hxxps://trackloft[.]site/itb?sub_id1=297

Analysis

max time kernel
124s
max time network
124s
platform
windows10_x64
resource
win10v200217
submitted
02-04-2020 12:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://trackloft.site/itb?sub_id1=297
Sample

200402-cmljkk4pxn

Score

6^/10

persistence

Malware Config

Signatures

Modifies system certificate store 19 IoCs

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 1900000001000000100000008b60706d5d6718e4db563171b4c4ab02040000000100000010000000eb2f0ff332094d37434e4dbfbacc947003000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d5c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f00000014000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da750f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb2000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\CRLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\CTLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C\Blob = 0300000001000000140000005ff1348c80820f2a988d0c0c7abea0ea394b5e6c040000000100000010000000fd42404f68fae3f0d490e8d19d08ab1d0f00000001000000200000005546bb2210de2560292e6f4610af4ffbdb453f9bf9983e62942c35959e16038d140000000100000014000000b3b30880146b0eb235e8e136e7d15c9c4847f5f3190000000100000010000000e142e209d34bfb2eac257eb76a2b61e15c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e5050000308205e1308203c9a0030201020213330000016fd585f24b93e88a0700000000016f300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3139313231323030303333315a170d3231303331323030303333315a3081a3310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3121301f06092a864886f70d010901161271666265406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cfb24782c35c66c63688c01ed857df9a4330b81628c86831de4d577f8cb2155b880ee41953a18ac28de644bacfa97558ec6f522490f103b7fa0092430f8e0ba55c36dd91f6f1f91baec6eb3581d89133141e1580e02ec2445e5380b178f92f81e97193be8be1223d36e5f2be070a3db6ac17987ea3b42d15994c73a10e64794da4660a5d875e179c567bb06ecfd7cbf4c1ee4fe453284e72877d746a3e178788a1bd540ba9250a931a11105bb98f1b2b757fa6c5ade16e7cc1d1628fedb716018526f5b56630b54cd5f75f938e9b4a956609cc441aac84a10a101f6429b6fceb9434a41b24f0ca9781bf72b010f14bd13dc5d996b6ed6c4d53156969dd04f7390203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414b3b30880146b0eb235e8e136e7d15c9c4847f5f3301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038202010064d81278e224099c122690412271d5f2d92ae1c00f7135d64f63663ccc0588826bf24cc6cffa0d6666b7e3f989825dd1021fd1bdc6a9d4a492c0f46198534382204d8668b0f3c8d85f9f614f7fff47e391a4fdc89dba1b423f1d2a8d4986ff42bac032a21224b246b03ffef26e7da49d3ef381ff9d669cda0234445bff395be1b70627f013ccde692280d75d690b4f4c5e3a123b379bd30bdc6cf1af0c69d97eb0aa4f580eb4e876465b2c62514a612a3971f6bc6ace33f569e0cbcbd5498caf2af949952c310221a382d0a7fbc4594b0bfe96a1c81d26639b249beea28179ead8377bf70e9a09596997af2b405c5425a1e5e6e46b065016901b7cd120e2389d47924b1f834955135461f7592c9487e3910bf0de382ad5906dd8c46b321b176698caaec19d1ee10aa6679981d8f2f5c40d69240a7075ce4341305d2bbd082e03c81c41baeb557b41904482ae88d0566f339ab517ae2f84223d567f9ec734c1c5a2be39aa24c49930b6428bbe2fa300f2369e1c8cc554c14010f1ee518afa32e4bf0a15cb251d37791338f5ade8ced4b67ca5fc56320c2c2973f9b13e250dabe4a373580becf787afd552c6b293dfc7bfb1f67739c64df74ae3d373e2db9c27090fe15e58591824e4f150602af628917a6d1353919cd0a8489596f97070833a98b34c2d3a0ebafda2f81096533b773c5914d7f05e66cb17af2bcd11ad517440b5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 14000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da754b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee5c0000000100000004000000000800001900000001000000100000008b60706d5d6718e4db563171b4c4ab020f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb040000000100000010000000eb2f0ff332094d37434e4dbfbacc947003000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d2000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 040000000100000010000000eb2f0ff332094d37434e4dbfbacc947003000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d0f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb1900000001000000100000008b60706d5d6718e4db563171b4c4ab025c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f00000014000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da752000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 03000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d14000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da75040000000100000010000000eb2f0ff332094d37434e4dbfbacc94700f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb1900000001000000100000008b60706d5d6718e4db563171b4c4ab025c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000002000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 5c0000000100000004000000000800000f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb14000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da754b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee03000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d040000000100000010000000eb2f0ff332094d37434e4dbfbacc94701900000001000000100000008b60706d5d6718e4db563171b4c4ab022000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 1800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee1900000001000000100000008b60706d5d6718e4db563171b4c4ab02040000000100000010000000eb2f0ff332094d37434e4dbfbacc947003000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f00000014000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da750f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb5c0000000100000004000000000800002000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000005c0000000100000004000000000800000f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb14000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da7503000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d040000000100000010000000eb2f0ff332094d37434e4dbfbacc94701900000001000000100000008b60706d5d6718e4db563171b4c4ab021800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c5c000000010000000400000000080000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\CA\Certificates\98C6A8DC887963BA3CF9C2731CBDD3F7DE05AC2D\Blob = 0f00000001000000200000003fe338634e0510633de453ca350b15cec339b3dcb8ba9f2a2dd24d10a838feeb14000000010000001400000053ca1759fc6bc003212f1aaee4aaa81c8256da754b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee5c0000000100000004000000000800001900000001000000100000008b60706d5d6718e4db563171b4c4ab0203000000010000001400000098c6a8dc887963ba3cf9c2731cbdd3f7de05ac2d040000000100000010000000eb2f0ff332094d37434e4dbfbacc94702000000001000000b5040000308204b130820399a003020102021008a5a246cd4b5c8c83d702b4bbab5349300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323333335a170d3237313130363132323333335a305e310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311d301b06035504031314526170696453534c20525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100e52da88a1128f679e97b3a33883b71e1658b2c2965fded2dd4461e984e67f8c80fe6f89a1cbcbe5691cffa7757e43d7c20d22eb8057cc05ab6e8a17953458d219890a7a98bb485a351e5833c0dbc39eca14e58fd4cb9366decad6ed154eb2a5ba56525b66bd8e55f2782ca42ee71513428e97e70c40f6911c89ccef32a0a305cf8278244f0decd035b89c14105314bc72ecd2c70ba0f66429c7b02119b5455d80c66150c4991d7fb60df4f7249227f65e09b76f8f01667d337f4a97b12786bbce2e6bd830ce3cc8eed6d30636b24e94fefd7a56b8156fe9fbdaac8e9b8a4281f39f4e48642ec3bdd75e07ae17010f1d3211a14b64ceedff110f8bb70ce7924750203010001a382016630820162301d0603551d0e0416041453ca1759fc6bc003212f1aaee4aaa81c8256da75301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c30630603551d20045c305a303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01013008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101007e23c7f2ca356e5992515c616b3c1236e6d27cb329e642d8a395611ecff207af2b2b255a6e17a38052ccaaf6df916c278685b7ac808afd5e634b59fd9375f1b3864864ada0473f244e28708cebf0fe4c835d644581db9a0627af54717a48b999279bdfd0c6c53a490f890686ce655cda28e1ca27522889c0a6aa1fbbe1d9b6abc9df2930849a83cdc952ac9519cdad58fa4ed37dbdfc25aada4af2aafeba392323c2e954cf47577f838741ab11ec235f22bfb829271ce8006543944317ce8f19e13a91dc1242416207f710cac372ab48c40d04e47dada98e6b96b4c08d6c19e11570587a37ee6c885a51b12fd853900777426aff853e0e5e12f7974d5c8c9c6a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C	iexplore.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3996 wrote to memory of 3492	3996	iexplore.exe	IEXPLORE.EXE
PID 3996 wrote to memory of 3492	3996	iexplore.exe	IEXPLORE.EXE
PID 3996 wrote to memory of 3492	3996	iexplore.exe	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEosk.exeDllHost.exeDllHost.exeLogonUI.exe

pid	process
3996	iexplore.exe
3996	iexplore.exe
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE
860	osk.exe
860	osk.exe
860	osk.exe
860	osk.exe
860	osk.exe
860	osk.exe
1304	DllHost.exe
860	osk.exe
1304	DllHost.exe
860	osk.exe
1572	DllHost.exe
364	LogonUI.exe
364	LogonUI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3996 iexplore.exe

Modifies data under HKEY_USERS 93 IoCs

Processes:

atbroker.exeLogonUI.exeatbroker.exeatbroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ClickSound = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseKB = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ShowNumPad = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ModeHeightNavigation = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowHeight = "293"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseMouse = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowLeft = "100"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseKB = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ModeHeightGeneral = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\Dock = "0"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ShowClearKeyboard = "1"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowHeight = "293"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\Mode = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ScanKey = "32"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\Dock = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseTextPrediction = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseDevice = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseTextPrediction = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowHeight = "293"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\InsertSpace = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseTextPrediction = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowWidth = "1024"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowWidth = "1024"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ScanInterval = "1000"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\AccessibilityCPL.dll,-84 = "Magnifier"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ScanInterval = "1000"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\NavigationMode = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ShowNumPad = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ModeHeightNavigation = "0"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ScanKey = "32"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ScanKey = "32"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ModeHeightNavigation = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\NavigationMode = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ModeHeightGeneral = "0"	atbroker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\UseMouse = "0"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	atbroker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\AccessibilityCPL.dll,-85 = "On-Screen Keyboard"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ShowClearKeyboard = "1"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ScanInterval = "1000"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\ClickSound = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\HoverPeriod = "1000"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\AccessibilityCPL.dll,-83 = "Narrator"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk\WindowTop = "100"	atbroker.exe

Modifies Winlogon 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Checks whether UAC is enabled 2 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 74 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30804218"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3723812658"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "292651193"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\trackloft.site	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9072d6d7fa08d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3723812658"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30804218"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0965B720-74EE-11EA-B6A1-E63AE4E9A508} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c00000000020000000000106600000001000020000000344a4eac5f6f6e1c6079a83f1bdd1835baf5679df32f40aaa21b2a7b1adf11ba000000000e80000000020000200000008b542e22dc0c02fd5ff06069681935a1e690fa5719a4f8340400156d44c4b9a120000000099662eed7fa3735d000618bf79aa28e08095cebf0a24db8ee36453ff24c5cf6400000001978991a6443d40d43214292f0327eb7ffceef2d3d7c381b5f18f270cb8e2b30e95fcb23d317ad03848f8504a87f09c1957b1cd0033aaf8006991ef8e1273554	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\m.stripe.network\ = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30804218"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\m.stripe.network	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailyplaning.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "292602607"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c00000000020000000000106600000001000020000000f2cef4a513445b7e7bd3ea65c29796c962413785106ac7f9ba0d72c58c74a635000000000e8000000002000020000000714984f3faa2cc12c9e4b24970a6fe1e79e806c39df3e284c5620d1d42f532c60001000040a739de73afc8876383a363413ac6cd453f9fd4c99abf2a96da575ad5f5251b0ab3d10a70fcf3c59889b8747fdf37855d1c1a53d3575ea3ff21cb7018f4a09dd60d41fbb921157ac6910da2a1a3f666a7fe9fa9411390e7dbdf9cf3ae6c41d8df59b5b007416ade77c752db630b764703fcbeb913dfe339104c8395209f1d4a9264cf989a9af3926ad80a2ce63e83703d2d3033dbc87513b1d998df0edb9d1c120be0b0954e83a2bf1503811899dd5bef040e2f3879e53c1102fac0591e451ffd4f96fe2a2c8684c7aa01bb829b30f253999947f0765dc378164fa54e5fddc96e2745f06900e80561f28dc1a4525d30d9fdd023725777a519223eba9d3ea8f6400000007489403c60b5120910ed47017e466713d85bf286a6ff89835aa1edf4250db53a8cb74233ef8cb3e81b8703b10e14b38c8b7ad7a782f8edbe12dd67104cce3db2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3754822625"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c018c5eafa08d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c000000000200000000001066000000010000200000001bf855d30b98dfdffb883b12e463ee1ef61afc94aa41be1198796c81f11d6623000000000e800000000200002000000086481c9d55e8a11ddf554ab499e114e0e03810c317bee1bf618a5a35fab365f6000100003fe224ab8b18be212d67cac2959e740188f6cc31d46c90cdd95f8f13f9fe9bbc3e0989461e64069119ed7b4c4d932d7a8b8706bb4da6c5efd351cac084b633164e8583ef641b4c0043869ea71afa0c15a6332e20e592922b297a4aa039739bd748a225c56569b4c7b8eaee6c25b7e87a340102e41c760bbd17dc730b94c371f294dcc21b4573557de096a31ccc59d11fdd74b30a59348c267e2937fccad9e3f887fc9093e5b8846531d3f3e46567a82848a138548704d577d0cb46e276e4a62cbfcd7b2114e9e5527eb4d892bf298fb5d6d46b4b726af26ee0f425661efa1c3d1409b7b92523c5f1aa4c66759ed9c8c6a62d491c95706d71561155bc4ea8940c400000003fd60981188c725fe46d91b02c13863137d918efea46b909a088e7574346810dc5f71ce48a6e311b4e9fb6fc0d3398728c43b6dd367b7cf980bc530e467f2ed4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\stripe.network	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\trackloft.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\stripe.network\Total = "14"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\stripe.network\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\DOMStorage\stripe.network\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "292619201"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://trackloft.site/itb?sub_id1=297
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:3996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3996 CREDAT:82945 /prefetch:2
2⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:3492

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3b3b055 /state1:0x41c64e6d
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies data under HKEY_USERS
- Modifies Winlogon
PID:364

C:\Windows\system32\atbroker.exe
atbroker.exe
1⤵
- Modifies data under HKEY_USERS
PID:752

C:\Windows\system32\atbroker.exe
atbroker.exe
1⤵
- Modifies data under HKEY_USERS
PID:2880

C:\Windows\system32\atbroker.exe
atbroker.exe
1⤵
- Modifies data under HKEY_USERS
PID:500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9749B98FBE8668DA06415B7D59E68352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C65B8FBF5FA1FF1A814B758E452B1A52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9749B98FBE8668DA06415B7D59E68352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C65B8FBF5FA1FF1A814B758E452B1A52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5UPFW6I9.cookie

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads