hxxps://exe[.]io/G08l2Ha

Analysis

max time kernel
53s
max time network
57s
platform
windows10_x64
resource
win10
submitted
18-10-2020 05:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://exe.io/G08l2Ha
Sample

201018-1lt798wx1n

Score

8^/10

ransomware bootkit

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 88 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "41203"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\pslfive.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "17"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "138"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "104"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "191"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "199"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a7c315354383b4fae429ebf626bb805000000000200000000001066000000010000200000001f3bac15729aa37aa159b30d2168066656833e9baa98f6d3a4392a54e010cde1000000000e80000000020000200000002823baec2412822c12b1aef0b0e9c52b3e9ca21977982f226509683db757f6e090000000fe5f2ab7971c121f9a41ebde30c1023a1bcebbbe8afb703402e624cefa7d8fd6ddb8466ad9b4a29378e76f08c116e552af64b62f00cb97f8b46357390ca7c4d022b98dd5fb75a0b6d1626f919022ff0168dd6e817b02ddacdc04b7221581bdfe73a031729873fc0394ce382241a1020f385f688b5aecaa1ab73d886eef6c4cc2c050e37a79708ebdc9315704a1bd09824000000075a5f05d55359632fb2f856f80b8791c2f43ba94334fe22fc3cf406fc05cd74cd9ea12b8351faec4b895076a8fe495727db8cbf36ec14d5d3274eef849cf66bb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "35"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30844173"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e019d23f0da5d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30844173"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "35"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "104"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30844173"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\pslfive.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a7c315354383b4fae429ebf626bb80500000000020000000000106600000001000020000000a1e0f7f7737debad0acdbe1747f97296fa76fe50b34e42d1129a0b3ec83c0aa4000000000e8000000002000020000000af5d6a60e4480991d5e1b980d9789bef2057b699fe934962a1e83852f982f8809000000070c63a306dde4727579c52604e1f50a26d9ff8b7928781c3869a8a25a6b4f654a71488480ac838b4784b10a359a8d7bbf269aefb9f2a080def8b5bd5b465571ced30000ad53a5cc0792c381e66f9899c1a947943ad96c7694ae5bf22618ed8542e02977d15695b6dc403e2186bbb7654b4dad2dc568c6620868af0b8728e0436d0662a7599da2e38f641a5bc2cf82208400000003d5d9bca3ad1dd0109d9700b6cacfe32d1a4267a52d47544385c311b765b7c9a323811f1b9c93845fe50f376d6d41ba7ff22ec6dcc574e9e68012a97115bb46c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "85"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "85"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1349838865"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\pslfive.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30844173"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1358867958"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "17"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "191"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "80"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a7c315354383b4fae429ebf626bb80500000000020000000000106600000001000020000000157917364fdd8d8b870008ca22db3f0a3de959735e62f4f0bce552cccfc8f3ee000000000e800000000200002000000021386ef9c4b6bb30bb700846a56cb4905aac65e5b2fbfb72afddf32e395d17922000000046e5daaca54569a1ab60dc15b7eb364a2ecaab419da14b684e9c40d1230be6a1400000002b2be1afbbcaf14bb6dfd03cbb2c502227a38f40d02fc7263a3cac47731cf9fc7b0d385e78b264c95a9c08db413098f68ed92086ccbff8381455a41c5627da94	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\Total = "138"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a7c315354383b4fae429ebf626bb805000000000200000000001066000000010000200000000be26c3d5e37fa614d54aeb90ca83255484d8e757610dfb0aea45d101ee20fc4000000000e8000000002000020000000a2ae52608d75b56aeb66468c2ed83bf173a13a28f40efc7ee635c456c5e52c9f2000000037e03811a710a380b6fcaf8ff4f8a192ce1bbe8fd84f66dd53d49abed2c08525400000005dc718e6deda15ffc6dd5e66d198d4762154e836fee15dbcb2321e34c5a1dd0fb5ca83e9dc5422c726472624c8e5656d2f00c4f3addd6b44807da7c7e5f17d36	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006d4b440da5d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d5e0410da5d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1349838865"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "41228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DOMStorage\boost.ink\ = "41203"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iexplore.exe

pid process

720 iexplore.exe
720 iexplore.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	pid	process
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: 33	1728	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	1728	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1728	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE
Token: SeShutdownPrivilege	880	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	880	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

720 iexplore.exe
720 iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXELogonUI.exe

pid	process
720	iexplore.exe
720	iexplore.exe
188	IEXPLORE.EXE
188	IEXPLORE.EXE
188	IEXPLORE.EXE
188	IEXPLORE.EXE
188	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE
720	iexplore.exe
720	iexplore.exe
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
188	IEXPLORE.EXE
188	IEXPLORE.EXE
4508	LogonUI.exe
4508	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 720 wrote to memory of 188	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 188	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 188	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 880	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 880	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 880	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 1728	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 1728	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 1728	720	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://exe.io/G08l2Ha
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:720 CREDAT:82945 /prefetch:2
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:188

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:720 CREDAT:279555 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:720 CREDAT:82965 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad5855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
52c8ff8b999c1449aa14a11ab1bdfb6c

SHA1
8dd131a76c188b5e5f5e6864995bdd5d56146725

SHA256
9637cae37edfa438df0ddda51c5c2deba138d8548ffc415ed56d5abb902f15cf

SHA512
bd727851f9da606eefd98665ee814c8dd268660aa6dedd65f775dc70fd466a3ff5618310724a23aaeb2388d65c883de0da302c997ba80de6ffb900e1c7365944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
MD5
f2219af60c38b0f20b395fe1a1b7d869

SHA1
2eadc4b73a1a4c83226a5f461e1883302a486f18

SHA256
e8c961a9213e3fffa7cd32738b71519f0942b28ee847ad8cf12a37b2d0acc8da

SHA512
a4d0c93b71f090ca12ceed826aca703e3a6b3b4d4ee12f7402d03093afded68504c42b29b5f03697363c95221e3d20c1040d2fbf73d44cbb69515b0983d83f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\985638E3396C7EAD5DEBE19986721111
MD5
31890f5a323de0405bade6e866a15f16

SHA1
4d7dd9ddb75e947030dd102189fec9542303475b

SHA256
46c08638b7bdbfb18423876636985fbd6906cc1ab5ec7c940cb1d67d12e4cee5

SHA512
eecf463a7e0ba029a767ae8d58c18ccf1c1f79494c3206bcb38b88b59205391016e6b3bd1f0244f1243253f5e631dc122af6757800a81428e0b4fe64dae07fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_4CE4BB8C426519B73134CC4FDCA3CF18
MD5
06b27e980b784dec44f131ea918ba91c

SHA1
51d1294100fec3b47b871239c8ad8d312538be9d

SHA256
71221cb60083a7d82263312354eb818a8886ed1c96e15e2199e145469535144c

SHA512
69a99f2211294c4f58c9dc79863b8f145c6899980b6c90b991d116082b8de0bcab6eb4f40548e41021ca89c8cc7e91532dab7163fecf20782221acf00f1d2d60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_9AC54A53D6194487568A290CACB65693
MD5
471d0b64a27701fd06a7d606e29df33d

SHA1
6877f7894347bb4399d0c07cf6f85065c7b65852

SHA256
7127cf4c8963b84235beefcf025e8d8b7f23d791f3e8ca8daa1cf3c6a91090ab

SHA512
c53e1cfaaffbeedad1e49ab77fb2f593ba669ccce62b58934b9e8576cc0a749cccca61e17f9e0f05f8b08ac29e183b1dec7699d384ddc8a72cf7055ffe00f614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_9B93F88D4C2BDF032D22CDB4CEF431EC
MD5
0c0469fe80a53fabe7b3836fd3ac6390

SHA1
261c68673a94db9a3f6fd6f6dfcf8c7c0f150b77

SHA256
cdf59fb94c383e7cc3949e534074c2fd32e1b96f7d0b28bd8fe07bd05e356200

SHA512
96f7c9fb2b5815a14a6f6f92988f61ea3458dfb143118da6c9a24bcbdf1656ef3f6e6af4721199899f5f34ad9acd5d9408596f0f8bcf7abf1bdd1a34231aceaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_A1872E4030A7E59C7ECFCEAE8F309D81
MD5
b0f11abf62855b7117ba7ad926f45c1e

SHA1
02d09988eb9604a80eef94d8c4f562a41b52cc8f

SHA256
7891303c15ea5ef83849d4553fa43e3b6e6d29f3de1ad06ef24a54388b7aa0fa

SHA512
aa4d06d22d3fb18923341c132204085d4236f658a17a3f17a25c982d7aace35ae885d91537e7e96831ef0374e06253c8a5ce723848611f58dc50b224d6b4b6a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_D817018246CE39F0C5C6AF92283EC926
MD5
991abcdb90dc478c4558137ebde4d7b8

SHA1
c3956c61c065196b2d319f8e7eb56e48d085450e

SHA256
6aaa150cee590b88c8502ecd7eeab47d1f8c14238d405822c6ca75ff83d3683c

SHA512
5d4eae77e2fe6d5fb2b6756eb4fbb11093c724c8a2ebf7581316c6025f2d910d52b9c56eb34d14308364a0eb000581b0414c4f681bb3af2d864922ab21c313fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_DC3AA751EB10C4A368004D20694D9954
MD5
75588678716c8c0b5c8826da069b160c

SHA1
e3e92add8008ccd2232567cecc7551b949c428c7

SHA256
500feea2d0347fc30dd70248c868f937258c3b216aa1cfba33f942718e22d80f

SHA512
ef685a5556f130261cfbe03edbf549717d817f7a3cee1ea0fbf6c945d53702f4d1be332b05e4da4f6e671d9195a4f38efb76c6d08200ffed5b97da320c1f749e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_82315E7977AD1FD70B1072657822BA2D
MD5
5d877137c4a36db5d804ec38669dd55c

SHA1
359c8dac6607345b61e630d639fadd8640786941

SHA256
2a7ca945e48de3022bd9dc31d8740405370a6f5dcea7547f76b427fb422d87c2

SHA512
75f2e9c2bd819c665eed6de2fb5403572c7b4089cbc24ccf4e57cae3fb09ea02498ccfad078ccdff4c5425d07e4b92cb2f5c9e2d72a4800cc53099ae5cb927b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_8EAD27B819DF8B4C5C4FF19A4C07EA80
MD5
5d744d2df39218c6b5b5244f0cae1f67

SHA1
3c73755aa896aa3af8acc72afc0a03930d0f987f

SHA256
37b0e10bf36755ec3cd407ecb35ec2575efa3b5ab367b51aec4e4074357a9847

SHA512
fcb76dabbf6b8a6fda6612680bd2767fc3df4396da67a28e0278127ef42773c33a304f26c8cb897a01f2de490d855daac58e18112b6dfd9bb56b9978131032cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_BFABC00B5A466D713C70823C7F9DE3B9
MD5
6e1388dd6fddbbffc7b450f74a21982f

SHA1
916a3f70d41fda516c82dd38ab0f39ad1c14c2b7

SHA256
1fe144e39a92af11676175e380b2a584f820c92a7fc39d209e37a51b83a5546b

SHA512
03f6618c08a8280e16c431d76b10daff21295ed088fc1d6a2fd02cd0193560357ec6a40785fb939b08a28c9aa6778e287ed18cec6fd3936911b4e02b587392c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
48d7b88f7986388169c9f46bd8d48050

SHA1
f34113edae5d2fe7046d9250a019bc19cf6534cc

SHA256
679a3247b5f50991c3aef6f491cd5a5b0c55f11693a886f6a7cfed811f108cc8

SHA512
fb43568a8419777a45ebf4a6325e3c256ce0c464fc9ecb88fd924709aa0ab2b631c027fc258e66e1fc5616f4d252029d926d31b29c445c8af31e4aa70fb0d21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D60B8AA3C0FFF74632FE684DBBB6CA9C
MD5
d8a42566d15d664c9b7fc6c6046cb0ac

SHA1
fbd3c6a0e693522f65ba42ba62fb6512984c7546

SHA256
a36799e05f6f5d878e647417794c09c7c54e20649473a09d749ed073707bd89b

SHA512
d0045d49afd9d489f2eda723c559d985aea48329e64f510f881b899934774fcda866595b60e78e8b541a63932e4185d0919308022f408c91c9dc7086afa26604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
af315fa1a389d30310d95403d7dc486e

SHA1
f72ba21e0da6f935f8eb2d15a00a0fdc06f4e9b2

SHA256
e080e402317de429dc4a761928298d49107d3d7cdcedbb0ba06aa90cc214c501

SHA512
88b1fb72d2a9801300f477cb1eb8e4eeed2feb709095b03b9e82c4efd473a4c53a744dd53902a1454475e4181f95c34d6ff1bc19253c2de0cab7724a761e24c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
4377a762aa0650862307fdef10441972

SHA1
6cba75b376d6674344e783159ac3fab940e7b19e

SHA256
0ad082c9eb4eacac4f1128fe14396dc07ee2c0423e708d534fd9680203bfff0e

SHA512
20ab7ced6f4361ddb270db3090f57901536c395a540e484d75b0d2da31ceb4fa83b55af89452e61cced2f4bd8935944a66edf462c79684f086b1e9dcb30c3665

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
MD5
394c6832f902db0aade24211cab77e50

SHA1
ac46c6b8140f32a75b0beaa512918dc3f045a245

SHA256
5cdf28da0df0ffacda3e39e8a9d7a3bb15eeda28405d9b6798e7ec77d85b5df6

SHA512
ed2cb6028bf43acf4dfce7ea9be9fede9b09fbdbcafdae97d0b6a75d82ad27c68e1739f686e90be22152479ff919322752497fcc2754b4c252b869267a6b3998

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\985638E3396C7EAD5DEBE19986721111
MD5
75ac8d053253f36268515ec26cde9461

SHA1
4d3df5610e2d95a952ca599a07c9589118ca404c

SHA256
6ce260503b770994d130179bbe8038ecfa93454ca4a62a684117b8fad2f709b0

SHA512
5865f48f16fe8e5fa04e7da5cff417342d4cfd171523bf1823aa55c54184f74c24f84c7077e60bc3cf5c703075beb7484a499b7ed44bb9ed7f0ee1dc9c60092d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_4CE4BB8C426519B73134CC4FDCA3CF18
MD5
e68a2f86a7d3dbb39dfe1667a2eb1b36

SHA1
f429ab361b2ec62122b3404712e4585eb05a986b

SHA256
b43b6a8979848b55edca9af2541d31fbf1fe6fab4c2d6d606f6b34f47ac4c5dc

SHA512
97b12ec2752aca24e8c6b840fe1d1e231918d6a382b7ba09877772044ffc23103d999b7fac210342e7d7e83152a82d6dec7fa0edc3a2e9b8667493f56e04170b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_9AC54A53D6194487568A290CACB65693
MD5
e22662ef65e130989d39ca5f2516740a

SHA1
097db095c4d329a1266be70b4fbdc239e5057034

SHA256
57e8d5aa37c67532e98af289eb9a3db52f32b3e238a9204618cf980bfc3b8d8e

SHA512
5da26d054c6e5e0499d4fb210b1be2753ce1b541b2656605adb9aa27c0e8fe1e5f9dc77371fa59b823c7dd37569d8a1777c0aaa146a0d25f15202c57f9059ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_9B93F88D4C2BDF032D22CDB4CEF431EC
MD5
341b0b42211d04720b5b11b9fd2be2e5

SHA1
73c8de79eea3d809e68dc93328709b5191b3f028

SHA256
99ea85734996753e9e93e4828424270d11e757a6f21746faa5925ec57d22c5ca

SHA512
15f92e132d82e9f3a36e034cfb74c676b9c51fcb92b40cd38fcfca7f10e0bb796d3a40147fea95a0268fbea5a162e444f66045d3cd8e14d9862034c9bf109e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_A1872E4030A7E59C7ECFCEAE8F309D81
MD5
5e0d6a702d32372139806602b6535bc9

SHA1
e5b0ba090ed34d2d7a704f3558324c6cca8d9326

SHA256
7a6fea26d3e16daf184b75250b2e454995fc9bf0cc985da594f9b4d9e4d71e5a

SHA512
cdb8894461599807c1fe914e29bf54998b675bf888b14885158b95e6b5523a56cfd874e1817c62e28fffefbff33574e9e6a10a07a2ff7ebcaf905cf1cf06f142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_D817018246CE39F0C5C6AF92283EC926
MD5
f4c074eba13d6c74a83a95be5da7ed41

SHA1
0739b54aafea1db48f9b9e9cda5a1db2552648a2

SHA256
f328882757a89f710dd89137a70630e5dd1d04c79b5fc530e56850b7837428c9

SHA512
0c7ddc03599ec9dba8f478f1fc2b8510faa0019099aebbfab6c0276b41005c93f53c38874e04ac99d8605ef2ddc87f763d6243019462a01f590b5a7e11219752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_DC3AA751EB10C4A368004D20694D9954
MD5
bdeb48c2526dd0af60c26e55e7fc6ecc

SHA1
f155380a93943b862a98adefab68ff7dadb60a01

SHA256
0cbd91797c504502b9d8c3567746fb9bbb12ecf0ee55ae83d119a36b428cc782

SHA512
63681db16eb6ba26e32fd3143dd0adb1b958bd8fe7b3fc9942efed3280903de8b3b1f54467130d6b2595b803b4f5135c6baff97b1fd9f70bb520de3dcf7054fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_82315E7977AD1FD70B1072657822BA2D
MD5
a9ebaddce94bcd7a7d3cc24fe6dde1ce

SHA1
0de05208a43b4778dbe64dc289d1122093fa50e2

SHA256
d123e9a52f93709d7e029331e38542014ad6c367a90c8a083a20d50abdb12f0d

SHA512
28864a709ab3aa7f23d3532102b833ed1886012e3e6c816ec0b0ee7c79da49ed05a3952cce72778583e30194a2e4c07ba00d234849d37c38a2304b439d02a076

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_8EAD27B819DF8B4C5C4FF19A4C07EA80
MD5
6cd206e899b5b002065fc8f8fa1ba6b2

SHA1
641602ea31cb2f12f9bfe73d224503bf8f82166f

SHA256
14d9d852d87df08135c209f9c8f8c5f5422651abd811781b8365acb52c808187

SHA512
93ceff0761fc052faaa9cf716abd0a873bbddf03a45ca5de8673fc5519b7779cd0b116f5ea94d6d10b7c28bf86170a6b740a58de1360adab9d7b0d52e3d2532a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_BFABC00B5A466D713C70823C7F9DE3B9
MD5
b81f95121be07482a26035773189cadc

SHA1
952bfad57657189aa72ca8a82de5e2e0300970e4

SHA256
eb768699c1ddaf86d2f18dd78aaedad1ced8cb70fe5586fe1dec2af2abfb37b5

SHA512
bf0e9c3acc9bc5b6847d7d251b0af54d8b6809bf25df4a4cfb30544e1c415bf4c56ec66829b258e6de7ff4ed11afdfefdf90f6bd4437e8d0962d452008fcf0d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
efa8248f898d2728b04ff0014967c3ce

SHA1
cbd5108a8361acbde56a085fab99e29dc81ebd41

SHA256
db50e8716ac844521632d4ffc7eac8527ffb5dd19768d916521dcc3a231fe7be

SHA512
a047d4835ad75c34393bfd5e863893b7c77e92d2e45b5caaa5d624501bb015a586a2920e2f8e8cc43d01ec4864d23d2fdf13c023202e84fc127fb7ebe68b28e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D60B8AA3C0FFF74632FE684DBBB6CA9C
MD5
f411dcf978531f65d69db47509c340f1

SHA1
2b5d87f6270bd2b066e7487090cce494e46f47fd

SHA256
2b508e489bb133be6fe556d1e388624a5d7ac008cbea082e63a4ebf732d9e14f

SHA512
6a53b787d0138a29a583f62fdaff91990d28a64835a9fe1bca9d8bb6980dd697b9786de0e092b3930279b1bced4a535dc7a628b95fe5ece4b9127deea209d178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
5ed65aa4f5772624c854bc60ec5cfb7f

SHA1
dda7ec1c3cb8c5029ad4a3435dc7d85c66ebe45d

SHA256
5797538191ebbd593283d9d2526002e70eb85e9d2f52116e8798cc813b23c67c

SHA512
3ad367b18039073edf94a5eaf507ac0108805e114d8f994e187bb4e01db296bbfeef8e26cb7a3bb7d049a53ddb224a044121204db2a13c4b08bf5a3a77951fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7ITI1NQU\stats[1].htm
MD5
81afddb8be1b42e6e20e902917e7ef23

SHA1
4a45b30ee46e3830a61c836e585c842b331aa167

SHA256
6f81a545483073a19516640b7326b868e991c8392d34efc06cede216849065b0

SHA512
2ce37f93b4a3425a298d1b76065c6312cf18625f557d7be938af5b731f04f4113fc1872a2d8460adf63ac2b9a58f756e4ff3bd04ca0a2f937f7d0edc70d2b915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\42FSEXNR.cookie
MD5
4f1d9f1406958ec8499ef13a5c38eaad

SHA1
f0b8199d850a37acbb661198d10420a93e316487

SHA256
55d1b8168a0a9093676861e210e0a28761a01ecd529c3b3315f1ff541d84cad5

SHA512
5751bb86b9d959e275eae4c006a692864ab1d4bf2c3baa15c97a26a0988cac30a009c81ae78ff8ff93df7f1fdcf7b3f88fd6f60d959883c47e34f64b5e2ed28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6FN8SWO6.cookie
MD5
d73d39c62e6f6eaf455135429855b841

SHA1
9209c3ea90b676d42251397b849f4fac0df70bc3

SHA256
30fdb537a8ef2428c10ffa96cfff46c6054aaba510d59881e146b2729d562ec7

SHA512
ee35458d4c5ed7214304ac1ab482e950802daa1a12f9f702f11f39295f03b8ed06bf9be3476f18c33c420b21b11d8b6aa12d07946606907db36fe7a5e3ec1720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9T8XIFKO.cookie
MD5
1efdd7e40e10e6ef94abc95613428e73

SHA1
beab7a15360e4e6e3c4b703e08740bc913057d61

SHA256
a06fc8c4749b06a9076b1999b67a579d808c55866a5a74572cfc56ca547866d1

SHA512
bb8985290e1e0062539309aee5e727e670e61b9c900dd066476a8bf85fe4f6c22d594823b84dc1ac927991a22b26bd66b3ef4626709c02c3aa04bc0396526328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DW13E201.cookie
MD5
371ecb1c1fb792798413eb50f9d8ddd4

SHA1
c535c2e19059e21af2079662ce616d99da1bf22b

SHA256
1fa2a76ffca9831ad2959f3e0e30c37c11c7e91d9a41e262ab3ef4b2ca182185

SHA512
d9fbb5525f6eab0d41cf8821ab49de74108dbeac20d265d44f21f915cc25e00705e70cf3e86066f250fd13162afdebf52304d77ca7b41cb365c1916b9485985d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EG1ZL4KB.cookie
MD5
a0b945c5298225051023cbc1685c804a

SHA1
3d54b5f8f7f84550b7d270ab31994825412cacff

SHA256
a0ee8be24fc2f0768ef9fe48ad62a5754ed9f74677353828fa99cd7ded562675

SHA512
af00b871747ca7044240ea2e4d97d20451ef9c1693df76548139d89857d232734051bc53f0a89ea52954cd88b0734cb1d241f48028cf6d0529059f3a1b15d84c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EG7O5V0V.cookie
MD5
7568021a5683948e987a46bc320c7280

SHA1
336ba810cb54e96cb1c757eeaaa6f3f30c722b56

SHA256
88cc55d740920d2e062548182d719cbb9d4655f3616ab2ea7c9d87344aff860c

SHA512
8b065d694836dc632e653781be6c388005bc9783c1977731c4086726cce7bca10e8dc99678e5421cf7093c58ba170a5c10af70e33e75bdfbd5b9f7608b2fbf35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q5CODGY0.cookie
MD5
6d4afa7d3e4c4956a1bd7f76accffbf9

SHA1
20951f8bd73a0f6995e3f68ab4308c0a9d15fe3b

SHA256
628cc62d33681c7f5b990bf52caf4c55f06269452038a79b40612b2c758d2eb7

SHA512
09e93b8b105ceba8d6c6287329ed66460aa6b885329301aee90a8f04140ae41160998b70aaa386eea21cbcad7e5e740cb7eba9275970f405079aaa866d1fa71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q7NIQOW0.cookie
MD5
8981357e44bf5f87ec2a7dd90c53ab08

SHA1
f50642e56d4f41bf9002fb07139a48b94718cadb

SHA256
19b0cd89cc918b2267e2f097205cbf0d0b9040e54454ebda2ddcaed29aede5f7

SHA512
d1d9a29d351674304dfaa6182df7a6be5532fb2a86a403c14a2f32fb24e799b50992bd2cbf702127ddce693825d339fac27e4ecf91f0cfd09060ff9f15f7b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SHODE994.cookie
MD5
dc95ec7673d0f4cc266ebc61acf9f6c6

SHA1
bcdbb7d621b92a8bf862999d10bf06ed7fe446a7

SHA256
886b0a25f42f4194556e12125c33ba9707d08355306524eab57cfffada9233b1

SHA512
c51df9a02f49571739f7e6999db60993b82389157d732edd614a3a1bc59436cc006e867d7dae71c26a3f04cafaa4d4779715b9b11f9099bbab97569b46fba632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TT80OCJO.cookie
MD5
e3aef7a6242d5d2423f34a9da8350508

SHA1
1400b0f07ba721f0e1e291deec7b6e5b311186c5

SHA256
ceb747c74e82635d953fe8a76c03b6318df37b3dfceec0094919a137244c06c8

SHA512
83993fa4da59400174ec50262309b747ee28a969dc28822ac2964aa88db345969e4398f942cb23b8dcaa3496ef4ce555ba1e436d5100172749e28a5b9089089f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UUKIIKTB.cookie
MD5
abfec18ba22eb11816b12b8df20806a8

SHA1
f097e09fce9878e988eee2e8a40783e48747dfb3

SHA256
a9a7b9d790f01168950a93d82ef67b80257a237df3cc77c0d2bb854614d6a29b

SHA512
d08f66444e6ec24b40de920faf0b5bfdeca2a1e8759c7e4381df5c334d331f2746a5ecc6ab771c852089ce28b94d3f053edcb3b9b083aef2b9b19969a58aff7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\W9XCT4Z4.cookie
MD5
ef5cc3a87751a81414414c8e5cb577d3

SHA1
7cdaec004b27825e034c263b916bbac9bbe89ce2

SHA256
eb5458a70886cec63b216e927524e9dfe33f3b953c95d9b1092ca450bd8334cf

SHA512
cbdd59e96c3decd4a59a6d3f27b8a433df4a3ed40cdd74750da62316fd8db741bb384c7522265aa3ae4fb51e07e7c57dc5ec8b7f01586a44f0baf0896f7a29cd

Download Submit
memory/188-0-0x0000000000000000-mapping.dmp

Download
memory/880-30-0x000000000A630000-0x000000000A640000-memory.dmp

Filesize
64KB

Download
memory/880-32-0x000000000A3F0000-0x000000000A400000-memory.dmp

Filesize
64KB

Download
memory/880-12-0x0000000000000000-mapping.dmp

Download
memory/880-28-0x000000000A3F0000-0x000000000A400000-memory.dmp

Filesize
64KB

Download
memory/880-29-0x000000000A3F0000-0x000000000A400000-memory.dmp

Filesize
64KB

Download
memory/880-31-0x000000000A630000-0x000000000A640000-memory.dmp

Filesize
64KB

Download
memory/1728-51-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-45-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-52-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-53-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-36-0x0000000000000000-mapping.dmp

Download
memory/1728-50-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-49-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-48-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-47-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download
memory/1728-46-0x000000000B7C0000-0x000000000B7D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads