hxxps://exitmagall[.]xyz/iduew73

Analysis

max time kernel
241s
max time network
264s
platform
windows7_x64
resource
win7v20210410
submitted
11-06-2021 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://exitmagall.xyz/iduew73
Sample

210611-9qr8m4rems

Score

6^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1236 1800 WerFault.exe IEXPLORE.EXE

pid	pid_target	process	target process
1236	1800	WerFault.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000a2d7b068fcfa69aa23a379e8c9fd629bdae454e1718e495733fc65af5a4a7d96000000000e8000000002000020000000713c33b544057c2f5c967164ef210fd91c4025386e7e411076d73c82558044aa9000000027681965e183be23bdaa68ddfd85dcb3a6b29eb9efe5945cb07abccecac908a5b102c81cde4216d3696521f30cf74984fc64e3bdb3725bd789fb203171c85a7fc1c3060061aae10238d8c32e23d254f8b665bf43e25155d3f734a5d4fe6f43f0312648f97265dd8d5f9a9cef403336f5f8b142bbbf04cd7c3fd2296ac43e12ebdb26e3a392f8a6c06d3fccb3696c080d40000000f81c99b5c7ad2a3ad570352c2b46760a6c7ec348410614c2a0b9800256c9a17dc2a177518b341fce7e1836af90f8ba695a4f35c1d0b6873e91fb57b6870922b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000aab1735c179b986442ab86a729caf74810209791c892298a30e0f353b3167cd5000000000e8000000002000020000000ddc54321cef18592badebe30ee17fbc0bf384d13b69d2e628cf82b87f7e00555d00400000d4fcf9e5646929a29e69cf66de5c66fb11cdf26e58cd2eb1817dc73d6eaf3c67cf4cbf16edb140ee3b33d712cfa0ce528579fed8fb30eff4da3b7000a0ce0afec92475095ac8ab741fb06ee9932c4e764076d493381e86b5bbfcbc4ee384773704aa3119ce1a0a8c2929434d15dc875559235ab5840c4b8df679671354e2e85eefdcb80e7336431fd3a9382f3157e064d7cc61deec4f7cd4ba09bae66a69534ebceff35c67a847ae5b8f35c3e51fb91890a1e1b483f897391d7cd3af2a6433025e0e976113e4c5687f0c0e6767d8b31365142d6ca022196195344f5ace90191fe4f591cb3e5d245beb4d39ed20eda939835493fdd3ad9cf6f390a46babb67d56c19fe7c5e05ba378600fb7366974c31b0c0404638d4cc41c4758683f1dbd52a8187b1407bf4fcfd75619cd77a7cfc8670f8b0b509bfffa755bd0b9f11e6305427513a1101f29d8dc6b6db0fdc4194ae9eb2b374a064fafe1579d3bed7c36cb73a11655ebb7def066f6d26d134d949f7f692e4c9ab23494e9d97a2cb1cbbb250b09e6d19196484633ef07fd957754735ddcb804cde783c3b0704a268636e01306cf0eeec39e2a9d65ebd7eba3576401c52bc930eac2e42062853c85b3c5b547fa6a3ba19a2d0fdc3d54d9696ae5b3ebd3757e4cea3dac7012ce94e125e1c3a1edb361b5a15b3534cc6b5120fb9ce57343e2a9807b5b8dd30d4c8acf7cda7c0b44604f893a5c8d151ffc281e86e736b3bf7ff5a1c1405585dc69100d431b4fd3d5f92cf2906463df79a0923431103d221f43edf020cffc9573a0bbbdf37f1bbe400c9a9e82727aded1b33f130be703afebe3e3be58ed41a7465de38ad5e4056fe4dc650035a1638addf1e905a0ddfc8d82f1ff1632ed26ae7ec482be3a62079417aa62d37e11b8e7cbca1fea51e282affdb7bc3a26be5495e0a843efd1f0df9d1f0b2209baa5ac894968d9bd5726ed528aa25b2e01e74bca571c9a39e2fdff5127e6f633fd0697c2443f4af43351afa794a693bc2381294a78e4a7a515b6580a6b3f119a177f878d62ca8bb89f56b3ff45baadea9df563f205b57852819a039a729a4c0af052925fb6e9906672a6a2b71604023a2bb06eed330f6efe7cbbfa79b2f490288fb04ae387479134dc13ae5aaf32a75dbb02c45fc35034047e2fc155e60bc66c8a1d005c306e742442ea85362af131673582f6a63b0deca9d5ca563839b9ddaac59732025192bd083fce209e0f673e2ac0b79e48b730836272622f7e5c462a8b4cec99613575faa4b4ecc5bdeb86829177df5a8ccc5d01ca1a0a84e764a33af3aa515ab138b7099300cbf9969610304197321572736a27c43cd640463b026e58fee8e0d9dad39dc8629d2f2a4ef4f1c5700be5ec26360e81c8a9582dd29b19ab5e6aa407dc28599a7b7ea947fe8e30271de0e8fb6bbad48cbd7db830dd854f36ce1195133b1283b9866bc41ffc4d9dc1a1fd18a05c5e60aae371319421b715d98b5a0561187bceca63b84f42a3b1080e7efd164dd9f12c821edc2dad532378ea1364869482df211e448cfc7b4aa117c21474e1ab46288c1e3f22c8787389860cc9891eed95c383a1941655ac0e496e62198aff277b05cf8f913896d02a0039f646831f96d8c45bda9a10a6e2c958572526f07874183091f0abc7260927a51264f52e83805fe9203c3f4ef50f16489c6760275deb11122121c04b0c214f1dfe7cbe44fd69d90344c2ecc0651db40000000bf9fc3166d644856a54d78b14bad2804607bc08c5768dee170b3edc095a8468c839663380f3152681930e8827007868c5da05a38ff5ca0a339653096dc622e73	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000f77872e6c9ce15c7f1f2bc99950347440ad77868ddb1b64ec66a863005f9e667000000000e8000000002000020000000ebbf92fc184e9f1bc711279d8f6e75e8d80077710ba18ce656c5fb48c138aff720000000470a842af9152632540c69fda51b0d5ea77065bce79381a0d009fed77124f55b400000003ff6c0cc1ddde6ad9a8e3bda941218e95d00d6a7cf8cbc4ca3ee509df726ce5c370344f52ad4709a78fff50628b0341e67e93cb3b1f939b4fb8c1d213713feb5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6068959bc45ed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CDDA47C1-CAB7-11EB-B85A-F2B989C9245F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000b8e45081ca301186f5d83332b3d110e97ecb2d96f614a3318a9c641f8607146f000000000e8000000002000020000000a5b8a73d3c0b218a25eb82865fd63c9c565dcefd2ce34454cf6b68fcf9285046d004000088e6dccf30660ccfa5e2bbeb0bb03993ab24f01d65d7a00b56dacec136014581b40061b21dae7e87a4637a160562c3e1d7261c8e9d59f016c1439202dd0a6a2470cf5883d2c0943ab8bdf9f47c8c3cfd8712c96a91cbf9eb786c0acff24e759a43d40fefc68c675a84d9e045d416474b840f3fea8eab5d5e0038872693d873ca17b5fd407d3ee59f4d62ef190ecf40ba54678563880a66d7e09fc74da9b0117099d53f43f2696a20475dee86a32ab0e62a18b9cd49e1c5934ec255d3de15f9c7982950be735ae8382f55a552ad813db32dbab22ecacb72f475a94d1b14dd2e2e15c784f3efe70b100f6095d93f20d33c2049b6a9655b311caacf4d773760f3e6be97dd1cd6eff20e53f180804e71145e41a0a9ee4761fc25f9281ce82a4ec3bb3e1eb8afc6ff69435008360f13cd73ead23d3e22717b4925a2dc013c821aa78b6d7b1e855bff9fc2eed9b83421cebebf563e87737c1f81abcdcc138a821bc259515e08b708b759a7da875caf63ec7cd20c1c6f11d1ddb89a0453cdec23c00dde8a2daadb460bb39ea5ffdc467f02ded5f0ca22a10a024affa43c9750e46ec709e351a26f5cd9c05925cec321a7328312de677ae40ac61dce2390deda1474ec96101728af7f0ac0d806b7f1ba03997f7482b59f18dac3bc8c74a7661e37d548104e26721ca4264b58579068d7e9ff348b7ce83a75fb18ded0771d39e87dcee9a0a53d4fb1671c11276ab7652537b832ca45f084fb72c745af80ea7a7429d9c16e383ab5e67e5a8cbc5666b76cee16de5af1410c1c44813624f2b90ddecf4405b6c56e38448854221dabf674e2ea58330e0453e3eb8ef85bc8a4383f5a88d4374761a80f810d033ac61a842b5e98d251181fd34d87f204dfe5f222dc61033db26caea2314c2abaa3b10e5cd503eab42b7c3c8c7b8ce90634472ea95d2206a64bb2c26a5dc601ccb83d36597a4a7657106b282e0e78c16dc751eafa37abaa5fc4fe2020f551a2cec205443b9e48fbb64ed3c26302204dd202250b54a9f2eb9bbafafa410a0c00c996fb8e43ff168b292acf417bd3193e0c89718972b986ac9731ee7d050f0842a2e08008f476b6112eceaa5e803193395cf952faee29e4879f4119a5c86c5419b4688b4aa2a0e7895ec89c15177c8ee854eb9f0c767d47e9da08fefcd2173c2594b3fbbb82b6e4cbafd7bba1cfa774a677486de9724ee69bdbeac42c45ba945ef70a4e4ab177aa1241f114e1fb5aa9d88d797362d72692a1be8a8d1769fccca0916726f7b2c0b5e4de340e76a6afd6468a63d5f3a5443d20388f2b04a9157b63b4f8b6608a08659ed9a0a1cb0b39b0e128e7b3f72a84beb995604a7d42f3a41b85e920ed98fca7746a54c12238af0c31f756ae5bbd753f5a75d3202de8bbc74e463959e3338aa2315e16ebb5e132d96eb34c3c65d8d58d42b2c833847f2c194ff8538051563963d21f6d05af9377e953b1c1ff23aaf1a3b3d1dad7da3775398731774efcc5879beeb4ca260c6043a163ef641d9cad7104d3585fc626e07726174501c4d208b5837c53dd36bdf9a5b7dfa4d4171c3313767f22e82839dcc7a9c3fa893a04feb71f7b9f0546d8b15b0022d4e57c0f0b07c6d29625f4ba0ea862ecb75c6f73ea5d70b7f7b6a409101e93199fd68fb947728a1b27df12edeec9f539823fbc54674aef22b915975d13127a9bb5621e9e34fdf82bbd54050bb8004b6adacb8236d0647cf1624629400000007bcc8434d103212045310bc2d92f68cb03733af5ace508086cbda31467f73ae4360b6299d71a70394c4f0fc7e4116b0c8f51b009da69a644d1c4eec2b59e3235	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f0000000002000000000010660000000100002000000000d94fd5f9e581b07c14d970856121a80a4761c1ef5069b9f395b32ec2fcabbe000000000e8000000002000020000000624e077e5db0a4efc5d2f0fefbc29702399e82fec5fcd127d838192b9e54bb20d0040000d4f091812316c67836a15eb6f7b83287296211e02c664e795ca196c70f2b89a60c14c960e3e4251c3cf7cba62aedc92557c2cf01a5a525b2acb541beb16c282ba99f64dd19d67fb4110b938c62447f37bb76fbb7d2c25e2bd0a1212db4121d524e1d778e8c77541b7efbc0fdc7016b766e2c693b35f38cd11e0415b62ddddd6d9ce558f69965b1281d28c08c24ad0091c5031ab71166f41041bef4b0e6b669665d3a03465258aedd716dd3f8f1e62b4aa763d0350c0720ffced06800250d9449e3c7fc5da19fc13255c941a2b421df19658c41ec1f3d33c0499b5494a3a9997159602f048d6b613cd352a441546acacac0ff39c0da15626b456b943e2d3dcb2f026abfa26da44be038d0d36ef8d8837e7ef8728a39b1e3bd45c570ee230381164c3a7c885a444a45ed6a8406df4317f145b7545bcdb5bccac944e960fefa6353caaa1e0bfc762f96ebe5871a6ded64e6f64e07cebed511717efb8c345b7d2e481eff142884890a064f18783fab153af5e58fbbe1bf5aa02c879826b660ef021379e420a81942b549265e9317843accafe5580c4b70198b719d09aa49cc90e153f04dc2976c3df1effee841aa8bb95ea0506571ed2ee927478d33b6f2ec6a48f9b495467dfb56c8e5bc984c86da8eaf2b06f798c63d6ffe9ec0039abaf7e96c0288eac054c35fda8bea3d759dcd1e45fa7c236b04d3e86e5aa0ddc7a0f3df9befe1cc68b150f3a291991c4fbb9b7ecb089e583b8f5e9c78bb68a694a26cec7b5316df38017085611e730ce476ebfa73374abd214de2938f0e5fb435a2f41d74290a7678231ebe2ead96d124c2abe59c9fb49265badfcac264ced058ec1b18396dc3c4edaeda390b46da6454bf23acadfc7989cab0ab1cf20cddbf65d0faff8bbf2991fb45e096178f1422ba6e589e707b94dfd92d4eef1f84769bc765e5b6eb0f05f260ce7c6ee96ed3da37defebfb3b17f182881441d90e25dfa108156172b2c244a32f6dc537436d1a4aabe05197eade3f9b9ff300c04e8987e5b661b77856c63d162d2111dce74abf30421457de3434f0e371ccb2a6ce6fec29bc670880c175654f78499aa2761f992d787e6e8138b73473686bd1ab64f573bcd6b9acc1821fe9740fcd6d95fed5613b2b246f45c8fbe6d0c428bc0a3bfdb457a1c599e8dc3f3dff157ca69f210504747dcdcc5048f3d6200a730a4981c577abb2954c8e24ea5868c145a626ccb1285cfc53bd4a7313c9a04c53207a4c660f73ddf5292a2d2939a4225b1a979debcf8b482037e80a9769b91e8568624075d6feea6ee6feed2635ab969e2c67d91c9a38155d476013037a8b42462eda4957d9379d49ec2faad15c55e1031258a31781564688bf941f6e0557eea0c7dabe6d0d57e00b66d92c037f3bc4b200209e4bd091eaa0dc39218ce3236002bb742be41356583c71ad5d033a4a4b0c2b0eab2e24d29580dfd9ad6847292d8751d0629e81f217a441947cce647f6820193b7f09e78befa15f48dbaae42b108f23cde8f3f793444f990ea16e0fbdb56171519612afb2f665fb57ae50b1f098ac9088f58c4a418a9fb7d9ee451611ee47832f01a748d92667e4467dbe64760d7204d76ffa76c8ca493237f0c30718b3258abbdb191292da5b74e10e78aa7e04d62db4be4565c106777ae3ad0bc328edc86efc86ace3f45d1ce2ab62070d499570c251d8fee280579bb362b3bf77376ab9ba1f98befe43565f1d7dabf4000000033a8341b558c12f1e18ec0426b2836fcd1fb9e9fa01925989ada6b22478486ccdadf1016979b84270d367d62d2ff8957c834fcfe02a9e0b0e8a604db7c06b8c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000d861f4cbe51bb7494a90909ae517a5349815c1a6663f13acfa028d9b554bd064000000000e80000000020000200000009069064765269854a2f74b571a09c648b6f55481654cacf9a10eead8e103a79ed0040000b53963442f37667f2e20a1b40e0e695885e1dca9f087de0884c7468f83dd7d84700d51cd493bbbd5825afc82a1af2afde1dc38c4ec9d3b91951bc476b66b1195731b88c6c59fbdf855e1733597b62bf56b1dcdbe4c3d82a086513f6007248a1775745c64b02097792df34d583d71ee20b2162e5d9d2211169c46e068858dcd8b292d9e15d5d812516a3d14aa3c4290b895e4e92bbe81dda2b35fb2479b3190a2327d2db8a1d872095d2e62a005707ef0d3035e3bcdf7d258576afa506554754942278f68f26f85d0b584ab5f38b9e65ee7939ca17120aa0975280c5c7a7e5ab626f014b89550d7ec72f0e42d3bd15e6e26f5d93732d254303b1b1e46894ef13ce332000d9b4dd99c5e98e2023a1e650a5ef6331d12a3fe18255ea54e7ca05dd13eb59efafedb79b13d5a620d8501c7815d180adabf2922267bb897047eb3b92136c44b025c5bb84268ecd16811ec1ad46add5a149efa6cd074451efa7f2f2624c8695f9b53b6fd669eaabbc813fcaecb9d54341bb5beb44b1e9c0ef181f6c5d2fcae79270c306983a0750f88a3e07f92e7b13ca7702023bbfd5fe6304c22daeae8644304a42aaeffdd950cd0a9fb3b27525130c6c2b71e1fb282df8f479cb12049e89cbcf8c30def2b8fcf6f4130a7fc7efb6dee7c527a6364b1a11f06596d1724291d5de32fb153433dd56e87ac47166403f824e8021ecfbb483b6ab8b6baf2c8cd1e275e52c5de9caaaffdeb4988ab6dc1cc8d8649705c5e1a9237aa0e0ba555ce001707e74110cb8f0984e701964bba1f4dcee0f33e25999924499fa45612fdffb426300dcdf9ffda84f09b0dc404302809ffa2971358f3f16cb490d7e9dd5622551d6e259ee825a02dcf5ae46b67a8e73c5508a00b668d92051e1c836ffe5b6b1a4fa7db8b9a0e38d4f3f1185487a0cbc0365ee5d10647b5dc208518375cb23df5f5b024fa939684a28e8b7063bc5f497320bc7b95e6c0844373706f4862665b53285867d2cc71a51febd12234f8783bcce73f9d4de0633f48ec8ec685dc14d17490fd18941f591f4aa14085cc9f2c9e55e6ab08b6e989f44eedab66149c42d4c6af96b57ad57376c176c39c82785ff8edd10247bfe433af9bcb3478a321a2512c692706f2a3d0b431a4b6caf0543a1333ee88de4031df05c16cbd9bf88e9136f71a4afe4daa630884e9eec6423bfceccce87ca72e7219611006e9ed1407f58fdd1b69859f2e75f2d9ed00967e4194c2bb2cf454d4afbcd94f65ec0e75bda3a024c0ddc2fc39a07b741706cba98c42be304f527b62e79f9c27b03952efe658af69e33b9aacbced4e5f194617855ed27516f9985d4a663cb6689f88c6bd0d594131f47c268f586af4ffb1635b160d689ce9280a2dd3e2d32fee2881b18aeb3b4ae73dbf714afd4af2804a6b8f939a8e6830e29242f2f6f04c6c6fdb42a3eb7c3c42e2bdd176ea2ac7351588c15d851e9b4679834fa703b1171fc4ccdc75a2ee6d5a7b10e086260f78e9bdd3b72dc19931e9971712162525cb76185d8e9ad490d735b58074304490cac944de6958c6db1120e8ed687e24338633255f7c8621f1ddfad0b253bd3df16e1cddaaa55808a15826f340f5fec70211e1396f6df358f6367755b33faf63243d9f24d5969402771cd5446758ecaf994eb71fbf6f6612ef4c56c2b10f695c740528c33e86154b7750201bf32edf44fb45317056beefac2041c935ab994c59c1c83d9bf811bce640000000a3cee7ce55fde33b8309a7f769b6c05f8652758d973d6cb88110a5fded14a7619250e91f76918da7617670aa741a968814dac49cabad34e6ccbd8bd5fd24add4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "330182609"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1236 WerFault.exe
1236 WerFault.exe
1236 WerFault.exe
1236 WerFault.exe
1236 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1236 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1236 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

916 iexplore.exe

pid	process
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe

pid	process
1236	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1236	WerFault.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
916	iexplore.exe
916	iexplore.exe
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
704	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 916 wrote to memory of 2000	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 2000	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 2000	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 2000	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 704	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 704	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 704	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 704	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1800	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1800	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1800	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1800	916	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 1236	1800	IEXPLORE.EXE	WerFault.exe
PID 1800 wrote to memory of 1236	1800	IEXPLORE.EXE	WerFault.exe
PID 1800 wrote to memory of 1236	1800	IEXPLORE.EXE	WerFault.exe
PID 1800 wrote to memory of 1236	1800	IEXPLORE.EXE	WerFault.exe
PID 916 wrote to memory of 1972	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1972	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1972	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1972	916	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew73
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:209941 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275488 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1632
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:603159 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
38cf03c4f1be5fbed07333b65d3b2083

SHA1
b7ca44fbb0260f7a2e7741239ca31da893f431fa

SHA256
dcda4562eab507eb52ab400e6da0baaede02208768720e4a0fa24711f2801270

SHA512
3a7877e444546786dfea6b548847efb1210c2626dabc9d2bc12244cfe556c97f9c917d0a09e1037403c2f9c8472378cdc17afadee1468ed4847ed3c4b6826768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V13U08N9\Z6EZZZR6.htm
MD5
4de41d0993ad88b15a4e261da1a3da5c

SHA1
ffd5a8f23d028a3714cdd5c71df9d391ec351848

SHA256
12f7d794e1565a9b81441688c917873183702c12c4bdea8840794a6dca2cf1fd

SHA512
40ede09118ca43e5c14bf921cc7f3d136309bf4ac7583919440d60043ec8f5030aff559df47fde076e8917cadc76246064f2cc6d7e8331b4680dada5207976af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZJL1OKS0\E86OKLN9.htm
MD5
6bb1c841e6949e8230cfb1f31bc6c7ac

SHA1
954a9f8fcc7572ad2532c900e22d950a6720ea5d

SHA256
64bacecf05232b18ad69df5f2ea552f7de801bb28bb318b33c551e8e76045b8a

SHA512
13717a0d9e312e02b022398bb7630cc1b978c39e2ac64c0a2d94a7a1085bff0054275de475ec3bf6b81885865464eef1ee847bb9ad24bfa5b9253c02a9fb1f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZJL1OKS0\U8AEULKT.htm
MD5
ef812156f738f784bbe7ad4f768af633

SHA1
b95340bde9627f781d3a79f8a1fef59eca1ceb95

SHA256
93a10799724012b8f4becd2d7a9230e4cbd1da7af21a5fb1a20c91bfb609b83c

SHA512
64ffb14835651fbb2833748dc81f134b8b1ffedc9e7c2593aaed0af84f2ec029c2a688a75d7e6bd6eeee1450734b4cc11f21a1b008131c6a267a6d55d4250952

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4G473GLU.txt
MD5
c3632183e8f4171dea273a1db3e349a0

SHA1
74f2f2eba7c961c7caf11f9239e7c5467ae7b106

SHA256
5899dbdb7c53e10b8dcca92aaf0bffea2ded80e73e6460b11b9f3697a5b84a49

SHA512
f62e3da5805c365f7eb9894af22629e248529a679f5457c50587cdadcdd265a81ad0ab0d8c8ae7ab85b269e0ed202bf416dbbc483c139f906f5bac7582276d20

Download Submit
memory/704-64-0x0000000000000000-mapping.dmp

Download
memory/916-60-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1236-72-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1236-71-0x0000000000000000-mapping.dmp

Download
memory/1624-66-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1972-74-0x0000000000000000-mapping.dmp

Download
memory/2000-63-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2000-62-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x0000000000000000-mapping.dmp

Download