hxxps://ankltrafficexit[.]xyz/trafficexit

Analysis

max time kernel
146s
max time network
140s
platform
windows7_x64
resource
win7-ja-20210920
submitted
07-10-2021 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ankltrafficexit.xyz/trafficexit
Sample

211007-qynqkscfgp

Score

6^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

896 456 WerFault.exe IEXPLORE.EXE

pid	pid_target	process	target process
896	456	WerFault.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a60000000002000000000010660000000100002000000073a2b3b6dddf5e5e06178100d14fdacffad90f0702e2595a3d426c7377198172000000000e8000000002000020000000e12f5fca4bec5588637093c04cba759bce4a5f67737fd11340359113b5b4f3f720000000af1239d9f56f209e4b107e662dea87385e9db2344c3d4d66f604f72a5f925a4740000000b7b0b591d83a7c76bd498c2c2d50927a4ea0af095fba9602faf11a046b0e029298868d1705972c63806e5d705ddc6f91806bae2fc85686d4e5483c709f2ff653	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000c90aa05d32c52baf90a704c8f5de997918f167d0263b8ad3d9e363d06bd29fab000000000e8000000002000020000000b73c55d3d09686f3d00c5bbaa3b9b416c103915a040aab47d54979019c5f2ef2e0040000bd0c60ad123676a44303788ba9fc069c5366f0b7911ca49b6d7fbaa8907ca478fdc16c58a15df4543227f6b3c1f5ee1612fedf5459d08c624abf14e4b5ccecbd7fa6964cc0c1865df4b30c43877f8df29d9f3596fb14297e026c83d116a9036ae948c1c6c2a724b45e4d225f7e7eb61ee451975edd9f03bb5f29b77daac74189a0e4161fd8979dfa8f58c3b663ce2a79284d2c6e21e48c03e1e46096d64d6c19e1cfc4220f934fa25b6be7986dc80805805c0f94c77f9550ce7ab34c8803664abfe71e596307751176f30c21724c61dfda908068269ce84b4602690cbf8bdbb29fd3f30d5ded7e145249e92181d0871a1b987bd012b781798ca58dd2b33239270f701a4d972fb1368f2d31daefa5e61d3e6bf9e14fae8f340eb3490db810574989b018546b64bc0b46772a375d0ed71a4360d835b4fc8bbc5792b63d67296273d8100385bb514ef7f9a1e9a866739a06f3a4fcc6df5919282b4e77f45f61509271e8b6f9e583c7e1e628ff97ad5e0595dcb8822cd7fddc5db35c652d15b5783943c8889707113d1f62c6625bb0f232ba246eb4dd5465aadac8f870f3d4cbfdf281c677602ab91b11d62f4bf8186a59b4de3873f8b9ea980b96dd28d2553e46cee5aef6f468d612f8cf4cf63d46ef21094ac469b67037ec961894d64f375babcf0dcd34e8cf015207832855945cf52f4d8cc8c2c214afb95cf84bf278a325fe6a269e6b8107c5b15dbaec8f261dcc5c826652e134eee02bdbb03507be61cfe530a076025bfa46f2b73e467fcc25d6659ede4111b839bed7c11f699019802c9ab977d3cbcfa1ffd7307f529978af1935576cc7a16be5791a1bbda1d06b9cb3c8e185308b44ad21854117005ce480c06f28b04c758a502ed8d059b6062d1e160889b6cc37ef0b5aebc4e355c52abcf8258d2269ef9cab47360d8373efc11a0c75d7151046c1f8e2c836febdffcee6a8b45a6b2de08466e0d5c3bccaca8250a849954f49edb09a5c31d156cad3ff8855d9276f3b619620b149744f5c00bf19ca8c6fe2f1f375ec5e96bdde9f174786a67a25ec33451ecf6c75c62a1b2f1e536829d3d668edf5f1e39334b2d85271e9dc892cffcccce78ca60cdc2ae52a9df0abc4964154d312bfa604692ba88c266ecc3ac20a0665d9b98fde66dc20cf2935066e07eb78bd8d7f161d30ebf6c7cb51dcb4f88c0436cc3ae65e59d85f6f9faa92af71570ddfa0e10f16ea336c076baafc00db3148fcb9d2e0d6c47b54a44fb260863eb5e19216fa9af66278079641c0c0be6d900b7a15972f547817b5568d56713043e6e5ff1076558c92813e4182afa2218125d34dcefd046822a5414e113066967b22505550ee1cb14b0802a54bd6d770545cf8e0d897b41c5f027f4214a585179881f31714951f3913cdca6d71b31ac70e613d1fc063942e869283d66749caae34554bd5dced25491fed0618d73ba814ada082ad6ee0846d5892bef7aa25dd113dbdea2f73c019307cf2bbcc5615e8f87180aec700c93f5d86abecee27f758ebf7cc2acb32e3fc21bb3cc51541a926f6fd205421fdafbb1d83503bbe7e3b14c102ad2c50b66a3828d4072da61245856c482dcf4246771a40171b1bdc11348229525c16600af9f59539bfea9a9a506f25a9fa58021c2e7e04ea5d5224208aedb4aaa9f8f9154c585a964081110d1ff27604fd8cf506340a0cd146b96125d4fd4b96466657946b49c73f70ac7d7e79ce2bd0296c2cb80331afb370c3b129aec6464140000000bd89930168ed4271bddcc164755bad574db685e2ef8ab5a9b747bec3a7a785ff3e2cb77f57fca7f9688c05d61129ca1dde8980c98218323e4493c3e8dd53992e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000009738713076a01f968cd60e60e9220c6991034b48db827622d29db03f49928250000000000e80000000020000200000001399a950c9070a055da18c132c67ecfbcf7a2a3cd0ec7d8a44395037be672a5b90000000ddf3f184c0c5d34c8fb84956c5c193520928045e37ff9f401af9935b493a8b05749cb0137f485d5716c3fcbd0d7a54c2c6b1ec262282e6204ed05c99588e6524fb30bd7bed96beb449891bd6f03d7da71ccc60408f38a8eaca87118fec3eb1d9a4b3b5c6d3a5999fde52b45ff0cbcf92ca90af60733b292be667eb1b5770ea9c7bcaaab282a7a54776023e88a8e3423340000000c4a9fe551ff4d97611596a69f5aa078f0a5268a8fef679ab0de5fb73527ea478d3b8effc7a98ffb65a4e603e927123be0301b4abc4a9e8bf9f2da6960ecf3f77	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0249e0381bbd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340379007"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000a2cac5d40603ecec9e35669c1b1c32d1622a06c0149b2d898e70c3eb825da901000000000e8000000002000020000000f8e0b55b027916d90ea8d66220833369c7e06b21a9fed8fc9ebab08d0a99cf3ee0040000f98a893653107ff3ffa6186b2ae25e705d4ede6e94a9227e5841881877bd80eaf2da82e0b42aaee1b558b220905902089f6744bedd61ad79f120375e597ac8affa86137b11f65e2c71e436e5da013823fe94f8c60a17177061dc9726c2a6340b1ed64f31a28b8b3b1df8273c455dba21bb29e9367ed8b8c54da42b4b446d742e80c0fbaf868fb3038866299bfa197f5246eb988ccf90f886851fe8cf2e9c246568db6d4da56b31e8939bd16311fd2b52e46660e08736e66644d34d52903a869239f451d32528d2fddd169e2810b32f293c0ebe48efb6fc0e2c1ff0d2f1387008206cbb3474e491501f7afec78373b5cfac849bd0afbbc5ea11a7679950072b4f49257069ae63eaf6e54735d006773de82defe9aee6dd38b85ef2567fb2c8c027b30e5ce1c688e4637c7f6f8eb1d5fb22d2ccc4677ccc05389b8b79f20929df6517793d93d5de1d64421427da5fd45bb1f50cd0cdbb7e851042fc49a284e8a5cb01a15288cb8ca309d7622f3e580de6376f837e095e334edfeb302f2d9d98e020c570ff085268d65ceae8eeaea432b0f3e99623ec31f37349fc6e84884362eba28d3338a0136f13fa280849e9b2359d5fc70eb14252bd57e950437ee7d866a98513091895866d1e5a051b3a0565dbe9dcff8fd0817ca3b2c9f6cde68782e4c41e06db70334c2218fb2444450588a7c6c81ddd04d34bac3a6929fd6c7eb3e86ce10b387b9bfbcd61faf7649a198ef31ded045c29e1e4fa09388ac382eebdc1b7d97ab7bd7357c62233797791ff901f5c35e5ef50f0314a6b8ce3950d01ae022db3ae0f7ab3d18b56852a42df1563049c5fbbf63c32a73ce975d652028dfb8b74ea24e4cda37056757795c35531eefdc9c935a60ecdbdbe4c8c4563482c0b318a8617b579894b96afd50e673c4ea6e9dda87079d576b385419d05570f224ffede0a72214361d4e0fbb7fd84376da6f812f11d85931f97bd4e84d429397bba04059b46e7675249746a4f2f3e9cd99db8d0139a3cef21d96bf4039a9f8c5b6d8298637f02c8d76fdf0d01db15610fc3057ee0cb6826f6ca5b425037d9aaec71726d16cf1d05c3a44b46aa53aa52cbfe3f1abb561c7f0cfb6b1cd86e30a6bef6e5ee1e99db36f9e5998e6dcb77b14b7ccc7b5da12036bd21959028e8e5a499c206554b271964a576d16d6ee0b76b0682819d486ab6d57bef7c894026ac7ad6ff7d9967ecf3dc79f0d725cb94e7d6ec4bad1a7b8ea80f5fd8a522c13cebd36e7e9ac5bc7ca00a446fdff081d7547d2f256949002c39fe9db83fc7ee6b979aa0126d241f4f64c81a3e28ab417d2f8f64e51155483d6788ad240e4f09ffb0eeb5e4183f4f52c9c494ec0611d0d6aa2667cabd2d1149c7f953a833fa9e0a20aaf9bf120e6085651d339dd066de79f1d222b31a4459962e76feccafd4d713c80306bb593c91f50500b061a159bf6cd96e58fbe9171775f8a99d331845ed3cb432d1365e34ab88014133e9fc322a1dadcb3a43cbb55949ef1699fe318a55d2005a6793d4589b5e5234980f798a1687f8070c88ea9e8f4e1e9da58b27f1935f584b4c4bac526c689d3250a5fc86e54a38d02acd44a396d60f673016a1836dd2d34034e09b369baf1d6d8934289492916bca67a023dc4bd83889d460fedd9ba67dab91c15eee84276c4879956df4af9cb556c481fd1882eef95a94eedc14705f0b49181c62bf73aaac277cb16babd7bf2bfe4ee6f31efbef7068c148f320d5e66802417c62adb24000000058ffc88cbaaef58863f0c3c5541e34269cfd344da1d91dfe75304ee04444cfce7fc171a4fb07e08f5309a24d6e837427b1320c43690c6076681358b27a291153	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000007674da07476a87d97c93c8f51a7e0b6c6068138f2160bcdef866f2987afea9ca000000000e800000000200002000000019134a9ec53bec3b51bbb91263d7206cfa34cf1a4a55e5be8912be814cc7734ce00400003d0a5448942b6b775233d491e42f89d0c509698183eaf0e4c50ecfb8c9bf1eb427bc6adf51629d2bdf08e56e1da8b763afc825a5f606990bb5f972caa1f02a02707eb6f1c6b141ff39ce9145b90a78c32b1c41c9fe9a25fbb82a8b7aaf2cff725cb20777bbab53bcc557c1d20b06dad7396933b775c1bf18d4ea271e5c83a2441449000244a86bf54ade3c177a9b1cd472f53df6cdef900e8501eed38c014861d52c3b4c0e1b5cc5445e64d38990545859f7f6f9079f8e878c9670cb1025abf962adcd9fceed73f03e8126ea5b7e4dc88df0de67a6784fd2602e08ffb3db03dd19c469ac02ae8e634ab72c4c0a572721153497e92d13a98222946d72f801ce555c98379a49e06b4583a3b7eb79160a93d171d62946eb2b547c18fc56b93a098d1a84ea5709654721e473e01f5f50208f76ded0ffcdac05e04cd1add378d05edbef3d096377012a3b32ad83cb71800426fa82ce10500f0a6868a7c222c5d835edc5fe9035c1d220e68e8fd57267ffb3a637ff28a29e40ee8e6675c9ec4a5f9d7a1ed3100040699a8a32de33be5cddfb7b0e5dd5348f201d58891fae79a95caaf8ff7f9a38747fc42fdfe971f474d33f7d3144c777ff92d99339bb9f79b73a9f1e16f248578ccfebac28dbca87c666fc19fc08beb8a5833ddbd6a344be0aac1ab3b93729153efc5429b362e3e3f70c22d5a2d62ad0b9e985032f7d927fb6d130b503b530369704f957d254e72b918d6bd1540ded61d7d3df60b2a7eee58883e91138c8418172d9c5d0174963995df2962ec5fa8485f813550cc0400eb784310f5e54115da997880f8c269ea3d61ca72b6f5fb98b4076408206dce6d4a61a6245f640cc51e8c48627a4e1aefecffb7e9b35363727b5857688958da6ee4af68c7932c8f38143e4c819822201fcd3a15b1b82984702df639a577a6eb1c3e90ee1ab891607d904102d076ff442e9948a18ac4db9683782ef5f6f67c917d0a441156f181ed5b783c406f94d4c6b6efc933161365acd288a9f251f559b341f22d25a4f1d8ef908fe682ef621a08dd39c4b476d8d77a4e003919bdf53930caa773ed8675a8d8dba7218f8bcc093cd0c1401bcd3f755f6077a977058448e4ddc56cec6f1cca36e7e453df9166515e0cf5e330fe5076c5904d95953b06e0217ec13ccc4693a8bac8c620346812d3864fdb11acfc037ce90c677e5f4a4b5e621c1c050138825e25ab6e259f612da4d787e0e3ed07cb7b8ae6c09e318e8c85d15f26f74e1234c54e2c62b2ae7ea467e00aaa66ee54b195d49389e1d3fa3ef166bd36737e2105454d1b6502d7906d131e8072451fc604f0924a96e30bcf78ba0fa28c268529dbae20cd2c0e9b61ba839580b9d4406255509d0048984bd5c606d884901bbb414c4c2b6119dfeac4941269cc69b3d5ed1ff9d8e9f90a45bf595b8b6955bbb03db79bb6a2ad21c2c8bd45d074a11c3224b032db6e1555a1be2f7a6f5968791d80d58c0fafd67c49d590e234139396441f38ed82d8db03d009b3ccc5d4867119746cdcb543872d8367b81b0c067d2a674b13bc6df4cf7735a3557aa96fe7c9934305299876a84070604c541d7fc85cb165635b8c2286500bf80fedec9081e8f092128a0da4e97051bbb21edb087b43fc8375012d8725f5797459cef55f6415f5f012b90197e92179c8b6aed3322ba4c2cef64836f246fc64ee8baf0ea6c211c43fbb9c480208a69befd1857d3d540f237dce701e4fa22b48a502c03eef80c3216f4cf400000002c917e0a151e5e0355da2c0275d37179ec97561a5f7b2178994da3340ea5ac6dbe8641395de696903b319cbc55d66bf059f02d79e58b44371df88e92234933df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23D361A1-2774-11EC-8BB5-D613E35B5575} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a60000000002000000000010660000000100002000000033c6007f47a10259350325348f5ee3a1391542dda2caeb88117fb0ef0feb054c000000000e8000000002000020000000ac5d265dba4272581d0410a56be0244a22ed9edd0e14ed28720b89b9ec215230e00400002053b84b9da64fe0b85a258251965887f4f5e7ff9694deb00dd7ccc3f255bf00d31be6a33ec307cf494059888ed9358600990beb1da575f7a67e56066b2034207a4b3e49e164c3e368c6a18e97d20d9483be514f9efb2b6f7ee40f9f11123f9071424981575be689d3b5ddd0b6da9019d0d8188d8bf42cdcbdb2bb5ba2b5f3538bca291ac67a619d4567371bc97f1f5823397a404156640127e2a5ad1f8eda22e15d7869f8f66d671f45cf1da24e967b80f8a24543bd7303946fecbe9d7be5ab8064dda5a648293c17ebfc484190a8491dad6eca5a62e27453121e9582192a6b347c73138383d0fd12eb4967a256c2a6c0ba0189535356e85d4305aa00dfc3d63120230c3554a0ff5db627343e051d9e06374b2ba214878b40a281b90e849597e87d0d2179a70d394145aaa039bec93a31e4610eaf761e681745c905ea09b23fabd2a03e43b19f82f59ae09b61f03d1f06ceb00646cdf7a2aa28fd678875314d873692422a43ecd1317265c038ec4b02ba13bec3275dea712c2b57326ca16f0e55807ca528f1848b5bcec7e241ce8267107e66f3b4135ca0656e807c9dc00913a129aaf1ae4a2f6aecac141de1a3ab4eaede4f4c2111a1ee65941e948d585aa0471856a4a8f683f6c5cf74dfdda8fdc0a59b9a27b134908a66ff5ba7588d62238e952e4752b8c35cfd02101160aee25f0ae4603a9805e90a9dc5f75e739f3ca4a8de5fb62f6d4cbab6253ce22f0e9bdaac07a95889a216b40b1e9282f1ac89efa46630e72960d8bbdef9ba5ca7c4332b46789e8b2362cb963b7899a813ec0ab94c08d9ed4cf53f9bc9ebc6e6d99f61cca0f1577c26d743086b247efdde4581c861665e39df6e40be471f953bff38f1c67e39f5260de05b1c2c5a7b1d14982e8ca01a5e025c409e993e68421ebdcf4cccac3458e8db30ba96e5fdf72a755aaa8dc6ce15303d30910ee6916235e25b4aee4761a947d64f01686578dea5fdc309039cddf1ff2a0903914cdb7cef2aa2d6e1afb61bf3865c2266dcdc53abda53f577dbfbf9f09705b8c1ad912e57b04a0be77155512fe2801c898ef57ea59cc2fc07fd6d4be415bd36fd859f6ce9c4b833b06426e7b148827d1fc336a463b24cc1cbfb498a3ac021d3f1dcc8f0db330a5c79982b14d4759fc2afa35b382745510bdaa32bb58b54574343cb0e00b296ffbe96daeaf5b4fc8b079e072e9ad47c9c02980ed937af4fee42d7c9521cb75da451f95dbccfdac49a2940d926ce10845b6a2a44a0d010cbba6a9fea09a8fbd08b25f13cf944cb8a1ab5aeaf82f1e288829d0a0e3818b31df29cbdbf7def97e047fc2ed1c31761268ee98481860f1e7bd7880bb88a5acfaf58d9b9480fede76dc4f2287e962d11bfc7349b79edc366f5fc2d693ed2b17bf855b3f9d9a7df8c05ca8d4d1578887c5a0b09e61e4c71589111f50f7141d678f80a6b9c7b8a592638a1975436b99b10e355945c8fab3c6528cbc816bcae55ead7f78208fd3df72f182e9eb5056d78d1d628b9bfcb7227bb1145becff42a14ab845b6eefb1706b07eb7920009b1083131b228edbbdabd4d89f3972c043fa7261497b7e203921042bddc09140b847c75763917b47c43574e95b52fdeb1b870176087a2c199456984538bb2f2feaa695c507d4e4d5ac94f5369864de7ae85aef58db8b7c586662bf8311afeb47a25987c4a70c72cca2eada4286cb694f16ce3ac6c34e883c50d2daca80126e5210fa1ebe7ab5175d637f3150d3b214cc400000004532eabddc26912fc01c67814bd897580d1179ee913b11c6ebeffe2b6b625ea7b4418d43d6ae2faa7a1d77cc59bffb8dd8a03842046b103312edeeef67bdd769	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

896 WerFault.exe
896 WerFault.exe
896 WerFault.exe
896 WerFault.exe
896 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 896 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1792 iexplore.exe

pid	process
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	896	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1792	iexplore.exe
1792	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
616	IEXPLORE.EXE
616	IEXPLORE.EXE
616	IEXPLORE.EXE
616	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1792 wrote to memory of 1808	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1808	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1808	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1808	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 616	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 616	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 616	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 616	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1532	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1532	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1532	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1532	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 456	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 456	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 456	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 456	1792	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275480 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:406552 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
71808871c43ec4544a14e37bb17a8eb4

SHA1
21e3127b16b21fcb3052e3fd93867043a60b5393

SHA256
732dc3dbb0a5b5404f2dbcb9f91426a938d6e1937b0bac50e4d3241c650ea5e8

SHA512
cb5a3f6412987cca22e66b784957c7c62d58606f1a59e8ba2cf6a1b700df322adfd28264589108fd857b97159a2d321c640be02c7f545ee6254cf43e421d7dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ed49d87b1bb55354a1322b0d1015dcbd

SHA1
6cab9b6315b33997f512ca337e966ea1823d8ccc

SHA256
d24bf55d1caa1c4305c066f63fdddd8d66ac250bedb3e8f2f1b3e8ba49ecc055

SHA512
ab08df4cd4e6b4a417b0037b7a5b8affe49e943b3871dff37e676f9f26955601f286dd6e63a6b33f8d270f6db30493ebf42406215c99ab6e14b99e9e900d73ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20FS0QLA\9XG6HRRI.htm
MD5
d5900a63011c8f4bf657940b2c8440a4

SHA1
522bbf3f8444d110909eaad29ed1ff50e2676a0c

SHA256
00449460d22123fbad0c191f32b3b5d4138ab81842ac9e744daa915c54cb7d71

SHA512
7974fb2e3fea467430874b9230e200b4b1646f537827de04a2172cc4f7afa0cc9f2083da8bea81300897f18f2609805cd7b747616aaada072f51897ced1b5630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20FS0QLA\X6OVD52W.htm
MD5
36807e045688ea233b8e8f8e82a1bfea

SHA1
743e9e69376bb63fd1e4975f9c0e9decd9e67200

SHA256
21b6c4f86f1d6422d2a297dfaeebc07816c43021b49b188025f50378cadea000

SHA512
52e4b658062c34a5fd8b3951aa7a1d5f4abef9954186d6c5814094e62919895718425031f770ef8c296a9b8b8fd497cad32632eaa1490eae7855ff5b4d8ea013

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GW0A9R2J.txt
MD5
6fe18011ec862894c984acbee7c350d2

SHA1
cff596461541b8472f94d823b499515bc1a9f294

SHA256
0e47ce96eed9d6669df12f836185481d66208d9ff371fb93fb2d6878d5df7f18

SHA512
6cc80408a37e47a97f3fa31e0b3e87a60a336c85ce17f748936b4c3e7314d43f317e921f44d65782fcf48c15fd9839ab4d28eb749230e675cf8e9ea7714a7633

Download Submit
memory/456-62-0x0000000000000000-mapping.dmp

Download
memory/616-58-0x0000000000000000-mapping.dmp

Download
memory/896-63-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1532-60-0x0000000000000000-mapping.dmp

Download
memory/1808-53-0x0000000000000000-mapping.dmp

Download