hxxps://www[.]gopusa[.]com/non-binary-biden-nuclear-official-charged-with-stealing-womans-2-3k-luggage-at-airport/

Resubmissions

03-12-2022 11:44

221203-nv7m6sga35 10

03-12-2022 11:25

221203-njdkyseh59 1

Analysis

max time kernel
94s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03-12-2022 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.gopusa.com/non-binary-biden-nuclear-official-charged-with-stealing-womans-2-3k-luggage-at-airport/

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2781964377"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "416"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "510"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000332"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "494"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807938bc0c07d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa57059212374044afd35d482326786e000000000200000000001066000000010000200000004e5fa00e8dccf9280ab50336634270b2491eb4ee43d0f5225ef6a880ef80423b000000000e800000000200002000000002f7160b99e62a889f51014a515eb8cf03385c165794278942c5dd6fba0a9601700200002d0e166f4c39c7d937716f4a61e091daf4c2a8e54a578ffc2d6092fe6e302d352707c53013717f38d557c0bfdf090f18e629644072d21e48d056d784dbbba54c71ba712cbd3d0cf363543888aaeabf50281253bc9f2cfe711807e831350a6616dcf376dec8779213326269eeaf3810ffea2c8d110c122a87c720ad04697a84f8cbc6192d178c2613a3e133e6622637d366a111f9230d0ec96a38e4468122443da98bf5ffb1e7c7a53dd0c563bff9fe95cbec2943eca46db47b6b4ebf25e866db194fcb822725078648cb2f875d52cd57bb874a2033f92816bf20514d7aa28a1ed046b3614ade2bb8a6b1e3965e28f9260846c03e17e70b8793fc2918a9e6556f2a9824d8c86cdef52c49f2a0da05465a0df172d8f0a7054d8e4564c84f8d373ded3c20ec322acd242086cc2b1e8ed63214f379118adc914f57c6e3326fd5a62a16fdbc298d8dad698af2f905c0bcc0e44f7433f29040eefdeefd4a250d42b168290e53aa7c07e591b9ab3b336d551558862de389d26161976b5b06952a6dfb883194bf9a396cdb223f2975f7290a564600f16dac6160d09be16957e249dcd4f07c0ce801cf3158648f75425550194051adafe08027bb6e907525ae6ccc492580b0230caa3b3fd2d9b42f6f79a6cecb7188cf2b498e60c81d08431c457753cf33787af9ac7c8bcb7479514eca3bbf15f21d3b98916ad5b25c00a23e40654f132b78e07a6abeb97eadfa753418cc52ee7d8008926aac357af4501f0eaeabe6d104aa5edf496562ea7d5c5876322bb8508788013a6e917aa4dc7d3aa48a1b2a1146e38532a8d56de16785dc41b6102bed6938c8e1af04a456ca6394e54535839ebb4bbe84698126e30b3249846cf9840099400000008a809b6dfecaec6899743faa9b5ded6c0487722eca24b45a8dbc7a71315f7d17ccdff361250f4c68b0df4b302120c7bc5db241064104fd337377262e4f6dce01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "648"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "45"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "534"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\foxnews.com\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2781964377"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa57059212374044afd35d482326786e000000000200000000001066000000010000200000000e14e0ffcbf52aecb2d64d0cba9a6518aea752b9fc481bd0ac20955f3fc29296000000000e8000000002000020000000a31521572032f50edbcd8ab413527282cec754928158d25bff5051998c45915c20000000ad766c793f01487ea4d71682d3350c575dcbed7b24b5048cd8935bffd0f0d86e4000000019c8a070f7f8666ab5c2a5ad4545e65115285596a6f54fbbfa77a1ffeab6e3045c9508c71286fc21bbe3bf7bee06d43a8fdb30ecc869c243ab48e4ce67ee8cbe	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708bd3ab0c07d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "485"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\foxnews.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\video.foxnews.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa57059212374044afd35d482326786e00000000020000000000106600000001000020000000f627f5b07b892297b6b0eb5657df694b70c713056f5aadfad37c364c6838f5c1000000000e800000000200002000000076faacb63488d76fab981cbe1302f6d02ea11ced034f49261cccd47a138b2776200000009cbbe297f3cb7659417212e1974231676c9aa46a6e193cf6c72683737a8355704000000053ec5c6882d94db8021ad99811816797accb76fa1029e33f07f099020f852d6133889ae596fefe5fba4796e534abf246e95293f129080991a8f22defe26142f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "90"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\newzit.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "529"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "403"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a078c0ab0c07d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "241"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376832834"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "485"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\foxnews.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "39"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "498"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\video.foxnews.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "454"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "586"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.dailymail.co.uk\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\dailymail.co.uk\Total = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa57059212374044afd35d482326786e0000000002000000000010660000000100002000000016d6ddde09624e89bc39ea936e47f5a603a62d5cf0b4a3b0ddcede67b0c99914000000000e8000000002000020000000948b16efb3a61e5c46eb09f50e19f07b24a25d38b44daafa5c09c6282ed76b45700200004a597c5e9bcb57f3cf09d4b36c9b1d59248672d19c69aa2ee86a77b92a2d0e50452930c5f5f550d06a19a79b937af2c4ecbd76f06a6ed68a3444e3d625816b57505f5f6753c5f2eb4f6a1cfa336bf2807d0022483ee9595550c811c977570c914eca899591f344ed27d2c0221047cdf71bcb14de32d161bb475fd7ee18ddfda9e74349b68150e012dde07a705a368e8c4661d750f812fc8baa02baf46cce339e29f0c948a852680d305a239fcf9f7640703cd560513ad64e5fa299dcd292aee7de7f212c82605019893d89c40e4c6784873ae1bfb2bfee3476308d41aff7d53a52e79f6f83312a968aca9d96bf9ed66d1b41b0fa707f6a650dc7f17c22cedeefb503b22068148a21249e51778d8ec0acb2cfb4dfe39391aaa11a9030528296b5a2eba02ae0d124e0b341b66bd0af1f4e90c2555116b5ef49f84fe178dc62c04acb5c49077a791be4d6230eb631973193e9fbf2c52dff06339f9321ca4292647d8c708cc67c1ea1562d00d1535707b9f1279b4d0e5a75527f7c7aef7a6631c4fe2db16c4a7d6f0c3d3e913f780fe6e1e90dd08649a5258afbfc7d62fa66856a45b8d95ade1827598abf95e409775e42b75648077794583bac2b9af1ce15f3f22826a85cc3b7021c5a0f2bada019b4f6103108397e5c433166a6ea4ac179795bbbd39f7b06f68a4467e61a8dc3e2cd36352e4df53611b7bc2b50521e97c6eb27bb6f694e437970a4f634c64ce5cc55ef6e5a52e94ff2361579dc138e56f6724831818c0022a956829340626681526867142ff772f9ee1830d990653e6508bda3bc54447ce0e412b05cc1e5424bc605ec95979cd621d8cc07d2317545d60365a5fbd16bcebee88deab2209c361fcace003a40000000650b4243edfca5f3c464da3d6f43781c94113c59ecda0cfe619bd661e59cd0f54daab149181f6790072a000e870462188892fd09c7a670c74067cf9250d22a53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\newzit.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

IEXPLORE.EXEAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE
Token: 33	4208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4208	AUDIODG.EXE
Token: SeShutdownPrivilege	3816	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	3816	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2028 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2028 iexplore.exe
2028 iexplore.exe
3816 IEXPLORE.EXE
3816 IEXPLORE.EXE
3816 IEXPLORE.EXE
3816 IEXPLORE.EXE
3816 IEXPLORE.EXE
3816 IEXPLORE.EXE

pid	process
2028	iexplore.exe

pid	process
2028	iexplore.exe
2028	iexplore.exe
3816	IEXPLORE.EXE
3816	IEXPLORE.EXE
3816	IEXPLORE.EXE
3816	IEXPLORE.EXE
3816	IEXPLORE.EXE
3816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2028 wrote to memory of 3816	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 3816	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 3816	2028	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.gopusa.com/non-binary-biden-nuclear-official-charged-with-stealing-womans-2-3k-luggage-at-airport/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
b6b20fc041e2d18a5b1412ea197e75e5

SHA1
ca55c4566c5fe6317fbd11901ec9318bb0471100

SHA256
98f196ce388b7c3522e220caea4f4f54a1aad36a941a00a2192e7c0d08c6022b

SHA512
070ddfa9c09962cf0bb0bc656084dcbf487ba9d272d95990b96754669440d4273ae7a8006fb1ef906451a14ef17b31f03f0c82af8ffe93f6df8d0561cdd0b594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0ff2da8bfc83bec6bce38ba6a3f7bf58

SHA1
84c37df7bed08d69f040c289676735c49a9564eb

SHA256
91026f24711c435d99a44884c7239ed1265cd17c0259a6c5885f69e4309421ea

SHA512
78afdc44d7557b2f14444182085252e8456c91289511d6f2abfd1d7273d05baba9a94206d370add716b9fc30dc326a1a2e1c78f642e926759d962cf216c3a489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_8DB596B9957E4DFDD69ACDB305306B95

Filesize
279B

MD5
b5936d197f43df03bb74d1c62a03731e

SHA1
e8072c338a22868836f2775a345561d9b4cc523e

SHA256
6962d5b1bed6e0a409bb999ac0a37b5823d7483e44561978031532c259e4269c

SHA512
477fd3ba89d6ace3be370e0168ab6a7d8e2d4be2431e0ee6d32e92a3e5a816b92dc2ac436a801ee33645bee11a42abb6f807deb5d0231713a7232aec5e297a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
10a9f3076f6e26a27fbe42a98a87a4c7

SHA1
d2611e5324505b36890705c9886e551630db5232

SHA256
e23181b79a508fabe8cd3603fc9874bb7652f15f6a36760960334a0a50e64936

SHA512
ca9f35484afbd72ef21a67227a3059674fa46ae184b4d7d158bc36df6de70f11b29d221ed4d90683bd4d2f2b1ecb56bdbeb88d10f3273045dc7aff5dd7faf958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
1092cafc76ec79934b223c18b64eb472

SHA1
baff5dbbb37a17e7790666923cf143652ce7b06b

SHA256
678c6d98e4c939e479536af32e768168d4fa78cfe68e2b8e0c9326076c9d4d85

SHA512
f2043a60ffb21b4ef87006963596287c3e7f4fe057e05739d21be2b814a9baebb226a3ed5bf038998d8b9b45303ea965113747ab639f4c06d88c86e8fc8f45b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c23094e0498ad2e2114fdadc0b84d13d

SHA1
758c62f5eb2eb61326e24fca8d1a288d15ac5f80

SHA256
9d809761dd3a589cdc1641eab01858b15970033bedcee14bfe21b811b772cce6

SHA512
91da365df039824663135adda7f48160ae94417491a39083cd497d41f4d2201d7e00e936050d7e218b03735039aa07775c3f89245578bfa13738f5da539d61a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_8DB596B9957E4DFDD69ACDB305306B95

Filesize
430B

MD5
1132cf166f934c7bf86c1bf4c5bd5716

SHA1
191cfd9f9782082ea089436d7bc4a7608f060e0f

SHA256
c31d98ea17499c64549fb8006cf994d860c1052f3676b750ddc02d51af23f51a

SHA512
d982939d7308feec67f52f0652b7e18d491773d09799a1fcc4652715fbee061c8c3507e58186389dd3e15d96587b18666c71595020a817fa6f81b6a6a5c6537e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
1dff3a069cd60d205b22e70dee1a0010

SHA1
efe0553ab60a9d45680b8d814b8d2bc4e1b1159b

SHA256
01e1f1cc9ad54f739b98544093c9b7ba15cd28fc826def8075d1f0ac6ea2db80

SHA512
c6930e21e09dce106da384f3082f69a9a56b648215891939e5048b0b79501d96f61c55d2517eba21ed9df5806aa2be2598589abb6e2a1cbe44e2c01f92273daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\19YHS5G5.cookie

Filesize
279B

MD5
c1fb87b327bfbc2eec0c6aab5dbfd19a

SHA1
5c305b6aa31d168211ef4daf022e530d60f48e31

SHA256
6c914aa116bc0ee297eacb4776e781c85d3d78580d48f6320d2b89ab0a7ff645

SHA512
1ce42a3933478f8499109694d9430c826b590e72712431e49fa01d68fd62173d49930c038aa2031abaf2334aeb9660eced73bcfe29d2a6a9d91368e607887d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1WAP0FI5.cookie

Filesize
1KB

MD5
6a10ef34181627824c60ea57f8952855

SHA1
f9f239d5436ce91f6318039f9a5bd47e65f72e07

SHA256
24ad8aefccfd256140e3df54fb40d1d997e7d790ffc4a47c7f97cae30992ea7b

SHA512
55bbaf3d1610d04f91689cff65eb10781a3ae911e3eadb8473b5d0421f48b19741973a2c81919cf8701ad1a87082e19e20981bb521666df27bc1ca11b5bbfc61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8XXUDOJ4.cookie

Filesize
365B

MD5
d7e21c3db30cbb8e5b3240b6b5ec445e

SHA1
fc8f41d87c4f030c72573a0952287385ee43275c

SHA256
3ca39c862baac05edade90469221afcb1bd80b514e1ba0ae66c0d858e605a34b

SHA512
789968e93b1bc7ea33318b3b357f1596a12db0239f7ee6546f74a0411c1d67e24c21c1d79a47f72b5a95127643bb09d87b13cc07818bd19d2a82925817c5a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CTVUQ8SS.cookie

Filesize
88B

MD5
b9339286d7eb868d8640bf717231b2c6

SHA1
39a82ef8f7690c37f363ddac9d358e0854e70d7a

SHA256
cbcfecf8e6aafe9cb38d56fc55a5911a8be9815d7318965012b083db662fb906

SHA512
f1534e1aaef83b943ed91ab01019fc4ab42483d6dff195423d7a1da5a9f6cbecc5ab0de621393235d68a95f97d3a7c8fcbdea8712dae3f7d4c62a25ab4066655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G8185NK0.cookie

Filesize
545B

MD5
b2b8119b82487b494e033660246311a0

SHA1
a407b7ff1b4dde0a315165219c05c8ab862c1104

SHA256
117d9de3a67caea9a1772ba1702f5a779bf5c8bc8b1979ed6bc0441afb85138b

SHA512
414b6e945a2881d894847e15b45f23313885d7dbd5fd3c4ad08fd3eaeec2d3ed3b713f55f0c3c0c6f55751a77858ba71dbf41e484874388f4b444a19f2a4e388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QZ7NSRKX.cookie

Filesize
1KB

MD5
e711144292de887d1ed86eba38158ea8

SHA1
94dcef3c7e76e4ebada73f83a1d8669a52575708

SHA256
c35b0d958ecb293c89051ddc70f0cf2ba503ef8ed51ffa869bc1414f4f521640

SHA512
db3c98d34e90888ac95c1d2ceb3592f7b6a156df579d271a68ccb5cd0be9a8a00433d2f2ed579581131ac75b86e26282136542457f5ca1c860de6113ae5aa073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TVA4DNQE.cookie

Filesize
545B

MD5
932516f5e69b3c06bbb7def103fda426

SHA1
de376627c71e5b1d8e1f774de3b8e3c71a1400e3

SHA256
66ea10509b81976cc951d79099679a897badd7297ab3abffc36c6550abd565a9

SHA512
906cf746819b4bda10e39a78397279a31bcb42d7873864d49882c389a926633eafba30778641cee27fa87b07dfb1d147338b79b72b0d9ace1d2c66cd238759ee

Download Submit