1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
Size

434KB
MD5

53187e898aeab830a8757bf6fc9bd270
SHA1

ff2195999cf7f2fdd963670c2c272732611b8705
SHA256

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c
SHA512

7de9c987ed55dcaa65577c501241769705e555a2fd4b94a73540623e49d66ea9264bd90419ec530f6d898f397e9a3133b0fe205f9c5cd8033415d1c0c75858c8
SSDEEP

6144:ppMMVVbRp29RG/pOys58DDDVxnaDvnrzkmIL3E7QPQLEowGFzfws:UIAOTs58vLnabrYmIjE7jws7ws

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (926) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

Drops file in System32 directory 64 IoCs

Processes:

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msiexec.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\sc.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\auditpol.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\LocationNotifications.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\lodctr.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\eventcreate.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\InstallShield\setup.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\Magnify.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\comp.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\mspaint.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\ntprint.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\powercfg.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\RmClient.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\userinit.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\replace.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\shrpubw.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\NAPSTAT.EXE_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\runonce.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\sxstrace.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\comp.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\dvdplay.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\dfrgui.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\takeown.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\userinit.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\netbtugc.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\perfmon.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\migwiz\migwiz.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\relog.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\cmdkey.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\DeviceProperties.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\diskpart.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\SecEdit.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\DeviceProperties.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\typeperf.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\choice.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\wusa.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\setup16.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\svchost.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\unregmp2.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\vssadmin.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\newdev.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\notepad.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\clip.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\cscript.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\forfiles.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\NETSTAT.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\SysWOW64\tasklist.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

Drops file in Program Files directory 64 IoCs

Processes:

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Windows Mail\WinMail.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jre7\bin\java-rmi.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

Drops file in Windows directory 64 IoCs

Processes:

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_2a716ffd9b872f68\whoami.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_9f01d3f4c9ca5275\aspnet_regiis.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_856219b9f734bb75\iexplore.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_009cfaa696afe78b\fc.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\finger.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\explorer.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_11.2.9600.16428_none_e410f56f6c4ee930\ConfigureIEOptionalComponents.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_8.0.7601.17514_none_7a9a2f07e4e23a48\ConfigureIEOptionalComponents.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicepackcoordinator_31bf3856ad364e35_6.1.7601.17514_none_92e727843e307e1b\spinstall.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ktmutil_31bf3856ad364e35_6.1.7600.16385_none_88604e41627c6de1\ktmutil.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mapi_31bf3856ad364e35_6.1.7601.17514_none_097346be305f3966\fixmapi.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrm.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\user.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_243595ae2cf3193f\TsWpfWrp.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_441a424cd5cda219\autofmt.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\perfmon.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_6.1.7600.16385_none_2b7ff0845918e12f\snmptrap.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.5.7601.17514_none_1f3413afc64d10c5\wuauclt.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigSetup.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskpart_31bf3856ad364e35_6.1.7601.17514_none_6adfcf45f42effcf\diskpart.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_782d737490d72da3\regsvr32.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_e8cd1f348648ebd1\ielowutil.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\print.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_21ceb2d66a98ec2f\mofcomp.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cttune_31bf3856ad364e35_6.1.7600.16385_none_b35ae2951fd8adbc\cttune.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sctasks_31bf3856ad364e35_6.1.7601.17514_none_8c46e17f1398738b\schtasks.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-corruptedfilerecovery_31bf3856ad364e35_6.1.7600.16385_none_e3aea9874278550c\cofire.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\sapisvr.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_6.1.7601.17514_none_b656fd566c17dc3a\mstsc.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_6.1.7601.17514_none_412fcd2afecdc412\mqbkup.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\iexpress.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\ehome\WTVConverter.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-alg_31bf3856ad364e35_6.1.7600.16385_none_04de43c774cf8fe3\alg.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-mctadmin-component_31bf3856ad364e35_6.1.7600.16385_none_672f52a8b504cbbe\mctadmin.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-security-syskey_31bf3856ad364e35_6.1.7600.16385_none_1838ef0586d5af46\syskey.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_netfx-vb_compiler_b03f5f7f11d50a3a_6.1.7601.17514_none_144b6bd462e4a41b\vbc.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_ab379671230b963f\bitsadmin.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_7a09c587c282995a\TabTip32.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpapi-keys_31bf3856ad364e35_6.1.7600.16385_none_7da9291f2ec46948\dpapimig.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_f71e39745cb0f950\RMActivate_ssp_isv.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\poqexec.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tskill.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_6.1.7601.17514_none_036ad230212a39ce\lsm.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad\lodctr.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\IMCCPHR.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_c10c2a29895d4994\gpscript.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..mes-spidersolitaire_31bf3856ad364e35_6.1.7600.16385_none_dead260d8f002b73\SpiderSolitaire.exe-	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..up-drivepreparation_31bf3856ad364e35_6.1.7601.17514_none_ff178cca7f9d03eb\BdeHdCfg.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cipher_31bf3856ad364e35_6.1.7600.16385_none_acecd57e066c38ac\cipher.exe_	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000257c453b7e2e77a81f459f5777777d81a103481352f394d96f9115ab8e0f04de000000000e8000000002000020000000c309a6ac35233ff59b19e2c6ce14d208ebfd157da549a55321af276c75198ca82000000023926592874b7210ca1205912445d2183d43d4ced66064fd3dffbaa1170ba9fa40000000d3cd2c2e6ac462e841d3e149f8d300fe56274f86efbd532ee7c88103569599fdaa3499bdc9cf9407a5b931a322d755776d69ca5e52c541a5582c4026cea0af90	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4DAFA11-A7DC-11EF-999E-E67A421F41DB} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438337158"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000a9472e6901c8b821b7e3cf62cfae5abe580f42e96d89eeace9b20afac546fdf2000000000e80000000020000200000002b40be918c079a47ff67c2bb3bf8cde33118846e6e44efcd95d8b5c2c55d3215900000007fe10e35d7003219a6545ca347f5fb75775a0ef304593fd7ccebe4703a8a26ee827df11e0fe6924af3bd8051e44ada1882c8e228a18eef55da0c849e65cc517833577389e631d9ab8827a544aa186b7b17c72104560f82a613fb434e0f8217f705f17670b64aba77137e367fcf1f777aaa22f716a3d61289bfb1de8cfdd8f075101ed3cd50c39b82fe57fdb167c9d5794000000069bb33498b375598ca9883e4499444ff35cc7460403a3d6e8bdd6d9d049bd64640e72f92b34ef9b473b63fd84f5c464c422e6d63af0f9f500b083c6f03ed7712	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bba2cbe93bdb01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

2656 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

2656 IEXPLORE.exe
2656 IEXPLORE.exe
2788 IEXPLORE.EXE
2788 IEXPLORE.EXE
2788 IEXPLORE.EXE
2788 IEXPLORE.EXE

pid	process
2656	IEXPLORE.exe

pid	process
2656	IEXPLORE.exe
2656	IEXPLORE.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exeIEXPLORE.exe

description	pid	process	target process
PID 3040 wrote to memory of 2656	3040	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe	IEXPLORE.exe
PID 3040 wrote to memory of 2656	3040	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe	IEXPLORE.exe
PID 3040 wrote to memory of 2656	3040	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe	IEXPLORE.exe
PID 3040 wrote to memory of 2656	3040	1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe	IEXPLORE.exe
PID 2656 wrote to memory of 2788	2656	IEXPLORE.exe	IEXPLORE.EXE
PID 2656 wrote to memory of 2788	2656	IEXPLORE.exe	IEXPLORE.EXE
PID 2656 wrote to memory of 2788	2656	IEXPLORE.exe	IEXPLORE.EXE
PID 2656 wrote to memory of 2788	2656	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe
"C:\Users\Admin\AppData\Local\Temp\1016c7722d95db13685306204d0ffa68049ca1cda676e77537decd54012fa83c.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
581KB

MD5
ddc6dbb095b6843747423a6528be80a5

SHA1
b3e5f6f71d239cd3151db8a9884a99dbafd9eb40

SHA256
62de9eb7a8edf0217bcd1251033663cae219c9bd051e92003a6488ff8d83df0e

SHA512
b20a13872f70d8700cc118c5c953c27274006c6c9e109aa435240472347048ab3acc25e6f3817482cf55d652695583efeb74c85f740bd20bbf95902025fbfc23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47906de704f89c5f1d920f42dcce7b87

SHA1
0e022b7b03d31174d09b137e1f99c30f022862d6

SHA256
4b5afdf4d7e39f1be45b3fa29e0028d9cb4c2e09d899ff88af3be085fce3e94b

SHA512
19e53fd600132995ddd4a221bf2216e6432554540b64ab2b3c07d823b5dec15014e857edb4a05bce413960c99f47c564fc42928fbca16d2988267cd8a83c80fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab45abc1b1d2f631683c43857546875c

SHA1
c68435d943694f0c23b50ac347a2fe645357b989

SHA256
c70ead92ff9ad5a0c2535a0f3cecd40ee9c3d096b7da4c807394df3f7f36b645

SHA512
2e2340b50d9f429a9d38ffb8e9624a6657f5aa210848a58113ebe183042768b4261df6a4095136e39140fc9ebdf61686ea8180c6d2173c4d0847b131c27f6678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
927d403f4ffd966af1f01e90096a0cbe

SHA1
60f23c83a83c1f36d58268116fd4bd09e496dbb5

SHA256
fa9fc284790511c3fd8ac543bcd43ba587f863c80b1b770cfd3fd4156450089a

SHA512
dec84301862bc20c783edec3ef905781f3e5474182c13d294801482bd0456e8dff5c2c339eafc4f83b30305ac7cebf6896d7005c65944c3fb8b6adb290f3a0fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
024ab5e94a1c0eb1e0c5ab0d850e0696

SHA1
2aab9ed9de83828f8cbe7675d3aa6175508eb818

SHA256
49b04deb33cc79d771d0c0e18608b84a3d81211f0c42ba309c86f330dc5b9da8

SHA512
3fa7e56897ae709e59c70bb4dfd7314433631ca699f3700350544a05f8b992fe13a43c7472ef1eef5e731bd9df111f93a81a3d7ec85f6bbd86509a76a732e613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
125bb5d13348cd73e2dbbaee2e0fc91e

SHA1
8b3fdc196ff3a6b291f0a01753d3b0d32c085f89

SHA256
67c9367c8347f9c1eaf8b76549157f7448b95e4359c1e77298723f132be588e8

SHA512
f4930ca2d67556b0117004befa5d13205d556e5880cdc9396bb5a8115853dfcc84a12ae54e847d08c21c9d0290f927f6b4f71d1b832205d7855b9d9805cdf6fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ed1200cecc27b88c052c03730464144

SHA1
6212a720ae1ba13cb873d1fdc86e5112ee170e7d

SHA256
40242b1b7e7a615c8f57e6d623a77bb0725a95e488aeda2c1ad599d056f3e8e2

SHA512
de19d5b10cef019630a3e077a5391916fd85b6077ce6b8f4aac585a04c90d285ca3c48f61007af3d4b90afffca198dd84d5e364632ade168724a42a8c999ef9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94c276f21f396460c5f5cf133f523ad9

SHA1
570a51da510369f00ff0ed91490770e78becd842

SHA256
bd2839c7da6c55eff5188ef7b68f00741beda81c37f6e9fdb3312215dac2fd9c

SHA512
75954476fe5b531637878e6798f37a04eb794d4cd2a4d264b94d6205757c207ed180fa7224c0e588ae3a146f3a9e7ad819a09140b1d337b018efa849611d0186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11baf1408bb6fbd7dfce2d79195156d3

SHA1
de7ac88609765ac10dd877ce91566e2a1233ccb6

SHA256
09691d8b9b3f573563517626320a6b5a609f2abcc1aca814259e08a9295768f2

SHA512
1a2190d6ed2ccc2b9c8a23bc72c757ebd569200835da6915a0df4e051e4ba83e9707cfbf7eb4994893178b9b09a4c36cfbcd18cecf1e6e44c328567d3e52bf5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaab7091550eb25f4e1f80015c34fd2d

SHA1
65bf64113c17688ce277b3a86493bb0d0f17926d

SHA256
3a8adcef32d0d1f4d8051db097a605a160a23b6be993a40a0e75dc4860b40e54

SHA512
7b1edc1fb236e61b7e973a73ce526c092ac953a2ac74cd3ce1736aad8788760c316da3d9d15da7c395f34a0f4f1adeb9962847f1a09bd3130e5722e87ee70017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ebfc4202e64a8a2784929307574f911

SHA1
5dcf8ff918fcc029ab3f49849b98e870766921e4

SHA256
4e6a83593d84fd2ff73f3385b07c26eb1c9dfd2bf3604dd067b86d3874b77341

SHA512
f708997058a65e0af216d1ef3342561bb36db64466d1e11062bbc95160f365698eb2a03d07b60ee0d85e68fdd00ad8c0a79357750ce2ff25c9e81a3cf21403d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8af71ce7db7e8d20664d838e803561e

SHA1
c574db43255cefb3c9cfb0b1df301cd0f76bba06

SHA256
19fa1d8b4394b8b107fd9cd2f21d1b7337ac2d8fcef3f103bfbeaa1634eff522

SHA512
7b7034acb8282661f8706e6d1b81cd4e09c2b929de31071f35dda646b44fa4cbb5313f7d7499f69ad8fd3c67270c8551a90e521ba85f2f85f776bbbb76c3aa1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd2af296a2121ecfd739091ad2ba4f27

SHA1
e8d80df4f8f54e37d072f8ca795b15a72a3e8fe1

SHA256
bfd6a4a2046e88053c8c463f24f2da02aea350b79f2f86f1c592e4b195acb3e9

SHA512
879e095e1bdd1305d78af889ae81a215fd71556becf8fc0f70a7991a8ecf0d8ffcfd0ba66e0d9fff7c4053d3e7ade891e3317c596e2933d10c3ca790c7402ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
245b5fc43ad1b557192657427c4cc3f0

SHA1
02190cb0d8eca1c8bfe499c3aa40e734b47f090c

SHA256
01dbb39ce70a7832d5d83e7df6ec03871881c3daa424f93b083b19d506096b34

SHA512
a43a3354d3baacd9dd5b3935f6f0b6daa31afcdfaf81bfbf73db049f4b54547d7a8e82079fe166de303a2cf67d2a6992b7d00f1cbd11342e8d44fd69dff3955e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
294eda262d051f96a0fee0a3514286d0

SHA1
5b671ef3303995f9d1038002575c83014c46ab2e

SHA256
c7e672b587bc9af3d63c4b406b39b33050490583130e80ec76de575cfb64cced

SHA512
8e903dd07be8b03a95ba222a618f72ae86975e781d99a222d9e0e6ca74e6bd860199d7b713204d028a02497632803f708102c9fc7fab63dd320d20a78a4c179f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef21444a6076f699f8260c6652fa2018

SHA1
39b05a5e8a2ff66f0820e5abd8414bd4376cb98f

SHA256
fc865a53a2864c32e5457066e66c5b934101f0e2d28fb23c4684c17001756a30

SHA512
2848197777e43d47bacc42c416a7f5806ee642f7ef3c3679a0671eef329c1648a888967946407adc850605c353cce4e658a6983097034f4c244a9adfea15e9ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d983d605ad88b0fb15cb95a6d280abd3

SHA1
723ad46aafe23c13d6ed7456b7165b17414eab45

SHA256
72aceec2e2490e3e34ac7bdc35a0a913369b883a071d796acd51e5060db3a80d

SHA512
f38e4fb7eda6fdb1895270c978bca2ce542db0e8b01a274697391638b908d3ceefad75fc0e09b39f7105cb3eeba4fa56893357085bcd4a8e74d0255de6e03334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9faf32db23776e13506149b4cfcd5ef

SHA1
03fdc858f2cb60b6687261143328d5cff507743e

SHA256
0ca9adfed0e77003eead11dd127267d0159f700d6305745a4b309429e1f15f09

SHA512
dd02076fb977513254c800294f9d236048588fec491cf882179e28fcaab1f7546272db6b656554674a6b7809b735ab8f3338dfa1aa1817244c56545026dd8d85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cc357816d448fbecefef1f349cfb728

SHA1
65e5913cf5049cdf2aa933999bd7f1706e69bdbc

SHA256
08da98a47b7b945a9ba5b287454f854c227f13d7a71651be3bb0f829daf18b1a

SHA512
196452edaa528d257bdd4c5da85f036fe0b126f781fd65dea374f1de362338fe92739d3c992052f23d973c59493da87b1389b537a0250732c7d466a5001a29e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4297dcf894ff2193095659df83768199

SHA1
c73e9b953c33666bbf4c0b8c15b2c321660c60c6

SHA256
270356fcb171f386b103cbc5826d737fe2e3e721acd1f84d68f13b87c4be255d

SHA512
a1e3ab8c9b4865a75ab778a111d7c97177095e3d65d7071e452c25e9c0d809378ec6031fa15e085687f8f41df9ebee33580eb545c2c65c9f92770ea64ba79146

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab754.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit