hxxps://login-microsoftonline[.]ewe7[.]monster/?

Analysis

max time kernel
81s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://login-microsoftonline.ewe7.monster/?

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster\Total = "177"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "172"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\a2c30449-7a3d-4c3d-8b2d-ffe702a6a19d-ebbb3e8d.ewe7.monster	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\30e3d5a8-7955-4c1e-92a2-70e820917159-ebbb3e8d.ewe7.monster\ = "124"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\30e3d5a8-7955-4c1e-92a2-70e820917159-ebbb3e8d.ewe7.monster\ = "177"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster\Total = "48"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000e248e5707fa3566a2fee487c38f0e5d4a7376054a653630f9865a2e9ce68f021000000000e8000000002000020000000dba30092dafb34ed05f6797f17b144eb2d46eae50580884c1d5102fca88160d0200000009deaf58a1308f4efa38d1de73de4041c8d4afddd20680d842d382156ba99e9a14000000096b98c6b0bee135d1bbfeccd5c90e65c10a40dc7408f0172c2983cac4c4383d13df328808b5aec1463203ecbc817724e4870fdf4bf9a36bab5426098cf1d92cb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\ewe7.monster	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993148"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f4cb8afcead801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993148"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80df6488fcead801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000f747e78b90a178c64cda4fe4de0d90657faf3fac49389b8a97c7e317539c5e63000000000e800000000200002000000012972bbf41634b323a0e863a007f9dcac79b3ede197358a9f2563c4b625a62f420000000846fe2e53ff987d8ef9fe96f7bd338ab051b530f932001e616f2a3256217bc094000000098c491345bbe10f8688164daecf5c6c719a2a738169dd5ae4b2123f7a8d9fd1bf13b352cd09b9415d533250e68f516ceb961a1769e73d505765f2e05d15d0bb7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\30e3d5a8-7955-4c1e-92a2-70e820917159-ebbb3e8d.ewe7.monster\ = "53"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373747275"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000822bf5cca97b6d10c8da44e93a1b8cc52afcfed615e7045aa2c49e1edd035b61000000000e80000000020000200000007118c4cc928eaf24c4819da152b419a58f5e18077667338525a7b97f1f37a27720000000de7fe06f43fd369f1a5b8f926947799b0ef3e75cbcca5a504d74787041afccaa4000000066123df173c777432f29b1b2215a11459def7c58e573153eb5b44da915bd41382c0cc171ea2b76a079c7be5b915845b224011293f4fafeedf601259c7743b5c3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00908794fcead801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\a2c30449-7a3d-4c3d-8b2d-ffe702a6a19d-ebbb3e8d.ewe7.monster\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\30e3d5a8-7955-4c1e-92a2-70e820917159-ebbb3e8d.ewe7.monster\ = "48"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2263790906"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000fd8d0c72367ea44aed2319a099a0ecc93cc9721ca99106877f4585c3498cf580000000000e8000000002000020000000031e35a68c4eeb3bc36fd71e50c65f47322afe63ac82425f3d352c47a67ef410200000008674202b9cf70760de109b5d8c166924c7c8d5ae86b894ded5d1029d525e30ea400000006875bcb69034853c865a836d2188ab7a8e40a81e4763d29f024dfadbaff153b6d36b10ba0a81b3637d8d23afdb85723583281638a58b9feaf98010ea26339218	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "177"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2263790906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\30e3d5a8-7955-4c1e-92a2-70e820917159-ebbb3e8d.ewe7.monster\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000dcadf0812ccbe08a5262c386500ea1b335769afb88e6a7f4e8a99a6a5d917db1000000000e8000000002000020000000c536f3a4edf118547709ea60be39354651499b2c7e42c67f09b167b119e28d23000b0000b465b0aa03f3c1600fc64475f6799cc534169071974805b228caff424d53e59ed96ecc6ad26b5915f2495175aa6784b1fbc1ff2915ba4c90526f4b7af6ad8ff59a73e2cb1298a2f51e2e896f88a72ec1b527f52b2c4cd690048675eb28296b8512063f381b1356f64835403c7df71040aebee39cd5c565963e805d4d35f972e02888aca54d288e4144b8484ec28706f8fa37a1c53c7351847aa670d36b867fae8d959f2924c6d0b862da4620ce642f65d01651c63a7beae3b78fa509ef087edd8abd74256954ab90e91fb472a746e2d06c6c830a20a2f8cc89c1d1174b801ea3b8dda1ed23b047ca027616eb109daa7559d2cb9177ce98ab4646d45293cf9bd62475c40f1af5f839b6e8b445d3c2d8a4de5e86b21a1e3e6d1f2a88c9f2b7c733e8227f9e1ea8992f5f02ea44e55433b60fdca240815024a95babf8b985c73d3a73dd0cb9fb8f4fc0adc1ad713a3b28c17dc7ad80dac1e2c637e010b82e1cdd4e30b77a41070830eadd8944922e676f5637b513d7d21879222d46bd4099c5d588e1361f19acdec736850831763801fd2d8c6162e4f7ca002cc20bfa791c8e36121acf2ea0860c6334f8a7a3fafad5f2bafd1b3cf268948a48c4eb238ce3caa5e45bb8323609af9cf12d4451ffe99a238f6fd1a114ce8ae8b34336eb599dc4c3eeb756048bb3b7404998caaccb80d9f863f3904d671faf6889883021e4c581583a4027c9f9b8f78d0f02281e849abca2e94493f39b2df450cc42dd3c5a4c22ad1d535f3efa07b2bf1d478495344beeb9c03a37f001b4d755ca2838effa071deb530ca1d2fa28f55378f45aad4d21e0651e49a7bf2126efea8b6d6b090265996f7c99436e7e932459ba18def704059dcb2df71b391635df429935f7ae58701480615cb82e4160679fb00ecec687399b65c283235fd583a371b45a5bd032184e48d8d409fb045a6a47e9f3c98ff2e201974f068b40373ab8380e125dd02496320ee28c08c71497d2e0b0c50c5461b642ed9a7668ca03bb9542af0f56c1f0a03f5ef244d791249d148cd4f2feb7c05a824a79fc74b83335be03b97999bc9580d6576e26e0717056dc8761feb1da5f35689b0739500112835015d9a606a24bb93f2c30357f193739355b9ec913c51cba3391d8b8b5c3be186fc221c70533fa2721b2b30f91378a621a8340ab77c8b9767e8c6da319069dc5c0ee6355117af8aaf38c7423a0f12d1b1b9c2305880d6d38b07a3121eb343e758cdf251d4a70160a2117bdc5a7c54c3b76685374e0435e06944d1c7f48ea1da92821807a281db7b85c3ccf10a722047373a3f3887140e2679d9c000a8548d30ce0df006abd77b8f4428337b6729a42ec4d1106c7b27394f0989269baf4e8ea42f6b3a47b0348bda4d3b4fda1223567f60b60807112a6e5204d17128346f4e44a905e388e4ce402b52c672b4332ff8788b170515190e5b4fe29bf36dc54186c1c75d08f01214b38210a0b54d98a9098ad58c71619d3657418c8ed70394ff148adc1f2655516e0e00931964c8e5a71dffaf23f9c82156222769b087bd84f114dd6f2dc5d2d6d0143e36cc80427b5971d13da4cb60e2a763e2a208d048cd491fa2eba1586d4f82971863350f0f91384007f661c934f71ac12e3363f85e5b6db6b339facd67d2cc12cbc6b5defa2891de3dbab6802b67788a9f4f5f51b47d5f8784217e8d15dec73fb7c19e38f368b059600c348c071e146c207ea74921dd51b5a6a5427c956058d8ba32f337be3cb61184cd40f7ff44cd151512faff8c1d40e38c3cd4384f5bbd0b4162519fbc22e843bde173d5493bf1097fad226e2188fac927905e5fb13319d906e17fcda99d8a62d1de0175cf1d24949dc2e21d728b0c52c9aa76d2d9077b9e7d77156d1cab68c7383a7981944c7fa9c5e80a94f62ce3ec8291544283f36a9df3a3788ccb1974bdebd8407eb1dc5dec4b3ae39289515533e95fe556feb1580b48f87cddbd227f743b29b6fcb9afca3e8904bb2fb51e8a914dc0710be5ef8bcbb38228e36e4ca4e78a2e98fe21c08d848cc13472c7a7f61073e125245b0839cca6fc0aa450c85c5ef63760edf81e1265e01d561cf1b5464a3194050b807f623fdbdfa7c553e4265e723b9a493fbd0b3063eab75b2d45de6013673061598548a5b97f4956f49d2f1037d41a40fe666439f97d3815fe39073314c4aff94b9045ea88f91aa71bd3f422db3012eb6c53952fcec41ea16986c55354dcd77b9598ea14125c8fc9039d1bc20fba7ea8ffca501639df29419e156c7e39b0c1d83e41e46b9f9dcf3d37505a6d3721138099a8adf4515c8d760c19bf792d7ef6b84a80407165a84c0daca820141bb254d0983a5027129a433231d22e4f62c981ca34d3222269fdac566c7cf8f67060a2c88c6dcc23ad772f5ea728b36e54b174580f9fd547c4c02ddc0622a5ac76cd2474171babfb67003c0e486f7c1a92b8969ad49fe090eca62b7846e86b8960b56bd170a29cc7c26f36b23f418966cae4d40b0ac64d6a99d3f8c0ff47caae6dcf704d1e5823e07f7f861e09f4aa151f8a66b253625c6f0c58979f6bf7492127c5640e8b1564524b53f952982bee5b9761270c934b3aa7057e4eec78ac33485388fcde82de33aa3cd9de5939f58ef8f6de3634e0ccff8075fc0dccf6e6a8f805efd69a5dbd4a87626ac93f985ae858d69f8d29de46b008456782f3c285e7ac59b4f5808dbac5d0628c8cdc31feada353e05aa5479eb7be2021d00bac5d6ded3d7186a463ff0f53f079794a01d0ead33a4afd092ed5c94a92889b060554599af97ad64a96eb8a29bbdf22d9cb9177b02fee5e0d89ebc00a9f974d751ab2c77501c5878a6e5d0b4f7c1874a3a2933f8d3d384a12046702ec8bc3f74f5e3058b40be93894c16cb9851dce9e40536fec08ac9cf0dd71f848fb7c64877c354ca2f20dda36b741a7dfbbae3db757ab75511478dc49a338dd26430866bdacb29735be9e73edf3184d89b2173d407816918645d2c12fdefcb1cd6325eb72814a241ee8ea47a71e16b40125b360d83bbd3a7274d14c4ca4447f98de317ff9167df94870ba186cc8e2bcf5aaed22bfaa0f01154bcd39957f0cf5fb9163e73acdb6f10fb82847d3c698e19c06a9ae415389ac7f59e01d09a4e4166e6cbe273ea98ebafffaba7100516da5742e34d226822bb3e7444cfccd74ead7eb3f3ee91ebceb981562ca6474f40b64152f913fd80264f25c2dd6730fa72ad738b0d7268796b791a8bbdba1efd8294bf0e552bc3b9dc104e2026de3dc6ff2c5ebd985a436ee6245aba59970ba2610e0475e9025b3fc74ce1c239d402fe7aa830953c104389e50d1a0c2e5f3b2a1f6b94001a15929a6ec5c00603eecdfe76001c8a962c3acbc548e6e65d9aa4bb56a2951149a2900f018685728590a816ad456de39f9a8c767cfa867fa1c1d7d40cf6c86e47ff926c6fe2bdfd0107007100d1230fec4f0a89e828c236281fd5f4b72e29b5ce2e738713a856399a01b13ccb15ec7cffc1251eec1fa8e1d00d9a6ff6ba43b00792a216bed94bf1f55195b5f5059cc78fc714eeb5eb94c7b888e1bbca8dcae117de8a9a7d4a8da21956ef6590fed4e4f3ebb34e8cc3d23424c997c6cd3df2720576b36dddcd6e2a08d3805ab9b81ccf05447b949e0de83c22a1d06fe7f246eb8ee77d095866adf803247f6c1b2583104257d758cb72fff1f3b4bd870a6ac9121ae6345b6c964c203ca94b031f1150ed1e468a4fb37eeb77385dfe2a29a44e30866a35bd8e44ad7b8cfcad21091172e65df8912c0aeceaef2c6c760b55cf5aef6e6c5381d8317ec36cf84b5a5dacd57410fafd78896b07a8792fb086ba19d88c7b707ca64c217f28974ddaf24c3918f0216d3cf4757d640a3d2de2681f811eb53a5b66982ae324b03ed2efb40ae8dfbf59d39430858b93754971ea6d28f9841404b86f1fa1f3ac5c7cd60c2e2b2a8e299b647c93b040000000fbe14ad7d4f8c4a6c96006166f2e1b5601c4a94bf3e1dd621c74e8f5d76fe2973dadf4dfe5feac1232187e67ec4a0b6691740e3ac71d7e6982d78b54ff66323e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60cd5a88fcead801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster\Total = "124"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000b457a1eaf970e9a7ca7e2bee073ce87af4c48b5db8c279d7d44bbf98f674eb2d000000000e8000000002000020000000e927163089b0b8934c607c1261920250c60efdcce8b2f0eaf5663a3b6d835501000b0000a2b0431ee4f1c5cc750572a1765b2d10d60d49722756ad7198aa781fe47f72e265265496f0b2317134d3c289b188fa71fd9b459b4a46369ca021354f448f26dc43273be9ec68eb1431d17819743d1fd45494f98c3253cd48f929463c68741c291b5659abe7edb4ffc8e2bcd9e71a1931929c801e946f3b50d2ca942de355da41536aff3c24462703145710daa34476a1b2a6b0960f74263da1b6d485b7d08ad629519e4b6b2b95a2a403eb4671156e4aac96938dcad6a35f8fa8a7ceca1b00cf00551254fa4d8a2af5c5274905b77fc284c7b03867ea6ce3bfc764543216aabfea035ae4813cfb95ccad8b46bea117168fcabb0ecef0b8705a8a45c0ca5c71d8ab921ae44e29ffbd51cf0a8f16303fc3c65b169487dbf110dba254d95f4aaf1fedfa633730c69b6dfef2613dfcf3e1b963e2f49eff73c313692a809e29ad4610a31dc1c375ee785795c9b08ba6a85bc42bfd9a809ecc119e495784ad441767239dafbcdb4a895769f9bc2a0eb7415c75cc320a0261d2d453dd995b55d07c0cdacbaa998e59738c9729b7a3f1960faa1164735c20b05311a791bc2c325ed1767ba7ae31743ebe112d5c68fe69d6061d78bdf0c96fc862e22cb1503fbcfe44c900dc870ddf8bc8176bafc1c91b6089a48390dca4c3d5ac4fe54d506d09f0be2d1125cc1e35b5ef6efac6dbc17df095752c6239b01c9111faa6ebfd9987f9f00c55101aca711bc8476c0eccad0c4a4f74ee9d8cfb1b732b0609510bb5e680550e9172d2046856c055d5b7e64ed38a0b4538efd1fed6ca73b0b5cd7601624c0178fcd8258e8c238bd274f95e1ea0500e5935c1a6bb0953f6ff76580b5e007fb80245c734451b8df6fa0e22d200af153d1e16317a44907fdff6426fe4ab9e6e9bb92ffb78d5ad327e7fd6ccf04e355114139a5ef6d9757545e88a79fb9f018db9a16328514a84ed84898a281cb62c92dc95b69f86ccf0bf2adaabb82482dff974714b39986790dfd52e353e155ca66e3e166f491ace7888f5ad55036ade115f48856abe66bbb58df7c5f4d074dcad1d752d8f61f93d5e9e3f3349117ce3c22a693f04d689592be51082d28033ef91cedc9a84bc22af05f0e7973c2ec344d64746519f1bc0f0318d8dc72a948a0b77a4276ac4e71053d15aa60e9fac49504d4b86a19e10113cf3b494c347bd9fc6defb9f07c6409d5ce45a6175a2df72c11d26c1e3ec9d41810bcb9954284560d3b48e5598caf1d7f30fdcc1bc03dcdc0743ea37915fc7ad9a5cd866ce79d095bc6b9284beb9dab4c713c5aa04d4695d5191dbfb730e22aabbd1a103ca13c5e2c6b5830e269e84de51c93e4ff684c0c8e9c04c38fc710d525e2dbf9c6fdb0b9ea6862b60fe78bdf4c109d98edb32af0e645ecd94cb2b547b72b373d8dd85bf15eb25a57554676121892ac7e7b42d64d42efa54dd2917b4cd2b2fed0917c2050a1474d90ed910e68cdb35b15d89d3808dc994f6eecee1ecbe02df7a1b4ede22c2f2436df1f159d95099ee9d75aa0aab3c876a83014b44760adf94220bd9841886ef335f116e86429af400f21f470bf26acf8c309a23acef453d3e1c668997743fab2c05efb332d5f4c7619dc64be2b2dc4023d819298f8d4a399bd44d78e2dd90cab94c4fade5f3eb3296cd5418a60a09e808240a3141c1b2fe1ecd43b1c6d2eddac4f0be1e3e9c7fd9f8d33044ad45b0573980c08ffcdb8f0f17fa42b078308a8b1bda55cc902684f40c0308b7f50ec1896723ea87409b6ca87330d3c57f449b3c3626b55e040d523600f9f160156744948494968665df2ab8479fc79a7add85644be408f4637ce639b03b027bbf59cf23fbea83cf01f100cc8fd24f3fe6ec92bc2acbe587dc775b6f7550ad10328296c1f20a7fa2d60985766395d16efbd4348cd921ba74c2cb7e44fecabdeea1bffdb246e20955d4db1cb4dbc4cbb48a9330678b3ac1efadff74e147bd376ffc457d20613bf295272ef2afe72941a6b526f1c830ca4ae1d5e5a2b4216e528dbe3b23a59ae7e035c7b03e5b153ddf42b27ac7d507124f42315296d635b9bb9933019b9270a7732f958ae45b3a08c08d69625ff4469df5b906aa3fd4642cf04de1169d4ea0ac8b1adb28c4972f84380e81588b1263291f1c082cfbabec28cf99339385f7030396d1bc34f1bde7bb4ff7b0b77cedf820b22cfd390ca119c6c644071220b8066cb8544a2a7b583cd6d9fd9cd1abb572bfdf6e6cff1e57e69d0e967a44a1d1deadd0804db766949f8a95681b8049432389123d8e9753b8ae16d70b5e77dc0833ab0992f7ad8425d8358c3264c02b7c47d874c78c2deec54bf285e682c50f09225135213222368174090b5819fc7d9d6731f952a7ac05513347adfd3400e3ae3ec3478085fe10a3a865e36fa3d2258b0c1e4176daa95cc338712cf660bed41fd0a50277599572029aa7ac7313fe4acf174b163d0f4a8fdfaab9854fd3b949abe447dd9fab7ea4a6585f2b33b11bc971ec345f7e386005c7b64535b75b9f71e17e83a9f71a3ef235670968c968b9d9ba3e3f060d0dd5cb39da56780f65cc22147cb8b0bd1151aa03068ca26a9a18aca8f860257ecb966be290bdbb262d6153633340df2de507cb694b87fa959c5252a6d6a072d74de017e033d4004bd947198e4d93889f75ade1779b65978bfec6a216f80de87e503900d96028cca75477c1075be719d15a097fca7f7f04decfeb2843b80c3e51c6bb1670c1d6b4342c4d5a391e3f430079b7847924d6023f2af325d6d8744a1f67c167126fc26d142989ff3111a5d914c095b7447e27c3163e50556aa5132a2a8c7afd4dcaa7dc75752fb60941c24659ecc4f0d6bd72eac54c7ad6bc9df5f906632eb3af1b4bbcb862424a08982ccefa2089c5472d987a18f751baf1c326e58697d2f596e2954f7081ae31242f70eed38e20672d87d1168bb0eb5e65982a3c1dc2fd7d61f91e10e883b04b62f35f945dc91ac049d2f64c396d3085298a07b56e6a40784a70130cf0087f48d981fb00ec56999a5592348445180735870fa88552fc58e2370673f01efb7cd5bf2bf4c75f9be25760190f029e5152332f0038b96b1eb097952ce49bc89d89382854e8b70e00001188f894a031c0e5ecb253dc4aee7b4e59e82e30b5ca3f5c56a1b231db0775785c22939c7accc117cd07dc1af56b8218cbc4b715ed2db31300db9ad8aabc3e3bb49b4a4bdb2b5380d50cb9d3986974ca9cb6fa8a52048e3978ecbd67f800fb5a20da13c3bbd766107a772920a321563e6f841be2623e08e08a3034688ac8e64f97ecf6b5e90a637cfb4a8538d5f744c79fc34e487454b6846f5f62f75c7da22bb884a315845dffe2519ad4b841e8c77ccc445bf3e2cf2c6cc19787eddd1a52fb067319edef1f0a4eb6b1b33c0524e4451f841d580c55724b1805ef72478c19e1d82ef05f55a9aa5023c0f22a760b86650576e00b33823a6ca8b3520c7a9ce101dd2b846b6cfc8680561687ea4cd5e98a98a88d4d47921274d97a01293db3a4e0ab89173ae64d3bbb4a7eec6e6eccc39777173eedb3867976f3a35f87896af5f305055a9028a7de900d335398617e110f4029d8ab7d75ea349e63ff2fdc836416e5e7ea67dbc6beba9375a4976b486eda3ee79ec70abbd5280061e4ffd3a18239f50bbedfe0917c280d905d847e02fde29ca05e148528f5437f6751e07432cb8713f5ce00eda5b0e28e53cca665ea6d7f546c5887feaca8a1699ff71830b0285944e3da8359d2520cb61d23813db3045506b6cd07e4d028994857416f7b40f443af3d90ffee06e8d3796b41e8b4ce36b27540c97813748fc1c47b27c9d4fb184c136490f0c8c21531612b7304c2221c5fa2a1f557ae8bf399cf9af50f3999fea4990409c8f57e104b472e4673175f4fe15185658953235d6c7edcf2bde5b152801dd3e215d75ed2ead5fdfce7f7941fce44b8fd449a16badd3c7877752a95774000000020584bc8c78d317c8b11b009e7f710a78d876aaa9a919fa803f56d3ece95bebf1b6778f24e501a3d0b25225a2e1a1aecb04c8647dc4fde4019d1f30a5217976b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B23B4E0E-56EF-11ED-89AC-E23A5D90AA50} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993148"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000f3823f2034a6728e419c4cba369d87d0f4a193232b729b01d03c16c9b11b34ab000000000e80000000020000200000008c1d58fd21621cf1a58ff206fd602509a2f7fa97d7893eb0a0eb5fac6b03cf3c20000000e5acf906aa763742656a83a92c7add99110f57cfca3ca822af092b328452551c40000000c791ad7022771513a18c5c69290ea624fc34be4a015123b75faa8dcc19a36664c94734dff1099d0471a9c7f5d3fada306be8e8cab08d779522f5881d392c5295	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster\NumberOfSubdomains = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ewe7.monster\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\30e3d5a8-7955-4c1e-92a2-70e820917159-ebbb3e8d.ewe7.monster\ = "172"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\a2c30449-7a3d-4c3d-8b2d-ffe702a6a19d-ebbb3e8d.ewe7.monster\ = "0"	IEXPLORE.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{81AE0EE1-A83E-4365-9CA2-D7B2532F8FBE}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4280	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4280	iexplore.exe
4280	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2088	4280	iexplore.exe	82
PID 4280 wrote to memory of 2088	4280	iexplore.exe	82
PID 4280 wrote to memory of 2088	4280	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://login-microsoftonline.ewe7.monster/?
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4280 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
4f630c01f9bf4c57d049a46ea616203c

SHA1
a2d06f097a95d9096f7e381d39e982c0c29aac25

SHA256
217bc1b6fd8b9b5987d428f164bde885ce60d24db297abd86c177e8595c30793

SHA512
1ae68ac255fe9b2c517425e8642fb630c178ea261e6e844fc27d7a9f8d3e6c92da594549284622aee09b96540e9fc6086fa32ba7f66c794c1c983ed7c526af45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
1b1f072cfc59b5d9910359fb06b1fff5

SHA1
b01248ffad5536df98aa7148daeb5d96c940ea76

SHA256
cfdbfbd242bcc0e977430af16d8d39f4ce2c070c28f891198b925a3eee7647d4

SHA512
d27452e6e4170a30593a7b257018298f23246cb64a087f58baf4c80ea4ede83c477037d2b4a89d1a9d4ca5437c9156088c39dcdcc9dfe2f9c780767d9da18cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat

Filesize
18KB

MD5
74c59c6ed8622c405442ff1f24c2d506

SHA1
095b6ccad813b0b9fa13c342f8664805fd45fe06

SHA256
d9042e9615d0cbafc25ba18909c5d2553b7320296db8c681d8f4c47bc27ef953

SHA512
f7fe93975b910efa5a759f38267c9674a9b981e5ef839e19ee2865550f5bcde30e66bbf6a714a114fe786e562a27c741b68708727e7fc88566cf308afd984074

Download Submit