hxxps://link[.]us1[.]storjshare[.]io/jvonq77hr3z4phjjnprck5f3o4za/von2%2Fmin[.]html?wrap=0#sovdir@annpz[.]ru%30-3

Analysis

max time kernel
118s
max time network
150s
platform
windows10_x64
resource
win10-de-20210920
submitted
01-10-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://link.us1.storjshare.io/jvonq77hr3z4phjjnprck5f3o4za/von2%2Fmin.html?wrap=0#[email protected]%30-3
Sample

211001-k24nbabdb8

Score

10^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3194190070"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30914211"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3194190070"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000032b305b0d54be03ebe868773bc5b61129eb2ee893748077c99c88444549dcdfc000000000e8000000002000020000000ebf40c4c73619e4a32f48153e52de9b11d0ad4491fa962f98077c017398c8ec0200000006771650f52be58e935a63a7e2e68343418e86a7dfee36517fd4e14e1d209588740000000f2b74625414c75c08bc5db84cd6a3b0ce445f5e377c29c7183c76a27333f64d07cad46b5b6f3eb87f61bebcd123a5f2846769597eda27854d5cc321aa57fd3da	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3208704930"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f26fb0a3b6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339844186"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000003541c79e4cf8557dd50081880b18e1533a67e145c24e3597aa6a9ee392b24b94000000000e800000000200002000000089b0079a5b69f10f33f65b2a6b2f7a9d6fa93794d3e329d8ad5b369aa85bbe2220000000600e84651d7fea1bb0c28e77dbdfae92ddaa9dab6572998f92c471f2fcb6ed41400000001e5b00288bb3cf1d92241a07644919b20acaf38c4b702702c65a6364bf5355719b7d04d31522d7b125ab2b8549d6adf9596fbfff20fe5ec04c0843b35aaf762b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30914211"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339892771"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339860779"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30914211"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9E5CBCB-2296-11EC-AF2F-FA730F1BFBE5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7083c1b2a3b6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1116 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1904 iexplore.exe

pid	process
1116	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
1904	iexplore.exe
1904	iexplore.exe
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1904 wrote to memory of 1116	1904	iexplore.exe	IEXPLORE.EXE
PID 1904 wrote to memory of 1116	1904	iexplore.exe	IEXPLORE.EXE
PID 1904 wrote to memory of 1116	1904	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://link.us1.storjshare.io/jvonq77hr3z4phjjnprck5f3o4za/von2%2Fmin.html?wrap=0#[email protected]%30-3
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1116

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5
4d442efa7dffdca9bdbae98348b23224

SHA1
7c37aa743f717c356ecb7547310efdcfd8871e99

SHA256
fc88e75a2b343eea340866d7eb4302688dd16729c640c2f84162952a6956e1c6

SHA512
be7a4b5b58c3c081d1f341b2d3206c9b6ef558560442eab207ad0dcc1c632d83f6b94aa8d75f46186b8c3f2719b879feedd2300af64fc1b3063aabdd9ceb141d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B74DB976F48D720C0DD8CC3155A00B6

MD5
c9f9f03b79529612f6324b2297a44a0e

SHA1
9d6b9a4b860d329b4fbfd4e855a97c7e12177da8

SHA256
ca670bb067b37afb1b5196ab3dff97f173f4b31153ce32f46bf0a0e0dc59c8fb

SHA512
7a4c1656c55999593d86720782889d323e23cd9679853bb0e829cc941ece6482287f853fa122a316d60a0c0d0cde64e201a4d6e70faf09654c8b2a1f554ef3ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
d302a1fb716166b280c2accd4491966e

SHA1
9eff2394f8616a4567f3eb895747ddf81fa68207

SHA256
ce29369602f384184b8fc7be24fa322fe70da4590f73921eada2cf12774a4afc

SHA512
c2b90c30f558518426cd0135a06dfc7d1c986635a9effffa34af80a8adaf566002d17288409b838452510212f774f5b75f2772e4acc20d7b19ad6f99751dc9ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5
de27664da1e04c94901fcc3880064613

SHA1
aeb52fc87f907dd40ae683c52cf3129d4b27e25a

SHA256
7e59ce8a2d7d1e1201e535a3175bfaf239b9f5da7be265c18c5ff1e1bc696282

SHA512
2d1e23a6cb1641bb1c393e404950a781cb20e5123c1e85bed129a02cc54b45e84ef49b54bd4a19a0dd48c66693fe119fd4f6b6733c71d34655d4ef67b760fa36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_20042448ADAF8552A0F71F2212C13E64

MD5
a42ee47c46edf5250d88769546e419b7

SHA1
949d33368bd5ef3d7baf38a0c78987463433eedc

SHA256
63407443627c33c08b61584713171bfe0d9d1bd08eef3e446569792747b71d98

SHA512
024c4a782d9df3c17bddf188075a570c55efb6b5361fa59139e40a118cebc0655400a1f61c5bd2dab639c9da435f19638818067e1d5aa976d2c3fb7b86ed6bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5
f7ea27303edde7f2c3736ce8f83a310a

SHA1
3e045894a4c9ac68087d8e6d2ba9c9163015c5eb

SHA256
3447d81e52d4c3ff7f004886c7fc328fb5be1cdbbbfae2d4517b4bef13210350

SHA512
9829b1b7b78e899b11397c3c8156351de2a991d10cc36c68b0c433d4cbb3d2231729eb8a44af8831161052339b363bc8c01beb78d1cd1ed1e46b8a00ee2a9df9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5
b419a6f758613b1ac406a2ca229ba805

SHA1
4472cc95063fc98239b3103b9070975cedf16700

SHA256
1a774cbd28b1e3021c5f434f9a6626fd13fe82cb9ee977f294aa0fbf1dffc09d

SHA512
1ff6da531f68be77e76120b52ae9bbb81ffb4c4945d356dbcd3a9d3a08329e63246fc37e67b5211ca9014b23549d1816507fbf7def4dafc5f74cbafeb8d61ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B74DB976F48D720C0DD8CC3155A00B6

MD5
8409310480e6a34d1047ba3efbc23dbc

SHA1
6c2f672bc3006ce9bcf99b8a9a869e1d793071a2

SHA256
4763a73ec899f2f44224e18a528cee4ca67e708ff2042eb7e4d79e99f5c40a6b

SHA512
fa2a32e5d104baf54a0862d052a200455876b3850fe2d78c48820aa8d6b9e600fea612b810f4fcf4648205461541c0d59dee92587748c0e6509276dffa250285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
4e98ab667655e70871742275b9012549

SHA1
9e1f3ac5b38f7e55aabe023cbe8a9cfeda9f11ac

SHA256
e611ace064b8b929e28c4f652ed69b7a2c87cefc6079f02d302b40d72b7f8217

SHA512
a42dc7f3d918f2ba12d9e586dcc1f5e86c82fcb22396899f93249944c00ad0d96de3b7e35d8fb0ef70f2c417f430959f7ae7a0c391aa8791f5f766c5098c9d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5
78ded57ccf34bca5b1690511de10003b

SHA1
636073b91ef553e9420274ff1632501490c99faa

SHA256
9a5069b171872bdf0db52ddc27563b3d02185e275266eaca910c0eaa3a144500

SHA512
9ade4de54960d1975d4163714b0891e95e527fa6afa4e22f55f1e6e98eddcf083f9cfed7069ae02b6fdcb9cff53ac3da6b0b91e540bda59eaf517c8a4944d769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_20042448ADAF8552A0F71F2212C13E64

MD5
b3b362ea4e95b32cf4e0deb462244d2e

SHA1
61ccf7c62bc475586c136b6192d59a1e2de2451b

SHA256
79da1faf0d54a0306df0c1b50285e60682a80254230b3bb835be39576fef724b

SHA512
a9258e346685707a2739460643e2db19b9e72b9e2de40016f594a51486443b067a4bafc445c77e273afbc5fe6b70520ed22adeb1bd8b999baa5a1a78e2e34f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5QNWR8HH.cookie

MD5
a66b8082a571a36a1513b13d6a066af9

SHA1
2209ea652000ffba0534f18bad587965ca1a1326

SHA256
c3d7ae4bf033e61c0177480647884d9883019c11ca5653c2a039d880257485c4

SHA512
fb52cc5ea6a42cebb5b761e772b285217706f46610e0a2aa35529eae667d8259d8f7539b8e7db24e001f036d843596653e71d2d368b6a268d3d450d866d2ddc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\675DWU9L.cookie

MD5
4d6eb85434cc91bdc2e96d7eceac0485

SHA1
f13d86e80d64a3f9cb236212e754ffc3453ee546

SHA256
16de9e4bda71e1787da0d0f4fc5b477f89ade8d16cf0992c340e0ff3c61f1cbf

SHA512
1b013d8d75a30f243dc1caf2eb225cb373f2f4e51fd4ff8cc5ff4fae9ca4f5962ec047751363370431d189cf557969e05edcc3ed21c5af71e50ca8cc89c746e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IDH8FHW8.cookie

MD5
c44229bbe3af3c76788f232eafd325df

SHA1
ee7450bea0ba6cdc52e6d363b6e1f477f3ce981e

SHA256
45f0f8ec131642940e9b14160460627aa9ecf84ad3f5620ab82ea2de522614b4

SHA512
25d237ea80094f2140c2f14605b38eb271f4d0e3c97f923581201f25b40661d8f07cba4c45ad2b6622859f4298d79f7929209c525330ce8714bbec97094c076f

Download Submit
memory/1116-116-0x0000000000000000-mapping.dmp

Download
memory/1904-115-0x00007FFDA9F60000-0x00007FFDA9FCB000-memory.dmp

Filesize
428KB

Download