hxxps://onedrive[.]live[.]com/download?cid=FDBD3A4468B38F5C&resid=FDBD3A4468B38F5C%21104&authkey=AMAZHJllixGMXtM

Analysis

max time kernel
133s
max time network
141s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-09-2021 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://onedrive.live.com/download?cid=FDBD3A4468B38F5C&resid=FDBD3A4468B38F5C%21104&authkey=AMAZHJllixGMXtM
Sample

210922-3vw9rseaf2

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fdaef90cb0d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409ab8f90cb0d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000df2df39a3b30eb5ec044bdb46d4b6310be2f9e6babd1ba98e1fce607483776e1000000000e800000000200002000000055f9f226f11bc5286e0b993f4879efe4ab40286edcd8fd203b463b3cbab6486560030000d241fd3d501997d9df9b2c5d38b249506284b0214923214468e3836d50bed07801f273d1e316fea42579d98ccfdd02d91e9b5a18d5176ef0b368b5e8641783b710505470073458b0163d951c73d2550d28779fb06eb47abc8ea55d018149a5595f3c7de8261275dba4b8f7175b51140ad1160114a60e174f4df316946f7e1b00beef533d18e239e8bcec03c9b33727b4516abd5b8e7f7c98229b20825844f3093a7d3c6500ce72be0cfab67ba36a8ac4bcf7ee7471ede8508ef8ab57b9da6c67f2b84517f6d6f007e831d57fd5892e4087e828c2cfb7d657512dcfce94a5bc96c45c01be27754874cb3da851e6d7c887e106788c4373ee9f286c013ef2f111c4d50003ab52944cbbd3cda5cad6dac3d46873dff40e316d68388c58f6df918b05c127bfa333a8376fd1aa23ab4cf9bd14e3025dc774f4fa72b432aeddb0a911297f19140a0fd3c72efc422f060def9f0f56c9f4570db956a7f461537e8717f1d628466abdb80248a0e72db2fcbc1f9aa012839b9fd094775b0912eda87a3fb5794e2e02c943c02a9616f488cc27ba99c1b5df66533dfe7977d9be5a2b91d2d1fb62d030a0569e8324a7db1087d53829bd815ad51a6e8d156f0e3a64fb8bbce70f64782e141cfa44ee21b633fe6dbb04e8b43fc510a7e65ac2d8f5e4cc8dec80bc8668bf1c800036401bee663d6242997b4e29df65ce77b5f0677fdb9ab8becd1ba7665cdc7b028bb35b20b57951885fd91617a724edaddb8b909303912df0db73ed7a15d94ea3314f2d16ec58f53146ffe7ec940c2d77c03f3c14d798d5497b678c4012066714b1cb04f286edd21d7890b1d8aca1a97d4d38722fdadaddb39df6e15049e2eef18a16b942a031d726731640b6bd8846c0704440d26d833bfd3cec9177ec6abfd9a94d329ca3586f150f90e802c3c1a26292ee76ce61027c000f2b978e244bb86a0a1f62d5f237ff74edb6b293ca90af95972a64d3d5e80f4798c84bb28b16748e3a162c0a7abc3624cbf78194c3348fa33f468f2787b8e0dd18acd01db3c4e3d1c2b76d10dffbb20e255dae88abff0e9da0d45c94e3fd6c2dfe46c034a16e5a44246e028f8a193ff980a00de11e9dafcc3d73f0e5fca8212e19f46bde9a1a5fe1b7151d7eb4944ee19676377f526bb6a497bbbfc6569a96329f58a0386e56d349c2122378caf45a207951a36fc5eedb498a1a3243d2178719e59640000000663482a7f1e5c063efd15e0e9a4085526f65d5a94717a7235f4dc581eb29f33de82fd16bcf73eb0f6664ecc51bda01d11ab7b6baf24c07786754534d48f57027	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4153375354"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912524"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4153375354"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339136314"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339119720"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000ed8be04a1a1a8ff8d48ab6208fcad8210e270a9a91a686e952ec1973959787bb000000000e8000000002000020000000432de4229e9f7b84df4eae82e1227f9afb8cc63488219469daa6814670ea98232000000049c1809a56b75070604e34576cb4cdd001e7f3a0357c8d53e3f657b3cb21e90840000000aa742d9814343df93a2426ff3f9267797ebfedab451d10bc230293cd477c082a345f906b8424072967f1043a00eda0c95752f2bd0e0d0b13b30d821b0228b81d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339168306"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4161812700"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000048a92e9a00deb4aa864d40ab8fdd564520adaf242543f3a4ad51628161f20000000000000e8000000002000020000000b26e605f63b69b8d623a1ac61a66ec640e28adf7ad5e7e3adf9e390cb3ab850920000000ace3ebca2e08cff2bf89858040d0935316fd0e9fd7fc4641c9aaa0f7e15f16ea400000005592d614102812d5baedeb2ef1ad92141b6c482c302bb159ecfd0dde384e4e0f7585bba077df7101f17d7456301bf070f4f3453faf53f5450a4985d7c45cbb63	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000f2e7e3de4954d25e562d79f5162d26c734fc3b0fed25e9a61639104cdc939ea4000000000e80000000020000200000008675f67b66a76ed51e4888c7fe46f92acade487f1ce2038a0b1f50683d4b593b300800008d7e8b8f11f4c1d8ffda4734ea2d8f6ed23e72eb3e3375abb9e5210947737707c1cde0ce3fb39ea75a165b311d5cba8c4c3d037a76f7989fd8856f7c762f37c442915b9006be72c302a7578aba89a807bfdd9555996ede2a4e57ed2374befa34a14d90c2ab4c1e71ef8b15dc835d369fd78026294b0a7710b05a679874c222c4c66d8ac66ea733ee5085255f1b5c62e2b569641cc7232ba3b11a56d7d561bddf3fa57f53b1534e5c92e8436a22cf39314fa1d4e0ac9aa9781211d40beea47c9cd6c30c7f96bbe20ccc6a5d359e1fea4ab10deeb6c586bbcace9dc17fcf9d59f6d262ec70007b4d553213f224b7e8d0287540b3051ae3556aff324d4212235a68ecf53419948d46072192a542012769a3992c6b2321dc085be193621fe2e284d8cdce768aa411b022dcf2779d8d53f58c727c420fba429ecf9dfd98e03a00d2300d0cd561427eec7293850a06e36be2d2a673a9cb8016c1408b45fabee3043edbc4b8d2a7c16077a9a8643c3d7847f12d777e4cde1fbfb123dbc65d0aacabb51e59154f1b381150375fac23bf895b877eb18f48cbf3ec7f172968789106a05052660e4301abd54069481668d7f796f27b39904d89ccd4231de5c7027308a93e25e093ff76bd8af5ff1625a689d1b617accb0523b13938da7bd0446c3588b91ffc53abc7dd5f3a0ea3f45474efc7c8fb7ef60e76ce934b9827b2200cfd1bfa2bccf66d16d53b06472c4aec3473a8236c40e9eba1e47bf69d093aac0e1b588d013a795698943a68cb471bec7258a239253bd489cf08c92e6a43d9ec69892b59dfef151ce0491d0706bb9ccc09d12fe72b920b074536ca8f2315cea2d9633aa4acc52836fd354c8bbac98a0f65527526c023919d62883e944fd3337ed38817532e810aa227968c3f8d884cdec4b7a252257062dc02fc0a431a3af23e9d336ddf22fe27be1602d9fd7c00cfe7e5134dcf5f7d916dbd41d97ba45062401f1e230d0e00a20c325fc88f35f4e27a5a8ae4141633e6acfab9d63070cc58b083f10060cdfbe15721f67190f2382407e755e50acf152e9d88cb3200d48e0828b49155595c6bc91b18972f644b60195b808248fed06f758a8c5e500eec72d978c0e360d966d1808794b91abd98f3517ec87631efe0aa23871edd88cec0633fd20f6a8e04334cebad8aca0bf25ac01aaaaed6bfe48789835c1c145ed04d863ec8f7ef673e0b4c3a744fec51bb59b889630076c8170b393740403fb1022a831679751f2a02774fbe7d9699351db6e14db68f8c09850baf1d6e68c8bb31396a91849c10e8c3f68644ddbccde0b6f228ba757103e66bffe4cedd2b60fbaa2592c04ef263538c08102a5efa72d4f0f95cfed66c4bf7f0a46e0a402d403f19fca25273eec6c270cf66ce48c0ee665d7d7695091cd6a3f2564e46aa8808fa43a22d8ebe418c17cc7ad84bff1f717d0665351b7eafef8f85beb585f262137034d03257bcadc0ad47e12c3679c9d7a0327205a6be33c6fbd26f95ab6c345f1a387d00df9c5f5ad34523756898e730e2dc40bd693d8f1ca3e5b499a45c6642c55b2dd4d4192fd5a2505dfe700af5c12fb8af6690b8c9c67a23420ca7f953124a0136beed5a55522852b4f16edf0cd8ef289fbfbf1b2be90b548903afaa7b1bbb36b8c998a177928e737de69001669b2b79b0190a8839336d06a082df8120f34c9fb294d04c7119d793e498668a19aaf533e63948f56f4841cd4379802f68c0e162dd23ef7959bdcd72a2aeb18fbc57471a0b85ad39761255a867b0297eb680b1ea9e8d560c6cec00c7511cba8f18e95621e132ce1f5c651d91a98e709bcb1577dec1ce2fc2a29041a038cdba980f0320b6610c94d5ed6b1867b46f22839643991fdccd0fc710df69cd518633de98dc835dce107a6b579b08f0eda9f853bdc8ee44f6c4fea6100eb3fce099b5e3745b8a7c08f71dece223b915e8f8b14e4fa219354474d9afed598adf83820ed6544a59ffb1880aacbe3fd27645b74d1cd7c8867eef7e4f67d35f998e08f7499b74a761f691d895a22d1b4c74bfcbde8d7ca46aa30e0e1327393dd4a32bb28634ab34fa0f1be754aa5a49d3f1fc3ded25d112dec501483c452241bf80cfcad60df699d26adf82051c334d3d8ba605ed5ec2a6e8a887e5add366cfe06210b204b5cf444df750413d208badc42504cc2b42ab245c6dd1ccc60cf0d09af1c18d4326f6cc72848de69f9c0205c81ce50bca4800f69711af6f81cd55d8cac65eefd52a5792ac054484c8c38ce8c2a2ab8410bbff90ba7a1d857416b850744469c96c0e1127784cf03bea9012593445ada04023e9a4413a54a412e08f11e059c0ff12312cc6857820735db5afdec55770ebfce928a7ef34620573e296ee80c9a392a751a0c77ac9eff21f6b61255ad00694f77a46946b02e4219eaa616fd88fddf64f17ff807c732b66e84d8d92953bc170ed48b176b687fa8520aae5840f4f0db110df045432b1d27068daa57af5039b8ae877dd065fca3dca08c5e21e651633030bab9475de97a82d7d4e2c4768ec597cfc688f4f882d1fb95873d177a91df8f57c208beb715d40b6cd0ef19b84a26e76943c84726b722a8e2a7246acc3c99fdec2e282a2449f1d01e45f6892cf5adc24301c039bc6a2c9255d6a65182e41a9f13cb48254376b46deca4fecdea2203b8633ca3bf1af8815299308032358040991171bada0ac7d1f9e39411b92eb3e7742175bd396feadb6f901f2606412f554355831eaf8763ed2f35d768d4fc5d6826e96c7ca7e03aebbb145cd5b03a77b67a67819e77d9239f10477dc46d4ae0831e328ba1ab68644aee93f781684e5a2e31a4085dfbb8d4d555b42c191b8120cd8568fdfef506749fdd7c0b99008bed26ef794963b7d998afcdd9d4ca02592101db32fe4c42d13a87b877616b51cb16ebcbca28a28caa6ffb1c6ae30e00e74ba0925400000006a7384bb95708f301f667a91b1f7c9d6ba286d454fe3b2a2ebb71eee4beeb53bf0a6d105a476681319792e8b3e6b1476309ff5ed35c4f456b0b406632d86040f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30912524"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000952e9bde85026b7190c0d6160fd7b3145d000d1ac61b22c027fb97f4573a7f18000000000e80000000020000200000007fed55486ed6fe61bfec9499b6c5fde8bcd1ced09f534335ccf6d7f8665a9e3960030000d7f257d55df026b9575574f042d8b330c9e50ff0970a30602df17b6ccde5810a45cbef2d0a233eb705e10b7210141b4d83f955a37b14f81bffef9e7811bae25b2e2409ab844075366fa81cbd5f6544c96ccb806471a85ea8265a28da1374d7ad3301a0c514c5e5b895a355ca07c1598f1e811c08b9dee86e4af2302cec1e0aab171edb9b6e8106fd1c1e5a6eb6c16632306fde4970f63be5b28d4b26d199f5f2f5633f0df5c07658091d43ffbcaf494a3373097244c6cc8309c3ba841c75078d4b6636f3d6875ff6bc4681e303368548fd974c2bd37a0d24ad5fbd50a572fe96d533ba9e8bf65e087614963f746db5563927f201e1d48d138ac17c07a357eaea99619ef0e024aae3e1916a05c823c781ad2c68b33a821a3f5941892d2c6dcaaa5e428705e5f6666f553b6739adf9c32813e06f56d2220d1c19283a85e4ef8d2cc67cf0b27b678884165970b55408a9d5fac3e6ac31c44bd6381474f5248707b15e80a2639fee925c4819d284434088ccfd90f236aaf87f953c9def345b6315a3b91649e495eb979cb2fa6fa9fa0d79490c1b8df12f62411345fc9e4370e2576ad6ebaadca86f5014a9d0f12f83fe2b66a0aa5dd4f67b2d77c27187506fac2def485ed4bcb8b4651a227624782e288f2db1a1b7e29fb27837d21afe99a506dee93f881d9bd0aed449e661b7d60b1aa02ee40fb315fe11aaf550f0a72face77bb4ece6f0fefb354f2ae2f63feb385e612d630f99e2907abfb71832ad592a54bd674816c747c2d0ade0493b31ece86a4ecd0ea7da81d5d51c615f6240144bbd05f610d504154aa532e89adae171038fbb5bb1c58db1bfd8d65960bcfa286779a6f16af1b4626a7f969da47a060e7dfdbb817d5ea0c406e50b9c76f62a5711a567656f75d6099651d74501db05198899e43f16953af4146e25474756de22f8299a505dbd7f742edfadcea5e6d61e39e18191f36519b3fc35d1c6f7cd7c0d8c5eb48be8e1fde6902402d1437fe05c7d35ee4b9d7c865c289680ee24125a7f2973107bfbcc63ef8d52782e2015b1b8b58bef66fd5be892d0d763c06538d0a6ba05603e5c05a5e4e9c8f87dee0ecf1924f59f60ea0fbad6471e1abeb1e7d8ab01854a548f19294ec4e3161efcbc290ae85caf2612d41bdc2b2de79a7723d6bb62a77221b5ff6bc62746054286280f39cf221350f7d3e8cfb1930083155a818636d2c45a40000000eaad25a3e37937946e5762ac79a28bbe086a5979a371b0674c7f726afde199d90e58d04ba69c4e0771e4ba4e5ea67c3425053c6fdc550b3b61c94598466064a3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09f34040db0d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000136c4813f1cb72303525fb3ecff58db8d7f0ffaeb45bf1774729b6ad2fcf8539000000000e80000000020000200000009dffa78521a1e95fd0ae3fae8e4a4a4d39bafa15d3fca2676e51df6ed6d34bca200000008e287ab90a511592eb8a611e7e436cef20b5b5c61f866a0faaf4e4f46f85160f4000000079fcdc158ffccdd98eafa32de887a9e12ee9aab032042582c7ece049ce210793d3ff57d2206086a6e7db71a71dca1ad2dc1c8a86b1c705094d8b97cf1fa086a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912524"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{233D9372-1C00-11EC-AF2E-EE15F61CCFDC} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2396 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2396 iexplore.exe
2396 iexplore.exe
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE

pid	process
2396	iexplore.exe

pid	process
2396	iexplore.exe
2396	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2396 wrote to memory of 2680	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 2680	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 2680	2396	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download?cid=FDBD3A4468B38F5C&resid=FDBD3A4468B38F5C%21104&authkey=AMAZHJllixGMXtM
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6184b0e7016067db51a6ecf5f3fec69c

SHA1
d95dc8253b3f7ee8eab391a9933de56929b7b9a8

SHA256
f0310616d9b89c76451b430a7849df7d6de967e7be98d4db98b18b13fd0d4c24

SHA512
1d5a39ff7c1a9896999b5a571ac198c8c7c667737f9970d1b81c49b6d20925bc800df7b5f2cc890a079646bcf8e7aba25934018e55cf555d1873f0f19dbf05c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
cffb804ecaef374e696cbca3f03d45a1

SHA1
a1ec79a148bc5c36863ebad8fd3f0a6ea2c238b5

SHA256
a372f1bdb6508f1cf52adbdd74932b5ec96237247479165b17215aa712a8645f

SHA512
c5a864f7f300bc84d3672e5ca5ff567b4fd9c7c5c92f99d2211514231abceb0755d33ceff0c75a9c17ae3f817e6651d2287b0165dbc37b79d03d9d6211db31d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
c35f5ce6d238a18415566b943d0ddcb9

SHA1
26f5c7a89cb1df82ad8c5259b13b7c149cd9cdf1

SHA256
5a2aa915af11874538b3762124208c2b8f9a45e0042d6290806f5deeca107718

SHA512
5d598d01dede2c63fe90eb819f83fb3af81b8775b66050bd62817f9a47ae0f391389111ca8b10af8623cd045ce1c6b262d05df0c775082fd0c83374ac52dcc0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
5593bff972b05ddc8fd2f7ba87c12600

SHA1
cbca96cf1c706ad54290c8feebc9022b86609bf7

SHA256
5fd85682175feb061d16f048584e4bcc6401fdeccbdb0d66e0d0b0947a99df0e

SHA512
d755419120fc85d359b6497ce424a277bc4eef7def8ae3ed6c53fea5bd91fee865ac29a7bb27317f5f28e645fb26394aabe9ad665ec9bdee8dcc2bfaca53574e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EDMHYVSR.cookie
MD5
97d1ba8e4b3d9165cfc2dcb1be5019f8

SHA1
b7c2f724798ab87ddbeef9917efaaf9a2ea2657b

SHA256
5df7e5d51e92d8b1781d347440b842b46b72b8e309dab096a90d2545cff8a9a2

SHA512
84673258d271d7d7b5cb236818e046fe7b8dc8e71ee0848087467603078ddd46e0fb2d97f7b5579a547e8187aec6a0084d367cfada6491a043222d9a6629bf7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JTX25RDL.cookie
MD5
a2fc4fa39df6f2568094666b1f934415

SHA1
7fbff90df62a8095dafa943932e6849ccb9e62ee

SHA256
9dfa8ebdb08e449a5be9ac95c0bab3c6cf2c3addd4760be1aef1a32556f5df8a

SHA512
b2babb230a405a3dfff3461cf2421cc0713ff91d362c24af0471f4f5042d761c19153c0375c8fbfbae5a5c1506970fcc5b4185033dceece2a4c99d2958ee329c

Download Submit
memory/2396-115-0x00007FFDE8A50000-0x00007FFDE8ABB000-memory.dmp

Filesize
428KB

Download
memory/2680-116-0x0000000000000000-mapping.dmp

Download