4d4867aa\System.IdentityModel.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\9de2cd2a58c9f19effe0588c17b1714f\System.Web.Abstractions.ni.dll.aux	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\e251e07a65ea3f2a157796a054971e60\CustomMarshalers.ni.dll.aux	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\twunk_16.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\c7d01590f25b87c1d82c1b48e56d5865\SMDiagnostics.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Transactions.resources\2.0.0.0_ja_b77a5c561934e089\System.Transactions.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\06d363f8e85281d0f70f2c88d1a0e667\Microsoft.GroupPolicy.Interop.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\5a3b5e8dacb3f7675f8f480243680feb\Microsoft.Build.Framework.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\c73da2d72e0bbeaf6538615dba2d7143\Microsoft.Transactions.Bridge.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dynamic\ab89d3e41fb16b5f514f99804185e0c5\System.Dynamic.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.1586a486#\c36d092c02b6fb0dd01a5e061d5bf05b\System.Web.DataVisualization.Design.ni.dll.aux	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.config	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\XsdBuildTask\90ef7c8e607fe9d71e83d747b02b64c0\XsdBuildTask.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\Branding\Basebrd\basebrd.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\267f03b78a9514be8c1ebd278f03e3ff\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\0a6fed4a3d60bba766a643e4bc2e5968\System.ComponentModel.DataAnnotations.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\817a5a762b535246cff001d4d7859bcc\System.DirectoryServices.AccountManagement.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\e2e42e6b0f65a618da8ab7235c27faf0\Microsoft.CSharp.ni.dll.aux	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\Microsoft.SharePoint.BusinessData.Administration.Client.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\ehshell\6.1.0.0__31bf3856ad364e35\ehshell.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\he-IL_BitLockerToGo.exe.mui	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\dee98e5b0e1a766ada50708c26bad1aa\System.ComponentModel.Composition.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Wind0de890be#\5bf4243eccd10a06c3d5086c8a884165\System.Windows.Forms.DataVisualization.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn.resources\6.1.0.0_fr_31bf3856ad364e35\SecurityAuditPoliciesSnapIn.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4c0fa9d495ac562afcb136f3e9a87cb9\Microsoft.Build.Framework.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\Accessibility.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\84846480d6281bf831a97d07f712d09e\System.Activities.DurableInstancing.ni.dll.aux	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\7600f870ebcc661f412ab16465a64647\PresentationFramework.Aero.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\napinit.resources\6.1.0.0_es_31bf3856ad364e35\napinit.Resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_ja_b77a5c561934e089\system.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\dcc11202188c9fa2ba06359a04d4b43a\Microsoft.Windows.Diagnosis.SDHost.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\28b0b7573c3bdbc27187e3dbc4f1f1ff\System.Web.Entity.Design.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IO.Cb3b124c8#\bcc98e7bf9586de018b1e89fb5b8abff\System.IO.Compression.ni.dll.aux	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.resources.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn\6.1.0.0__31bf3856ad364e35\SecurityAuditPoliciesSnapIn.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\SMDiagnostics.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SrpUxSnapIn\593c2939737f10fc236c7b4de35271bc\SrpUxSnapIn.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\0af51d481e7c0a48e0fb5164e38e9465\Microsoft.Office.Interop.InfoPath.SemiTrust.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\3ea902532ba499bf1260da656c900f6c\System.Web.Routing.ni.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\Boot\EFI\ko-KR\bootmgr.efi.mui	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.DataSetExtensions\3.5.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CANCER~23505.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CANCER~23505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Modifies registry class 45 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vb\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.odt\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tmp	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open\Command	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sln\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CANCER	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.php	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.php\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.db\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cancer\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cancer	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tmp\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe \"%1\""	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.docx\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sln	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sql\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xls\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dll\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dat\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.java\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.docm\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ico\ = "CANCER"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

pid	process
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description pid process

Token: SeDebugPrivilege 2504 30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	pid	process
Token: SeDebugPrivilege	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe

C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
"C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2504
- C:\Users\Admin\Documents\Temp\CANCER~93578.exe
  "C:\Users\Admin\Documents\Temp\CANCER~93578.exe"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Users\Admin\Pictures\Temp\CANCER~23505.exe
  "C:\Users\Admin\Pictures\Temp\CANCER~23505.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Shared\Temp\CANCER~54786.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\CANCER~42981.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\Local\CANCER~88241.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\Roaming\CANCER~42854.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Program Data\CANCER~15255.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Files\zzz_Cancer\CANCER~39764.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Files\_\CANCER~56817.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Programs\Eww\CANCER~15377.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Windows\XLIN\CANCER~47749.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Windows\D-Link\Media\CANCER~7965.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Temp\Cached\CANCER~14187.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\CANCER~1175.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
  "C:\Users\Admin\AppData\Local\Temp\30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Data\CANCER~21420.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

Filesize
7B

MD5
44f601e6b6d1113354b901483b2e624c

SHA1
f39912a200b8a49c8ea43ec7085f498cae4324c7

SHA256
4dde4c53d78e3e01233b0019370fcdba1e04acf2070f83e843f990a7f6d941b3

SHA512
98d3dcc0a164d2cc56079d38fc0fb6a1de6113bc1451f2603c187c43b265e0884dc842956327340a5299536a5fe4234b11a5aed1b48da69b62788200578cf8e4

Download Submit
\Users\Admin\Documents\Temp\CANCER~93578.exe

Filesize
6.8MB

MD5
b5bae1ed2fde118e256ede9d86affe42

SHA1
4870df80763feae4870e674a93515a2635637748

SHA256
30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760

SHA512
00c871aaf12b9690d99ec2797758e69a7513da378cf6d7a2f7e0d3c2095267b346aee5fd7585121bdd5c3ff112f832d810367788136c5bb68758675c4eec5bfa

Download Submit
memory/2164-1309-0x0000000000370000-0x0000000000A46000-memory.dmp

Filesize
6.8MB

Download
memory/2504-3-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-4-0x000000000BDC0000-0x000000000C4AA000-memory.dmp

Filesize
6.9MB

Download
memory/2504-5-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2504-6-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/2504-160-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-2-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2504-1-0x0000000000830000-0x0000000000F06000-memory.dmp

Filesize
6.8MB

Download
memory/2504-16889-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/2504-21051-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-24733-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-40754-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2504 wrote to memory of 1336	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~93578.exe
PID 2504 wrote to memory of 1336	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~93578.exe
PID 2504 wrote to memory of 1336	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~93578.exe
PID 2504 wrote to memory of 1336	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~93578.exe
PID 2504 wrote to memory of 2164	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~23505.exe
PID 2504 wrote to memory of 2164	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~23505.exe
PID 2504 wrote to memory of 2164	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~23505.exe
PID 2504 wrote to memory of 2164	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	CANCER~23505.exe
PID 2504 wrote to memory of 1304	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1304	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1304	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1304	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2904	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2904	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2904	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2904	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2456	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2456	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2456	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2456	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2052	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2052	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2052	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2052	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2204	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2204	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2204	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2204	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1660	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1660	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1660	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1660	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1780	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1780	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1780	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1780	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2328	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2328	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2328	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2328	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1632	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1632	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1632	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1632	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1384	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1384	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1384	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1384	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1908	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1908	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1908	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 1908	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2824	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2824	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2824	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2824	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2080	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2080	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2080	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
PID 2504 wrote to memory of 2080	2504	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe	30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe