hxxps://1drv[.]ms/u/s!AnWE7BCdi_7hgxBogqt9g3XXAdK7?e=C53B24

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{20C9F90F-8DCD-4BC5-B37F-51688102164C}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BD90FE57-8480-49FA-AF80-D34801D98310}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "413"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "4990"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2878934009"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1598"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "413"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.com\Total = "53"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1589"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "1780"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\International	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "64"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "4878"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "80"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "1794"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.onenote.com\ = "53"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "304"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "4990"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b6000000000200000000001066000000010000200000009c17e6e33d0b938f1af8188d70b3f32ca7e21eda2fdb610abff91b92fb165b3b000000000e8000000002000020000000c1763b92d104fd9be9bac69d233a574380b20e0efc12ec7b992464c779032633200000005aa4f690847700ff2bf80683965423242af0b81e20c8a112ea6777fada4e15c4400000005cb72f8013e444fa3c6cebe3dd92605de6fd3f7ae8f60928f79c1c03f1237c87b31a7579a94fd47767b08f772d5e227d03322be024548a1252ecf64c165144fb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "512"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b60000000002000000000010660000000100002000000028003cf6ac9472f33641b08d9c35f465c19951e332e09bf3e102095d2cb439ec000000000e800000000200002000000096c9ef8783ccb1d9068a00780ec9e6027c3c53f5855391acac17e42e8323265b20000000f51b777540de94eb429fcbee160686874f5a5489e2faf64aef5952f59a3c614b400000000cd3ca1c1096c8e092e5a37c839861d6e1ee72ff1ee4e050a098c2d9301a57a315f8878353634e515da86c1d2219e449da7d4fb72027b8b44449c79e309a7995	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\News Feed First Run Experience = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "6586"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "4997"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D35ADEDA-A5EF-11EC-B9E2-DA452DA1555C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "4852"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1605"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "43"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "4878"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000ba5c6cde49fe8ca220dce8e237a20a28d64aeb4cf5982f97f43d7ee997875394000000000e8000000002000020000000787aee1b2723c91b4e523de6f2abd0d5da1724e8c50ba812a0eba62371c03ca72000000037ced82834502ba29e1b4df6556f5723b62d5af34642ed1ba620de667a58371240000000d2766a17b3bca2dfbe7a6f7938c5cd0d80409ba8ed9c432c56f6523a3782d0617a623bf01804b7e8b33528f498e0fc62f0de648f34be49f31723d6dfdddae97d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpCache = e9fd0000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "447"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2822996150"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "360"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "4852"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "1780"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f44dd4fc39d801	iexplore.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006A98CB7F8 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000e30f17dc8a3c5fc02bd0769a568cf00ccd0312e3a8651da0a25b46ed593d796a000000000e8000000002000020000000a32556f099a3aef099f3e88ffb3ec9bbc324d192ea789865d3cde12d6b5fafad800000004035daf151246ac3a1c5188b117cf71f591abe28e72f8dc798f5b0765d8ac674bcdf5131f3f7e223772c890e7fcab22dd09e5139e0b318088c4e3a72da87c1ded0a353bb9a3a350f4595b5bd96c8905b3904031753aef82861a6c412b0a166d4bb2bc406e04d3b356de17e68869eba8d609417728bdd8797c521952f60252d3540000000f9f777f7316f074ff457dd80e8c3a1a6d9e80826f4477c0d3cd86cbd41b197d1f5e9b13d80632d966ecaf3573eb9c7aa1d9c8884229b5c1138b4913f69449b74	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000023c9eec1059e5631c68ef4d5cf425d2c2b1a43bdd6078d321fda048def5e956f000000000e800000000200002000000012e72da4e702cf044c79795c5cb6c204e0de31cd5ac72b20cac19d10fa403932100d0000cb7b79fac359a840b70e0cb66503af72c65c74cedbd60f8355ada1571d135050f18429ef36cd523772a6714e7c6141c6dcb0eabe05d641883a0fc2d1bc3b712763b598f605c755262ca844180b346452ca18a31fc98d888494dc94210113e3cfee48c3ad6d3a4574bbc653f527863acb192075ffd607b6f86ea64112f406bc3f12b686d969f2d5999d05cca69f14241bf680ef120e0734d9e418b5a48fbb3172185edcc9ee1d0a6db9dff46b597887eda4d386f2aa39e4fcb66b9e757a6e1a50e41fe87e7038bac748b7c7ec3a12dedd76cfca008ce071d8558faa4bda5b6015f3be78d2dda0280f25a8eebf9aae4bcf1a3352c976c002afd6a265f2c79937c70af51897eb392620a71fa3554f91ad3e3007a025c7835df3084940c096f036fdd27b922b80fbf59805b6f2919d9f631ee720de673e0b7615df074d40865dc12654fa1735c0a64e04d21e16447d4e10abf7aa9bb9d0565bc870e76e79bd7f6cec16398dc53b8a9acdd58c724aa156f92ef2c0cc5decfced740ec9597d8e43f13ab4c45b90013a7eb99f2ee9aa60dc2daaf12bccf623b73611c668fc8ff931fd34bf6476771f3b53b07dd992337045f4966f3f9c419a447e6fc7a866d3b1e2f6b9bd84cd78a304708a7be8cb36b728dceedcac03371543200be169a5d4cb0241bbcf39c3a006b439852c5f15ffc2db8ef20925533b8953ac5a00244f3d55d8dfb024d3d55754a98fed4d544fd6900e74424c765ca502ca259ca7d55f2e9d2ba150693a6ff282d618f714f276a36c83f370a938a048b36b9f4781ccdb4f0b9e89c5c0855e272c2ddaa762c5022d0b75e443f3318172f7857901b545b86579d7733717f6035f28cbfaba5f52250c4aba6c7897fd8d59871b2165fc8dab97662546afdcf5ff5d7c3cd3052fa7deeb44c635b52ab3ff28a13646b32342ec768c5d12298c389d9bf15ed64a85781d884883bd7d438733642e0a178f37e8c6f79a872bf1c494f4f777ffba78d94740054fe394b24c761ff86f8d5f69fe05adbd7efb88a1e1a63633fa9a572ca44abadf6a70b5cf11c292e1a6ea822db5b3bbedcf1d6d54daf78d3f579bc089ae41bda0f443616baf5cad25d275ba367d5bccb45a72b1e05056400e3bd97808c3fcbecc9413222b4b680b623f5881a21ecc300988a687634f8d8d93e356f402b0fc1484c4696808cd90fdddd5f0127a2fc5a486b5289676a1c171925748340bbf70f579a1f59fa58b0a8a3856f270b88fbaf308270a1285d121a9032b04fa385f24a11eda0333267f3164162d831fd09786b7a736bfb45fff4c9338dc5de0309de153da78e83897e41e4318b0ceb012fbe6afc211c375cb3e44d3746229db2ee48526fee431e7afbfe3135aae27536d4ae1b28e3f041781ca190b5a8db9abf9000f6888db29395a85b2adc3011a3eb2a4376869e4bd49455f996b15f92332f8cbe8fbc2f6b260767c6c92f7c6b7ca960581ad3ac9b508ae4755bcd7e52da87db43b32f767867ffbb76a6a4b57e27b39c32df3e2252682cac08d852183d7cf530352eec02ec1c71f13922df0cb3eb4514e26330114f42f234b70b625e5344552eb38b945b9015583078f6b84e0e1d5d62b0c2dcf6ce975533e9df540080bab6178a0d11ccbc3d6a9fa3e61c90998a6358db8db7234fc03c31fbf50e26bbff42e3046dda08cdcaa36e5a2184291605f667b6b91dfde14dab92235801c51d68ca9d6d57df62ac11de8459a51af80c0d2592458c759b40ad2cdbe7f19fadbd419ada771e2bd830f5a7d72871c0bf7952417c233214df06d71ad6128fbff42e34f78d1e60c21a6e8a8e60e5deab67f1b934678d427566d46d690271b065746318eeb16a82deaf28ed4dfb0a6c1d88beb6177bd254a0f28d80b585038ecf641343977fe825fcf310dc4684715f5926f8768d7632a0ae31f0a41f24cd05097b6fc4df743cea061ec808fe8980f2072afd6fd1383707cc781985ae88682b41a37bcd9017d9f1790113e55220898eff29bfb4a7d1bb062cc3c0ca4ed2c6af79c3cf9b0e7f88f17bdbc24f7b04e16016c38eb4bb1b988c636fda079149a366c3a3c64c34b3a0b7346ec44d9dde38c7487398fd170fa1ac0c54c81141cded3b105f9f507643872dbea2bf614241a5de95d5a9e48bd771160c9ce9b2993f1d82da6efe81f9e56814a5d66562aaa44e5ecf18d14e9a0991de485d23456975ee4dd594ef398e42e634f30407ae426c9a59be96a8ef8faa6a95d4a518d24b925935696a352c68d5352594f997cb3c5de7b854c9317fe8205e7329ca979df3e909d8f4a6fee2701e150f5c70b2b2e86a17cb3f02260953edceadf5432e0dba528ed6d390cb475ba0fcc0b81d0314860431303231acf4138ab0c04027c9c69feba3bf056ccf204e6baf904d7ea1ac8776ae6318085545a59bfc8c80fce5f189a782e9d2ffde9ebd159489a7dc30c258712e8eb9ca18a7516518302f8cac73469672ffc4ead8813c6b00cd12339896b84334c9e03814b4ac89dfbf1d4a74b456971ded0ede6a6ef39f46d09eaa1e09a01ede245357ce97219cc83ea3414088535e6bdd3ec6ed2f64d62c86dc3494aa43ffe18d9e0eef2922819d49b6531a01bf3d6cfad3b0f5c17e28e3ab75b9185fe2d19f9a7a35f99389d24e732614077913b75c39085e33cdabe498021a1dcdaf6d17dd4867190430c01b3ed239596cd595dc4a5942b867c982fa1759846230de1b3e285f4aaaa97fa1deabddb8f8a404112a0a0eac1632ddc7813e7547f25f6ae359188315d37212881f97a0b16243377ed1d59fcb3805cd8b552ef858b023d61947da51ce030c9f2de28a9704f16f0989b95774fdaea7c0a79ef532269e6fe41d0b4356eebd18a45af68c274bf28b9cf81b1e8cb99e2f03e4aa3e30341ab6969aa35ee0e18da9d3e341ee4db39f7a6e5ebccaccf19bad0ad370855afbb808032457f3dac508d2c816eb74e84f84d8091279fb0934553fb94aa2258a6473680edb4c105ecc3ef1896ca4e9d5db3edbbdcc9abe8777ca06f6e4187ee22cba806b3baa76c8fb01cac6bfc68ad3b2eb7c73289aedc8f47c1d6a3b1a25d2bb50fb196687a77786dedad20b428302f4966035952d61e638b6cbf424c7bf963ccbcb4509640156cfc50cb41f01a2cbc18b1af6b1e156ea8bb9e5b52972629209374f7e79b59d5e4183e7e48b592a4bd99de31c4acd9dc6acc4027c423963a0599f4e419e8310c087431b115bbba5d67fd6a1e7077bc9ff6994485fb78889991a297001daac9048603e8edb05f0ebb3dab212ff3edf66a846c7a8b8eb89587a3a69376e2f028db788ff5f58939ca69d72588c31a8e72284ff4878255c2a7638604840c7fca25193b4669f3c78185454a859b88ead73030be5da9f175dd5f68bfdc03b94d4dfb0eb994121fb71d2974f92e3b5819d607edd963ecdfbe47f100cec2dd3e18838ce6a79c638d9f7fbf86401223cd6dba2b03dba66344c9403ea09311d2e13a5d9e030ed010c33f45d18210d9f4ac8a93213397a5812a635b02bdec7eff1f1f78f171ce7ac25888e247f44135199ad898007a4086397332bd20d85e05453ee21187c980c36a9983ad8ed7cc6217468920d6235ec07a28244dce97f1960fa116930b4b7439c0e1cd455ac8fc810add189a735a4a5872d7d61cd71ffd8d04657dd0d216b4cf4971682fcf69fad1ca64e8fc47c38741a191ca1727c1504ee7708c006eb53c36173794264650c629257f2c765275dac7fcfdce36c38bde3f77d54e91aab0ae61ef4328c09d137a382d3ad72d8d922c1dd45d3eb7bdbf4c98bd50f96ad943c003b889060901820343a834adc134f052ef8d7ec1a7924f99a9cc78690c4bd959d4614de7fd78f0f95eec175fe59a0982af8281cb51995a789085457e037235e3c52c990d236934fdba8d43d94bba01d0e400cf8f6edc7c6311930bee1974ae226f9b538515050eb60371539142bc0dc8f44e2c0baeb94f8c5d5cd726682d3c7b73e08bb8b2280b860fc260783496300f7cc0a43e4fcfa42ec7af403027b8d0971c1375432b9cd7caa6a19e184d7ce37f576b9c1ef3165806c11244ec183dfa8f886920650de4342bcd1869210ddf1aa47fb87270cab1d4c6d23a9cb0f58aa3f553fdb39a9bb358eb046b324591a345daba2e4b465c2cf9f399d60671e1052b4280f8d813cd16198c84492c677eea45f9e286c58130d76db4ecaa2e61ef92edf95379896f40dfdef492edd2ee9f660893bb9f6873d091a65dec4b11b6b136fd93a91f8b7cee54e4a84cd584425e25e5367ba1ff01bf30e6f4a0783b6e8741b5ab2e3408ba0e509892e3b86c8c0def1b68716df916cd5ed5b0ae7fa30382f058457607f5098038d4c24fbb875de8dc3d487b2d90b29505da2b987fcc0fded23fddf97764eb35d839598a2a811819a70454066dbbd855ae79992a84a88f64eef5d9391cf4f0f2bf51eca193853d8779a5b69bf633262b7a628754a73e1042d69591ec52622fdf7d75c1d2fd5727256693e06796f9de2382cf6af23b7159249cf51e65461a0a8c4b6ede95db84fe04cda113c6b88330439f5c9a56a63d50c068248fb732fb01cc5bc97d2eae9dd0772cf7077626e2a76dd77accb0bd97dab39507561e4eb3b47994119003611b7e2f312b5e3ceae9a23e413fd6bf3ed58167f0b415440214592b93280e95b2ba54a94ab0c3f00dcfe31dc6b19dd6dd89aa3b400000003e0f35a8786f077899a1325b20efe033823aeae047ab263853489af6db176e7a94fda2070a4f91b22d26f7963310549b32b638a3af1e51d4a56ac14ea3153370	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006A98CB7F8"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3232	iexplore.exe
3232	iexplore.exe
3232	iexplore.exe
3232	iexplore.exe
3232	iexplore.exe
3232	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3232	iexplore.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
3232	iexplore.exe
3232	iexplore.exe
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE
3956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4308	3232	iexplore.exe	81
PID 3232 wrote to memory of 4308	3232	iexplore.exe	81
PID 3232 wrote to memory of 4308	3232	iexplore.exe	81
PID 3232 wrote to memory of 3956	3232	iexplore.exe	87
PID 3232 wrote to memory of 3956	3232	iexplore.exe	87
PID 3232 wrote to memory of 3956	3232	iexplore.exe	87
PID 3232 wrote to memory of 3972	3232	iexplore.exe	92
PID 3232 wrote to memory of 3972	3232	iexplore.exe	92
PID 3232 wrote to memory of 3972	3232	iexplore.exe	92

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://1drv.ms/u/s!AnWE7BCdi_7hgxBogqt9g3XXAdK7?e=C53B24
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:17422 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3956
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:17430 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads