Malware Analysis Report

2025-08-05 14:04

Sample ID 220424-mptcxshag2
Target http://zerit.top/dl/build2.exe
Tags
vidar 517 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://zerit.top/dl/build2.exe was found to be: Known bad.

Malicious Activity Summary

vidar 517 stealer

Vidar

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Suspicious use of SetThreadContext

Modifies Internet Explorer Phishing Filter

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-24 10:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-24 10:38

Reported

2022-04-24 10:43

Platform

win7-20220414-en

Max time kernel

178s

Max time network

221s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" http://zerit.top/dl/build2.exe

Signatures

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e03a954ad857d801 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402ee45cd857d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "357568912" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000008ec3c9a5c276a9a51745987cb512b56b566ef6fd70d3f4cbec1e4f0fabe781df000000000e800000000200002000000059cff5ae4c4afb1df28aa68e6ae30c4d7e381884aa3b2a1e64a7758ced059d172000000035897302ee51a365c44bed1759fc529150a2f99b1e227c8cbbbf2a03ea85a10a40000000ff52c472d967c202dc21d3463f6b51de7d85b3e503384832575cf037c3c3dc5073d75f2b0a88f14214e9f98b97bd9c0248d9b2b3ff863bb547904767f7071bac C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8270F121-C3CB-11EC-8B7D-62D05D50A506} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 1664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1460 wrote to memory of 1664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1460 wrote to memory of 1664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1460 wrote to memory of 1664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1460 wrote to memory of 1476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1460 wrote to memory of 1476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1460 wrote to memory of 1476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1460 wrote to memory of 1476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://zerit.top/dl/build2.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe"

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe"
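Worked example, added here and not part of the sandbox output: a parser for the flattened signature rows above. The report prints each row as Description, Indicator, Process and Target separated by single spaces, and the paths themselves contain spaces, so the only reliable column delimiter is the "C:\" prefix that starts every path. Run over rows copied from the "Modifies Internet Explorer settings" and "Suspicious use of WriteProcessMemory" tables, it makes two points the summary hides: every registry write tagged adware/spyware comes from iexplore.exe or its x86 tab process, the browser that fetched the sample, and none from build2.exe; and of the three WriteProcessMemory relationships only one is a process writing into a second copy of its own image (PID 1476 into PID 1956), which is the one that matters for the Vidar verdict. The frame-to-tab write (1460 into 1664, whose command line carries SCODEF:1460) is IE's multi-process model, and a parent writing into a child it has just launched is routinely what process creation looks like to an API monitor. The row subset and the verdict labels are the example's own choices.

```python
import re
from collections import Counter

# Constructed input: a subset of the rows printed in the 'Modifies Internet Explorer
# settings' and 'Suspicious use of WriteProcessMemory' tables, copied verbatim.
REGISTRY_ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
"""

WPM_ROWS = r"""
PID 1460 wrote to memory of 1664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1460 wrote to memory of 1664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1460 wrote to memory of 1476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
PID 1476 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe
"""

# Columns are space-separated and the paths contain spaces, so the only safe
# delimiter is the "C:\" prefix that starts every Process/Target path. Indicator
# and Process are matched lazily up to the next " C:\" or the trailing "N/A".
REG_ROW = re.compile(
    r"^(Key created|Set value \((?:data|int|str)\)) (\\REGISTRY\\.*?) (C:\\.*?) (N/A|C:\\.*)$"
)
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_registry(raw):
    rows = []
    for line in raw.strip().splitlines():
        m = REG_ROW.match(line)
        if not m:
            raise ValueError(f"unparsed registry row: {line!r}")
        op, key, process, target = m.groups()
        rows.append({"op": op, "key": key, "process": process, "target": target})
    return rows


def registry_writers(raw):
    """Full path of every process that touched the registry, with row counts."""
    return Counter(r["process"] for r in parse_registry(raw))


def parse_wpm(raw):
    rows = []
    for line in raw.strip().splitlines():
        m = WPM_ROW.match(line)
        if not m:
            raise ValueError(f"unparsed WriteProcessMemory row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        rows.append((int(src), int(dst), src_img, dst_img))
    return rows


def classify(src_img, dst_img):
    """Label a writer->target pair by comparing the two images (example's own labels)."""
    if src_img.lower() == dst_img.lower():
        return "self-injection"        # same binary writing into a second instance of itself
    if _basename(src_img) == _basename(dst_img):
        return "same-name-other-path"  # e.g. the 64-bit IE frame writing into an x86 IE tab
    return "parent-to-child"           # a different image; routine right after CreateProcess


def injection_edges(raw):
    """Deduplicated (src_pid, dst_pid, verdict, write_count), in first-seen order."""
    counts, verdicts = Counter(), {}
    for src, dst, src_img, dst_img in parse_wpm(raw):
        counts[(src, dst)] += 1
        verdicts.setdefault((src, dst), classify(src_img, dst_img))
    return [(s, d, verdicts[(s, d)], n) for (s, d), n in counts.items()]


def self_injections(raw):
    """PID pairs where a process wrote into another instance of its own image."""
    return [(s, d) for s, d, v, _ in injection_edges(raw) if v == "self-injection"]


if __name__ == "__main__":
    for path, n in registry_writers(REGISTRY_ROWS).items():
        print(f"{n:3d} registry rows by {path}")
    for s, d, v, n in injection_edges(WPM_ROWS):
        print(f"PID {s} -> PID {d}: {v} ({n} writes)")
```

The same two regular expressions handle the full tables above; only the row subset was shortened for the listing.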

Network

Country Destination Domain Proto
US 8.8.8.8:53 zerit.top udp
KR 115.88.24.202:80 zerit.top tcp
KR 115.88.24.202:80 zerit.top tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\70SJFUCP.txt

MD5 35522e1e46e435073309756e104883de
SHA1 2cabc7c6fa000736c2805e14c647e35a328cddee
SHA256 62069d095a8fe4c93fc13c87a72e0723e119e795158b210c68a9308d44620116
SHA512 58022b4f52c1ca10d5fa4bfca02e4311623142e5975d1b3dd03a792a7b48bb79fecc8c30c05c854d1967c1e4c83d77b9b9e4552d19813d3da914b80147f029d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe.lcntzzq.partial

MD5 ad1b502b6714c0a374b055332018974b
SHA1 672f4e44475177ddcb1bfa73db3c5dee0f031bc2
SHA256 f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95
SHA512 0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

memory/1476-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe

MD5 ad1b502b6714c0a374b055332018974b
SHA1 672f4e44475177ddcb1bfa73db3c5dee0f031bc2
SHA256 f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95
SHA512 0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

memory/1476-58-0x000000000056C000-0x0000000000596000-memory.dmp

memory/1956-59-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1956-60-0x000000000042118A-mapping.dmp

memory/1476-62-0x000000000056C000-0x0000000000596000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe

MD5 ad1b502b6714c0a374b055332018974b
SHA1 672f4e44475177ddcb1bfa73db3c5dee0f031bc2
SHA256 f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95
SHA512 0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

memory/1476-65-0x00000000002E0000-0x0000000000329000-memory.dmp

memory/1956-64-0x00000000769D1000-0x00000000769D3000-memory.dmp

memory/1956-66-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1956-67-0x0000000000400000-0x000000000044C000-memory.dmp
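Worked example, added here and not from the report: a parser for the Files section above, which mixes dropped-file records (a path followed by four hash lines) with memory-dump names. Two checks follow from it. Grouping by SHA256 shows that build2.exe.lcntzzq.partial and build2.exe are the same bytes (the .partial name is Internet Explorer's in-progress download, renamed on completion), so there is one payload IOC, not two. The dump names encode PID and address range, so the mapping address 0x42118A recorded for PID 1956 can be checked against the regions dumped for that PID: it falls inside 0x400000-0x44C000, the region of the second build2.exe instance that PID 1476 wrote into, which is the pattern you expect when a parent writes a payload into a suspended copy of itself and redirects a thread into it, and is consistent with the "Suspicious use of SetThreadContext" signature in the overview. The excerpt is a subset of the section; reading that region as the hollowed image is the example's inference, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the Files section above, copied verbatim.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe.lcntzzq.partial

MD5 ad1b502b6714c0a374b055332018974b
SHA1 672f4e44475177ddcb1bfa73db3c5dee0f031bc2
SHA256 f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95
SHA512 0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

memory/1476-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G065FIJE\build2.exe

MD5 ad1b502b6714c0a374b055332018974b
SHA1 672f4e44475177ddcb1bfa73db3c5dee0f031bc2
SHA256 f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95
SHA512 0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

memory/1476-58-0x000000000056C000-0x0000000000596000-memory.dmp

memory/1956-59-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1956-60-0x000000000042118A-mapping.dmp

memory/1476-65-0x00000000002E0000-0x0000000000329000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# memory/<pid>-<seq>-0x<start>[-0x<end>]-(mapping|memory).dmp
DUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$"
)


def parse_files(raw):
    """Return (files, dumps): file records with their hashes, and dump records."""
    files, dumps, current = [], [], None
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, seq, start, end, kind = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "end": int(end, 16) if end else None, "kind": kind})
            current = None
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.groups()
            # A hash line must belong to a file record and have the right length.
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad hash line: {line!r}")
            current[algo] = digest
            continue
        current = {"path": line}  # any other non-empty line opens a new file record
        files.append(current)
    return files, dumps


def same_content(files):
    """SHA256 -> paths, for digests that appear under more than one path."""
    by_digest = defaultdict(list)
    for f in files:
        by_digest[f["SHA256"]].append(f["path"])
    return {d: p for d, p in by_digest.items() if len(p) > 1}


def region_for(dumps, pid, addr):
    """(start, end) of the dumped memory region of `pid` that contains `addr`, else None."""
    for d in dumps:
        if d["pid"] == pid and d["kind"] == "memory" and d["start"] <= addr < d["end"]:
            return (d["start"], d["end"])
    return None


def mapping_hits(dumps):
    """Non-zero mapping addresses that land inside a dumped region of the same PID."""
    hits = []
    for d in dumps:
        if d["kind"] == "mapping" and d["start"]:
            region = region_for(dumps, d["pid"], d["start"])
            if region:
                hits.append((d["pid"], d["start"]) + region)
    return hits


if __name__ == "__main__":
    files, dumps = parse_files(FILES_SECTION)
    for digest, paths in same_content(files).items():
        print(f"{digest} appears as {len(paths)} paths:", *paths, sep="\n  ")
    for pid, addr, start, end in mapping_hits(dumps):
        print(f"PID {pid}: mapping 0x{addr:X} inside 0x{start:X}-0x{end:X} ({end - start} bytes)")
```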

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-24 10:38

Reported

2022-04-24 10:41

Platform

win10v2004-20220414-en

Max time kernel

139s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" http://zerit.top/dl/build2.exe

Signatures

Downloads MZ/PE file

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f982cdb29d50d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{806CD8C9-1E77-4738-A2D1-9C84390E9AD3}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b09150000000002000000000010660000000100002000000042d4cd9f3ca3c52d91b2dd0438d489ede88359ca847684001ce70b5945883676000000000e8000000002000020000000ed4d6565e8fda8dcc473ac66e87f3d3fca831a1936c24dc5c3481c2a576e83bc2000000030f332d1d0e93c5de091351f89012f83dacc2442ec2cad8ba4bcbf62e8be44774000000030ca5433b1b594323c6a1a98c1f86af4c15de4a9a7e4833a2a0b99ce5ca58e0ad0c4bd7a28d0fd6865cae606cc395d263d7b4e4901371d3120b06a8411c002e6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400f1659d857d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30955480" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1477910889" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1460565753" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000474fb81d69452ebd6e5bed3235e9cf9391d59173eb5faad8f62b55a3189166e2000000000e80000000020000200000002d552dd6cd7e513285314564e1ecbe3d560e97eae8ad783d12d58bf6d057f74220000000f35d12cc35b32504447e4795c138876827d63ed60807532a105a64ca89962b6340000000351a40019f1c7695414106c9dc9b7edcb939c06e982843f65e3a9490c6a1fa3ee990eb1f8df6001522f89fb64bdce5e4de138928a4611ef2b46ad00ea9186d63 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "357568914" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30955480" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{828B386E-C3CB-11EC-AC67-7E149D876A3C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30955480" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1460565753" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80230359d857d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\RepId C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://zerit.top/dl/build2.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:17410 /prefetch:2

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 zerit.top udp
KR 211.171.233.126:80 zerit.top tcp
KR 211.171.233.126:80 zerit.top tcp
US 8.8.8.8:53 zerit.top udp
NL 104.97.14.81:80 tcp
NL 20.50.201.200:443 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 ocsp.msocsp.com udp
US 104.18.25.243:80 ocsp.msocsp.com tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 2.tlu.dl.delivery.mp.microsoft.com udp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.97.14.18:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
NL 104.97.14.18:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 3.tlu.dl.delivery.mp.microsoft.com udp
BE 67.24.35.254:80 3.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
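Worked example, added here and not from the report: noise filtering for the Network tables of behavioral1 and behavioral2 above. Almost all of the second run's traffic is Microsoft Store and delivery CDN background from a fresh Windows 10 image (behavioral2 never shows a build2.exe process at all), and several rows carry no domain. The code parses the rows, treats UDP/53 rows to the resolver as queries rather than connections, fills in domain-less destinations from other rows to the same IP, and separates platform traffic from everything else. What is left is the distribution host: zerit.top resolved to 115.88.24.202 in behavioral1 and to 211.171.233.126 in behavioral2, both in KR, so the domain is the durable indicator and the addresses are secondary. The platform suffix list is an analyst's allowlist chosen for this example, not a verdict the sandbox produced, and the row subset is constructed from the tables above.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the Network tables of behavioral1 and
# behavioral2 above (a subset; the real table repeats the CDN rows many times).
NETWORK_ROWS = """
US 8.8.8.8:53 zerit.top udp
KR 115.88.24.202:80 zerit.top tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 zerit.top udp
KR 211.171.233.126:80 zerit.top tcp
NL 104.97.14.81:80 tcp
NL 20.50.201.200:443 tcp
US 8.8.8.8:53 ocsp.msocsp.com udp
US 104.18.25.243:80 ocsp.msocsp.com tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
"""

# Country Destination [Domain] Proto; the Domain column is empty on some rows.
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (udp|tcp)$")

# Suffixes treated as platform background traffic. An allowlist chosen for this
# example, not a verdict from the report; tune it to your own sandbox image.
PLATFORM_SUFFIXES = ("microsoft.com", "msocsp.com")


def parse_network(raw):
    rows = []
    for line in raw.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def triage(raw):
    rows = parse_network(raw)
    # UDP/53 rows are DNS queries to the sandbox resolver, not connections: keep the names.
    queries = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    conns = [r for r in rows if not (r["proto"] == "udp" and r["port"] == 53)]
    # A row without a domain can usually be attributed from another row to the same IP.
    ip_to_domain = {r["ip"]: r["domain"] for r in conns if r["domain"]}
    platform, suspect, unattributed = set(), defaultdict(set), set()
    for r in conns:
        domain = r["domain"] or ip_to_domain.get(r["ip"])
        dest = f"{r['ip']}:{r['port']}"
        if domain is None:
            unattributed.add(dest)
        elif is_platform(domain):
            platform.add(domain)
        else:
            suspect[domain].add(dest)
    return {
        "dns_queries": sorted(queries),
        "platform": sorted(platform),
        "suspect": {d: sorted(v) for d, v in suspect.items()},
        "unattributed": sorted(unattributed),
    }


def blocklist(raw):
    """Domains first, then the addresses they were seen at during the runs."""
    t = triage(raw)
    ips = {dest.split(":")[0] for dests in t["suspect"].values() for dest in dests}
    return sorted(t["suspect"]) + sorted(ips)


if __name__ == "__main__":
    t = triage(NETWORK_ROWS)
    for key in ("dns_queries", "platform", "unattributed"):
        print(f"{key}: {t[key]}")
    for domain, dests in t["suspect"].items():
        print(f"suspect {domain}: {', '.join(dests)}")
    print("blocklist:", blocklist(NETWORK_ROWS))
```

The two unattributed destinations (104.97.14.81:80 and 20.50.201.200:443) have no domain anywhere in either table, so the example leaves them for manual review rather than guessing.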

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2f8fab3a1f291abb53c83aeca4678801
SHA1 90ecb4334d521f5c73deafed89a1becb0e3b0542
SHA256 b536391cd57031878f5ad8e1cab78e86a9b6521cd27da48932dd6822ed9cdc55
SHA512 695b4ec2dc82482647aa449c16c0780d1446c62cdd86a9557d7742b587a62ed9e8586e5bf0861eeae80378ce7c2b2a8eabda6b5de134d9382da0f1ab316faa53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d88b60888c2c6845f9499375071fcd14
SHA1 c73d433d4129bce3d86c1044e06d204b5ed76313
SHA256 2490266cbf24372b19047c780b8c331dc6668a045c641d156cc4c284843fc5c0
SHA512 ecf796cbff7414c685ef6a4aebcf51858bf69d3d373f4a5c90ed35512cf09d636f114de9493aa9c3c175e120c841a43e907c42f6a8d7c89af09d753a399f2740