Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
04-05-2021 15:06
Static task
static1
URLScan task
urlscan1
Sample
https://www.alldownloadss.com/br/
Behavioral task
behavioral1
Sample
https://www.alldownloadss.com/br/
Resource
win10v20210408
General
-
Target
https://www.alldownloadss.com/br/
-
Sample
210504-rlaa8zb8qa
Malware Config
Signatures
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884103" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "15" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "5910" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "5942" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "40" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "66" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "118" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "199" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\alldownloadss.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "199" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\doubleclick.net IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\alldownloadss.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1644601243" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "66" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "92" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "170" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "15" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "144" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "170" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1611007743" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884103" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "40" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8AED28CE-ACFA-11EB-B2DB-E2597A2395CA} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1611007743" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa000000000200000000001066000000010000200000005675ea357c13555c931550977e32cc5de2db3314696a9ab33406da9429e7d480000000000e80000000020000200000007da39203b4d22d6b7f8520aea2f1d7c789cf8c80dfb803234854f23159b885d1400100008a08a279b009c7241d74ad05022cb0c55a535a5d223a7fc7b2fa232cfde0996889eb2254c0a0593b9b0e51b4127f26fc3c828d7f0bdbe9f646d492ac57dcefdbd3994f88224a6a6b17b261ae46f6d309697be13a91135d4b877ab699273b97ad9f8a7b43f456e237b0c1adbe605a4ae5454d1c1c373be27333fe700528f696fe97f9ccc308553be39d5bf5fe498142c85929e521a53a35285a011e5f3f2a2c10fbd850442ac9e93de0df2bd38fc9b24921b966cced568cd208f9ba34b88f819656a4f1e3f80d91aead334f6d2a8312f4727d7d2969262fb6cde07d8bf961ebb9a14a216c88afb888312d19b81cfc00cad202efacbf8be76e176949211fb39307895c0403b4a8317981db5edc2a2dd55c45dce7679f96d884c269cfd736ec9f5b0801c6fc6b4bab14cff8657dc5f67bf81234a9e0d713a01a6b9c0a94c0b4042840000000a0796e855659ad08a5a15108a09e3504d00b80bacbe08879b9466f8825f01d923e993511b17a10b7becdc56c803388176fb33ad5f271a07ee806274b094e0b6d iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "5994" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0209a920741d701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326912742" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa000000000200000000001066000000010000200000001ac33a6a614b3367c119376bc3d78c972548025a4b2cf8302593d5488a6b7312000000000e80000000020000200000009262963b1f682fa3daadb947954bb24f1f7e5fa891f3bc58911db3f29933982020000000df42e7bce53d1dbf1b7a2e57f81f504a6f1dae9c20c36b825b20d8c98c1d7515400000002475b6d5509a7f53057e062aaef5afd9a33a31d23ccbf3fb6576ab1076fb79c47c804aeaacb7d9f34b2312321bb262b3e4076660b1353ef1ba952a1149feb88b iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "92" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "144" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa00000000020000000000106600000001000020000000d4b3ebd9179bbb1edee7c2c0d083b17e147aa92923483134146063ccdd248b5b000000000e80000000020000200000004c142214257f6bbd144711c4f608815b339ccd03eabf79c323be182fdb93d89720000000b41b7dca6d9419dc94dacc1d5d4be86e20174c5e356ecafa554fbc7dd3804d7d40000000339ece96c00b43a7a6f98aa9e7445175f2aaa1945c271ed04baed20d08e448f3f38410beee9491cddf5a5c44dbbad60268487a7163066e0bda42097926ede5d7 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "199" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "92" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "170" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "231" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "5910" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "15" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\ = "66" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "231" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "5942" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DOMStorage\convertcodes.com\Total = "5942" IEXPLORE.EXE -
Modifies registry class 58 IoCs
Processes:
IEXPLORE.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80d43aad2469a5304598e1ab02f9417aa80000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 564 iexplore.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 564 iexplore.exe 564 iexplore.exe 3940 IEXPLORE.EXE 3940 IEXPLORE.EXE 3940 IEXPLORE.EXE 3940 IEXPLORE.EXE 3940 IEXPLORE.EXE 564 iexplore.exe 564 iexplore.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
iexplore.exedescription pid process target process PID 564 wrote to memory of 3940 564 iexplore.exe IEXPLORE.EXE PID 564 wrote to memory of 3940 564 iexplore.exe IEXPLORE.EXE PID 564 wrote to memory of 3940 564 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.alldownloadss.com/br/1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
fa08f6463ef7be976f91339d5c800cd3
SHA18f179db874997b62c87d6da487a4b3a4db332a50
SHA256c9b2bbc388046f9e34ce5b00e7624956916650f0b4cc4db3ce9f3ee2fb024af3
SHA51280424f97f0a2b9244a378c0713de0143e7c9165a6545d706c162b6b0554b4c7d012f1f99668b6d1edf098a7190b456307e7ff88241c61c5dbad39b58369faaf3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
f0704d234d472b13e856f90d8649806d
SHA18b7a926407506c3c3741ca3ff709986d5f1a2387
SHA2566c3cf8e4e67fb4ea86c48e918d6ebdecc2b4903553798d1e0e1fcb73376105dc
SHA512a1cacc0dd2b0f4ffdf082980d288e98c493a6581f09265e13b9f94f9efcc7bb4300aa7346e533761315237038990646d267b0b43ca2e71fabd3c6a9d92ee93e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63MD5
31490d26f782bcce7dd586072c9931f5
SHA1439e50faf905f25891c349117856afad72ea4914
SHA2569e6b7d47d6d658ae4c663fd786b238ef0272814b56ac0a82333d916a139e5510
SHA5125a921859583cb5f09c05a815e34f581673b3af8c49933832384f484c136b88e68961d6f2f8814cce85394bd0eb84c7ad83b4d7414a492af3e060c12eebf9df46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
10987a1d727697d22e9613985bf39eba
SHA1d92fa559cdea14bdc068eb5388f4a8725d9d290c
SHA2568c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063
SHA51231910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
21b384ab8f79242a8b66c0d2bcf28d14
SHA12c0a75ba21188dfbb1e5d26361bb7f4ccb5f1c3a
SHA2567b4888ca877ce314415b04b92dffe7acf5f656b99908c9c0e174722b2e2386a4
SHA512a3210cbde79ef024a5b17526b51f22c2ae86b03322e8cc06d8c8ad9c74d5ba7aeef792498198f21d43785b784f463126f686fe14396aef5ccecab63f61530e7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
df2a71fecd9d60f1bfdaa9cfc5f1bd6f
SHA186e3dd63a64e6813b6d2022738dd1eaddb38205d
SHA256c9f6f9457b26b44b6b45a55652307c4e458c2fbcf3104533f0f219f3258901ea
SHA512126b81a85df9c3c85ec452ae6f3ff640de3516ee781d207c281d7558b0a2a6a053c52a705bc97accefb3bbf2c4399c56f122a00d11171f6cc0fa3c292c79e27b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
7160aebeaeb28b9f4f6576e6f59248fa
SHA1745d49a38e51e2f7f5000eaa1204885dc71b5e9c
SHA256b1410450143003da0b65b4ec7e32b0db7415f885b736161e8298ceff07f710c0
SHA51246fe4872133fd3b52d6d97fe5e88921178d4fb8ac82427222d2f088fe57a47ef70c0bfe41f5476fe0f2e9caf5c30085808e7ed41b0492680544a39575ed096c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63MD5
e6aed4e0510f62d31cf5d639dc3a099d
SHA1473eb9943fcafc5ffa415f0d0c9d9413e1421b7c
SHA2568b8eef02cde68200f8ba03ea8f183c722d179afe981bdf88ed9d6388f0495206
SHA51265b6b87a90868e929d53ccf6eb19df74f9f2b03ebade383dec7ebfe37c6b58fa9683e29f30db2f7d43171e8ec2f5a51fdd882164530271da516fdeb69eca497f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
7b5a8c499b4849c5860c392ce000f06e
SHA16cf44505ed213a615636ffac39a4ba56b5c09159
SHA256b5eb69d22597aa4761c36e24831bdfdc23fa3b316df059c13b62501c0d9d158e
SHA512510706804ab6088a4c73e130322d492f0ee6a4e11da839a567700af4f13b9ca1ce46c2a4fd3fd8ca280cb59b119ee8e9243a4bff78fbed7655559b69680ad70a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
152956534dda796246c0ea6cc3b18483
SHA117a5e91b8a7ba311091cec0b94164618a6a84c76
SHA2566afd3d16e9e70d4ce836bbcde00526cdb3272576c863c06d92224ac971cbc4a9
SHA512fd2771d9547b5434504b461bdba7bb8804951c1b634af253cd6ebcec416bcaf903e021f38f64159be00101be28800f390a5c406739b5c23c7796293626c7498b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\24GAWDHR.cookieMD5
dafc575739546185fb81edeb0419e180
SHA11f7830ea91c2e6ed5b6cbed618307f325c1bcc84
SHA2561c0988f561aecc21d8168927f7f448db7321be625d6a1f5d67dfb2a6aaf76d34
SHA5120dec2ff8f48be250526bfafd03a2896b97da5d468b7b924fac99e857892a1f3eb287007b70b70cdf2ea281e4942ca5f6f8e7f9a965674535295f145352ca494a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\L8FJHTL8.cookieMD5
7bdb1398b02ee15fb5481995d3c1442b
SHA1dca8b0262447e9c538e95c301701b5364bcfcbbb
SHA2563b610552cbe74b1aa1980234cead00a5f699fc9167a3d097f5faa4e9277a7e5e
SHA512304f9fe8e10807ca32120a06d64e93d040c05d13f1e39bee8b4ec5d8d8cbf5bd129fd358e7592fc25c7ed24ad88d2a250c6877972912a1b4f2a76a76a84abe7f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O66QG05Q.cookieMD5
4293a7e16fc1e24dd9e14831b9648c85
SHA18e4c2fa903d3455ebf907b7ea16eef6c964ec4dd
SHA256af489ef9d37e0b96763c2c4deecffe7893eea0fb1a5846db74b38e23686cbc86
SHA512aa05e86e26d03f2440f5a2199bae10cbc0bbf21e887b13f169cfc8f03bf84a1ed18080d92f80c6f71d70bf62c88ced410335cf48c48753481730b81cef2e6006
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P27SNVTL.cookieMD5
449fe8b1eac09f4d3de6db3785f51626
SHA1d47125ca935db2d41dbd26858046df4ab0883dca
SHA25693b19e453a3c21f76a40a4a785546ae1502222d1a368ade9c3999194c7bba044
SHA5129b0f3381428ce59c343b448633d56a8c1a1e4897729d772e458d7c3b9a70dcb23d12d89039e78f563f9bd47b60d68c71c2c8ffb2b3f165d4b787ae33e0dcdb9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZDPU4FQ4.cookieMD5
1a8662ed71093987057c427aa08183c1
SHA1195ac1085a8f92cf042487089e3c439547b3463d
SHA25655a479a66306d2f26d837ad763e49b7c5df17bbe78d3414dd84cec5f005a75ee
SHA51209c2f98f59876ccaaf3d7af11e82463449498a89630f941bce921032d4a6531f29a73fd3976fcfe810a73fc9a4c670d3872419ea8dd00093ec9db594df21ae58
-
memory/564-114-0x00007FFCBF4D0000-0x00007FFCBF53B000-memory.dmpFilesize
428KB
-
memory/3940-115-0x0000000000000000-mapping.dmp