cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
Size

472KB
MD5

d133cbea72078419724b6f11cc0e36f7
SHA1

2b2b850902e51f39d76c5a032b431e3ed675e5e3
SHA256

cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7
SHA512

c77c247c2502be6aea421153f57939b8cd89f69c7143f97d399dbc626746126340d4713906da5a12e0541635da122d9bf804f85b76b56a50ef2436a51907dda2
SSDEEP

6144:ppMMVVbsmffCpJipqLXRTvczBZBH6wGFzfw3DThRtUA7c50M5iDcp/h8CAM:UtmfaXioLXpUzPBaws7w3vV5KV5iDZM

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (966) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\vssadmin.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\wowreg32.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\ndadmin.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\unregmp2.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\vssadmin.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\dcomcnfg.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\makecab.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\cliconfg.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\more.com	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\syskey.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\msra.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\sdbinst.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\attrib.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\EhStorAuthn.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\extrac32.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\gpupdate.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\bootcfg.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\efsui.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\format.com_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\TpmInit.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\net1.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\SearchIndexer.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\ssText3d.scr_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\waitfor.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\fltMC.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\getmac.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\winrs.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\Ribbons.scr	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\bthudtask.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\instnm.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\isoburn.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\regedt32.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\verifier.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\credwiz.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\fc.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\subst.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\xwizard.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\icardagt.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\PushPrinterConnections.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\setupSNK.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\autofmt.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\cipher.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\control.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\doskey.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\upnpcont.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\ddodiag.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\extrac32.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\SysWOW64\ipconfig.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Windows Sidebar\sidebar.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\7-Zip\7z.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30\autochk.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\typeperf.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sstext3d_31bf3856ad364e35_6.1.7601.17514_none_625ebded763bbe23\ssText3d.scr-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca\WinMgmt.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_f327d2f6575da8ce\systray.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-soundrecorder_31bf3856ad364e35_6.1.7601.17514_none_fd2f4b124982e400\SoundRecorder.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_6.1.7600.16385_none_bac291589d407fde\TFTP.EXE-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7601.17514_none_ef3338f363c6403c\TrustedInstaller.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpapi-keys_31bf3856ad364e35_6.1.7600.16385_none_7da9291f2ec46948\dpapimig.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-extrac32_31bf3856ad364e35_6.1.7600.16385_none_dafff0c26538f91f\extrac32.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-photoscreensaver_31bf3856ad364e35_6.1.7601.17514_none_6dd5e8c3b6b81894\PhotoScreensaver.scr_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_aspnet_regsql_b03f5f7f11d50a3a_6.1.7600.16385_none_dcb42ec76404494f\aspnet_regsql.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz_31bf3856ad364e35_6.1.7600.16385_none_63df9c242588e5fc\rekeywiz.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_d44c0ef849349ed9\regsvr32.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_533cd4f8150e6a86\RMActivate_ssp_isv.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_b466b741b68bd29a\FreeCell.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_2d02b12c3d47a517\sbunattend.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_e6fcbd244bb7bf74\openfiles.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-osk_31bf3856ad364e35_6.1.7600.16385_none_aa93298fbb4246f2\osk.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\typeperf.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7601.17514_none_e7b3b71a1d1c8662\taskeng.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wrp-integrity-client_31bf3856ad364e35_6.1.7600.16385_none_2b1523604c99c736\sfc.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_6.1.7600.16385_none_851e6308c5b62529\msg.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-addinprocess_31bf3856ad364e35_6.1.7601.17514_none_8ebd3037635a8b2f\AddInProcess.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_6.1.7601.17514_none_b532bb17fea7ee9a\LinqWebConfig.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_d3720895f8f22acd\TpmInit.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-charmap_31bf3856ad364e35_6.1.7600.16385_none_4e4eaf05be0c2d8f\charmap.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-control_31bf3856ad364e35_6.1.7600.16385_none_f560eae4c42edb14\control.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-deviceproperties_31bf3856ad364e35_6.1.7600.16385_none_463f54aa539a0b62\DeviceProperties.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-es-authentication_31bf3856ad364e35_6.1.7600.16385_none_9db1ae483049e160\EhStorAuthn.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_6.1.7601.17514_none_7f7f66788318015d\lpksetup.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-tools-setspn_31bf3856ad364e35_6.1.7600.16385_none_dbfa9310f7d4d925\setspn.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_f71e39745cb0f950\RMActivate_ssp_isv.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winre-recoverytools_31bf3856ad364e35_6.1.7601.17514_none_d7553e5fcf6b6373\ReAgentc.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidcertstorecheck.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\dialer.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_ef38a8d0d05cc2c7\IMJPDCT.EXE-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..protection-statusui_31bf3856ad364e35_6.1.7600.16385_none_3d715a438950ce7b\NAPSTAT.EXE_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_782d737490d72da3\regsvr32.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-acluifilefoldercomtool_31bf3856ad364e35_6.1.7600.16385_none_b444164f1eecd3f2\cacls.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ostic-user-resolver_31bf3856ad364e35_6.1.7600.16385_none_2129f6bd1f6002ae\DFDWiz.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_e46b048a01806891\msinfo32.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_6fb51b358e21d75f\TabTip.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_e7fba6c91d7030e3\autofmt.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sxs_31bf3856ad364e35_6.1.7601.17514_none_b0540607b5e5d445\sxstrace.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-vssadmin_31bf3856ad364e35_6.1.7600.16385_none_c453ab9392f73dca\vssadmin.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_8cae83b0cdeb7a9b\ielowutil.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe-	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-es-authentication_31bf3856ad364e35_6.1.7600.16385_none_419312c477ec702a\EhStorAuthn.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\rwinsta.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlan-extension_31bf3856ad364e35_6.1.7600.16385_none_55d820d53d0a8fa3\wlanext.exe_	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7BA6ACE1-A7FD-11EF-A02E-FA59FB4FA467} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438351129"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b9a3530a3cdb01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000008acd6f653aca27b1f48bc06963601239186d4fc51c0e6e04c7e305028a51c475000000000e800000000200002000000029bc7a5c8ad5642ae1b752b6d6d4487fd440a9a4705893c86aba775dbd3b24e0200000000b9e439f147e5a5c784ec6ec0f4e77ab3fd216d42f0409ddcfed4a4f5211357c40000000f97f1f66318e2763a07cd60fc4a0fd123ca2b90f9eb2afb8fceb3557105b5cf61574d330969696cb6e4e077e2dde8b7f8c385216c8d18b51471a422332ee6c60	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000005b0cc5a09fd352dd698f7941707cada807eed90c558934233bf55b8cd920c5c3000000000e800000000200002000000039402a05e80061d2f29f21e0fda1fcd5e6c04d603dc42eee22bf9a5687694b1d900000008a0ae210d461ab449d0dc87d4cea3763014d288cd83847f093039b836cd82b73bc414c4751bb1ed93b143c2e5fbcf9fca2137846c58822ac72b4d27ad1758fe430e4ec73acccf4db9c4ce1e560325ef322650edaea3e374510445874ded4e140597f780feb861ee363f044504b7f7b4f31238c2bce62f7384fb3742ada812c573f56a681f69b0a74a15e72341652e70d4000000022083ed8840fedc3b4b0d2cb051548a87ef0d768b67b4bab700eb8303ead31197214a6c6e0aff51da5a1b73a22028500ca377eea43493f52a739bd7686460d48	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1992	IEXPLORE.exe
1992	IEXPLORE.exe
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1992	2496	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe	30
PID 2496 wrote to memory of 1992	2496	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe	30
PID 2496 wrote to memory of 1992	2496	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe	30
PID 2496 wrote to memory of 1992	2496	cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe	30
PID 1992 wrote to memory of 2992	1992	IEXPLORE.exe	31
PID 1992 wrote to memory of 2992	1992	IEXPLORE.exe	31
PID 1992 wrote to memory of 2992	1992	IEXPLORE.exe	31
PID 1992 wrote to memory of 2992	1992	IEXPLORE.exe	31

C:\Users\Admin\AppData\Local\Temp\cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe
"C:\Users\Admin\AppData\Local\Temp\cbf539751e6ef7624de831aae2f1855870b11b47b15572536749349f65e9f5c7.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
618KB

MD5
17c9d90b8820abc4df2ef7cf761d5d81

SHA1
1aa03a5ef1928b5cb32b41d222a81f35dc3d1090

SHA256
4d0ada5e25d7a7f234b25788d68a38418c9b67716af8e362c5274613526113ab

SHA512
6505061e9ee53fe1cb60d36ac4a2816aa80b8e7776a4c65d2bf32ea0dbb0183f59291d31b7fdfe1a8b521bf1d7bece56124175c0aa2a750b489e962a2c711c35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02a0957fc47fe5f4dbfca187fc0b465b

SHA1
61fe65709a03c56f15bf5f4d298145c61da0dcfe

SHA256
fde19d3db95c8ee37e74dbbf74f2830d0b720e24af48082cca41fe72dba29172

SHA512
2d58c97d2e4723439ff7c3e8db60449a146b32823d9bfd1b0166d5d6cc06c747a064c8b8efa58da9922c5e94dc90d0b88bf8e55dd5b8eda86d18dd35f2f3334b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f8a3cbdc9cfd65803efb3e198e5716

SHA1
1b194376d4c67a9c91d1befa1c9e4cb4fabecbb6

SHA256
c09158fc72e68be39d1159e0cd20e20b40c2986f1e188b2ebd19c1be10330ee4

SHA512
37e17b9aca7c692f463aa1645199db8a9e83022a185a2874e467c37bbc109d93757fdf3412ee784e931cf4672e570fc51f844c2ede107aa5e6ba3d3a76ff677e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f94509afd81f4c0de16ab9b6db32f9f

SHA1
e88f71badcd5ef611d043b7a6e385297362c86f0

SHA256
9b8f696b6f7075c24727446434dbad5f4a48b8bc5315a597fb3e99fe937b6f6d

SHA512
b5687dacf45b2a2e184d10c21e7d750ce2196fc7adbc2ae158eae8df20437cb4627b5d1af8e111f7a8c3d61d5144f22bf3efa7959aa32a24fa06e558c93ab80c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e1b3e6e92c378c0e56ebdaf28941e0e

SHA1
fa3aa9e62bf67bb3ca10b9f5de27d8e25216209a

SHA256
bbcae210ed5c025a30eae422c938ffb3c5e8e425f1728e78feffe9b723b0afc5

SHA512
81c49f71c65c66a07fc09a07ae935ab78a7f37450bb291e923ee8a98d411799c889fa3bb4ca8cc2d868db6e0ed6811f3ccc12ec867791745987a561173b60e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cfa057c827a965d82efbd151b484958

SHA1
b2dd4413f986f801cb3f22d807f1bb65b37ba562

SHA256
8fef8e18210d37941b35176f788a8cb309b439eafc05658620ef9b877abc6355

SHA512
93a73ebb5f9cfd539f9eb6f4987c9082ed5aa6b3d2e50932554eccfce44c28bc637da4e98bff90ca0c86490b42e9490aa85a882acb261ba8563adfb77c790589

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56872973b806100242c03c5a89ebb2cd

SHA1
790523f67ff180e017dc5e9a349e9231fcd3a3fc

SHA256
86615d1adf4e793263f50d02af2c9847147156501f1e35430dc4a37e56527d32

SHA512
4cd23ffac724478df4d23719f7955600dcf01e7e3f7639da8df98a7840914b95ed215d2802e82c7d095d1936a54d085afdaae0744414bbc4940497c58055a552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae9ac6180f63e23dd051019fb8c04a0a

SHA1
b219cd1e9ebcb9bba0ade8e69676c89f7a06a562

SHA256
d19001dde996647d748c84ac048fd31e70efc487342bf623451c25223f9bc00c

SHA512
589c250b24c09739f88ddc0441ac374db30c1408990d9d89f7c7d5403b2ef633d2c147ec7f740fd956fc3dc06a1851b2c66547fc77b631a4b6c58c444e02acf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b50f1b770e40da8792fc8d947877b814

SHA1
56b889d0306740362b243828fafa5bccddaa594b

SHA256
bebd19f85a9fa86678b649af9b579c4403c6bda11b2cb41e42e5db60cd89c369

SHA512
a01af538750784f88bd7b80ecbdcce91027fc2e709b6ea8fcf368a5db2b1debf8c212cfb16482cbf2937d01133e8fbb7c2de491e179987c86b50c48d77bdeafb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca26f917253106478db640f250af9580

SHA1
f5ed7fc6d506cbb6df195da42d38a2a53850e847

SHA256
3a4b03da4e7a570039a898f395b64d5c49cb974992112a872b98c5193deea665

SHA512
f2da8ebbbef4dfb705871be195cb1bb5affb336973b37d7d96514d9afaf38548294153f867e52aac227c43c993f8942a39673e7e35baae7aaf267cb4b4a6b4f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c388676dd993d7a0b32091d76e8ec881

SHA1
8e3cd61aca1d9b28c6e82a6d67002ba868c1cbcd

SHA256
9a37dced3bcf859d94b2e7974c7749652ec6569440bc59599dff499da4e84af3

SHA512
35b4151b3617b677e1a0cae01b9410c5623c540820e7ab04413a897f0502405884a026a5d4df10f7b74524e23fa19c345c5a9e19f0cbed190ed55b9b87491135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85ab1b8d87bad7024ed859a8369d8a0f

SHA1
910f0e2ee49ee340dc42e07d4607cd90ec5a3c2f

SHA256
1bb00c15f4736116fb43c60e3d98ef33966db7c7292274b7bff72a374c6f838f

SHA512
afb4468eea3072ef63772cfa224f438da48c999a4ec7a05187c5807b81688925c0386fe25645d0ff2791baa3e06c3be1415d6658be07038d013a992b66f567e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c0e7be7f90a2c81a8ff131d3e627647

SHA1
37b3d759d5d5d88a5c48941b1b57c6098273f954

SHA256
f4325e3d599d00e2532f9566d0837ab6afdaa82001e495589df3003de0b876b0

SHA512
a6b9e7241cc1e3f11c19f9256437a4aa2f3680bd83c049758d5534e45d02a901a565bd3e09cc29cb9b4bdb4080a5d978842c4301adcf015872a3d89b05dac7a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3150bccb6628fbfb6ab21f6e67dbeea2

SHA1
b0ee7dad2ab53a20bb618466dd5bfc48cdfbed0e

SHA256
6d5ae50f5843bfc4b294b2dc05b9c136511ac21590121a9b1dfaeab2efa9c24f

SHA512
b07161c93accaa463cde97e9f45f26c3ed70834ced55300fdca7106b7e36bbe5cd1126b06222dd3eb095c5f5cfd45ccbb276329b90e962654e54363a1b39cffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6a027fa5d2ae162d439cab195143265

SHA1
ab2898e6dc12c7479fa3794831dcc16bb83f333a

SHA256
15b803e36c105458de0670d104645f89f70a01d15098c1ace5080b02a996d187

SHA512
e60eec5edfe2cd5fb7a524132fc658d527d5107b7b0acc1a5bd74e0608e4a7d09d6fe84d8e1e9987f9f41d9248f852257f0ec93cc30c17e89fe6b743f651aa87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6446b77bb8ab5e8c31763e46865f1231

SHA1
d15c6333d63a8827cebc23524bfa579a65d34487

SHA256
a9b5911fb0dffcc7389cbaa3752684d15d35955f21ca723ff4fd1468a7db2732

SHA512
c479be58cd33260ce528975d8878806bc62c36707d04c627efe432620d1886cb1077af967694e3097cde549a4fd2e44da7d66e849176fadb21de98151eaef0d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aa7655ac947402a0f4e4fed39045552

SHA1
96d41dd2eaa96b8c07bf1a99133a8bc035f2192d

SHA256
7699e04087c44fa85cd1c321eda8ba292bfa32e621bb8383bada96146ab35ea0

SHA512
6499dbcd1c1b2eb0f44914fcd79e25e27cb7504127b42a3e0bbb995a4afbbfd2904aaef0408430a9fdba8fb1cde1cf532d82e957dfe2c01ce11e7fff1fc15679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fbdc7c636e041a488816790da7554f3

SHA1
20c42fb1194cf4d76418523279638fb01820b1b3

SHA256
ecafeff652b1eb1642a1087c6fa1e32b631c1d7a73e325a36ecf5842b6e2bd62

SHA512
343e8e9da064c858036df1634e7ee3f6f5e4ea7bc9427d316ad9df48eab68e3e9f3fce91c627b44048ffba0039823d33702dc1559f08ea37d5236802f8c160fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43ba793502a74e3b7ae1c16357752574

SHA1
64ca34290d2cae52e311c84db0fa49fa951ae83e

SHA256
3ecfc03bfaf08a644a9fda16aa87bf566045af925e1f2323da44816842af91de

SHA512
7be8cf3bf4ad683f4d867f078f4262c51e3250be6a9aa7c5cd05c9a93419ccbace17568047518ce519ac5383555d0f2f1567f68839ee2f9fe849bdc2b98d88e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a7bf20444ec29c1442498791fdab8b6

SHA1
ca8b173f0a021de68f8fb8bcf4ef410bd62fd86c

SHA256
fbf99d8c4eb895b1d1f19c24243daa9ef14820b344b49a5b3fcd58d712df806d

SHA512
c8b0fc2ab6aa3b88df8e784f28c01198e70013ebce2b1e2d92dd1ddfcf127dc90fef325d4556a7aca12d532db26a4f11a29f9a38e368d694b2081e2094af9974

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB3A7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB448.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads