hxxps://a-qr[.]link/UckWrS

Resubmissions

07/06/2023, 10:02

230607-l26ckshe68 1

07/06/2023, 09:59

230607-lz6wbsab3w 1

Analysis

max time kernel
210s
max time network
210s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/06/2023, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://a-qr.link/UckWrS

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiagnosticsHub.StandardCollector.Service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DiagnosticsHub.StandardCollector.Service.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Explorer Bars	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01adca52799d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1236746950"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1249976087"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392897144"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e99300000000020000000000106600000001000020000000e5b99f0eaebe660cae38b7756b52b0c9ce0a20b24b9905539fafeec61a4c1553000000000e80000000020000200000008d7f0917752a32fe2695055d91abafa2cdbc0ea2e1449881386b6bf413d5b8b020000000d686f88158211e6ac5d45b07c8089a89728a5ed08a30628369a63d2e9450ba7940000000b0aec1e13a212e067ee1389f71b89b48048e0d7c69eb7cbd68dffa5a1364bfa4b31d59680b27cb46426c5b0f242a65de86226e08f6925aa54b8bc940f979640a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e99300000000020000000000106600000001000020000000fe71ee3464cb9ca40457d386d0ee59ffa70992bf6f30c101146f8ad1eb00d48c000000000e800000000200002000000067a36b239b7edc5d82fecfd30a1c1e0ea272e3da9d86804ff90357b33e15bfc8100000005a2d87fb29714145a13d3c3654f548114000000009d0515641c1f347d4a6173584d362e7480d3727e1de9d3267cac221fe1ea859ce4c20aefb7a160df331dcf80db69a61205b4c3c38d2a3c9370a600a0d8261b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04113a42799d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = e9d1f8769d45d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e993000000000200000000001066000000010000200000003d162b7a5b74ddbd07f5eceb27caf12a1ee8feb31d6d089bbda8e9d71eff54b2000000000e8000000002000020000000aaacd5061e035d58483eb6555df94095477d7b7eb8a0550b9b7652c2d37ec93220000000418116cb51008e19c6ef4df4b69371788436191841d19a42f058f94c2693bd9140000000fb21b5f9725a5c9554df7d6d3df296fc91a64c164f0970fc385cafe0a38731964ea430f6814574340f64777eefd2f30efc26411defdea41fa2e382b3f30c0141	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a064314c2799d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e993000000000200000000001066000000010000200000005c795639506d7f7f91a535b4543cc8f812442f0969497cb2725214e432f09032000000000e800000000200002000000067fe8a2f86aa831e0470281ec2f8dad511f0c49f73d33267745bb1f59a3580cc2000000030b0ea464a10a8c17e6e0ac0571267abf24698704e43924b22e9b0460486ac4b400000003be956667046d2d5c6943c01ce997838affe63324e2d23978e512b764535eaeac466c0d908bc505cf04e15fb7b4858e1710a9d8004568c66090e0c0ed2b46cc0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037735"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "392945729"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e993000000000200000000001066000000010000200000003a3f7cbaa8c7061b4c171adf0d1f9062fdc37494f3cfcfb75f19c462d07fd79c000000000e80000000020000200000002d2b5f385cff80eefd46131a7cb4d38897f1cfd804d1b824fe2fd43f90fc5104200000001f1e8c9ebb4ab5a29e49afd60d4e620fdefea89495d5bee66989a0b97d81bbd640000000219f4e7b49eec08c0b3c3ac92e81d5151de4db7fbfa476533774192eee5b9a3b95bc1addb1c64eb1a713850614e281da7cb0536d941136d9b5fbb7070ac92f03	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e993000000000200000000001066000000010000200000003a054ea7d17abe1098fedfc679ca058219df9c2df9af407ed5189a69bff5a054000000000e80000000020000200000009e04cc776ea9f094eb0d9cd52c266a1d1d1cd63fa45421e2081fbf57ab932d0520000000dececddeaabfd8e5c54e5ca4ef8ecc7fa1796f236d3a645eec94356d1700580b4000000006bf6b1a459abdf8c7aa1025079cdeafeed852b6476750aef5f77ac898e2a1926adbcc43512254f5007e0050cf2ad5129e5ee17d282ba5c3abcf1b2b332a2b53	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502c4ea82799d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = e4d40da22799d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e99300000000020000000000106600000001000020000000a41079d8edcd41bb564fa317840732c72ee0054605732b2392bb83664d294e7f000000000e80000000020000200000003fd3872e3cb7416dd73d38b655d3b4851326b976cf997d9f5790479d00b15ab320000000a8cad02ff508d368f0277eecb4de8e4724ed3b405798b7b31887fe6e1484da4840000000cb78146f4300d766402788c2d7937d23983c0fac35c781d8789639702fd88aa48d7d86aa337079a98f1bbb57cadfef947ac639f1143297e0ea6c2c448c50a198	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1236746950"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://ed.obctecht.live/0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e99300000000020000000000106600000001000020000000851fb0d7d56a8f27e20acaef382a50433ee5c2de37317debb122e2fe7d40c625000000000e8000000002000020000000db5c604755890d8dfd6c86ff611f8e8f2e912f68f1bc4cef95cf6eb0e5834c8e20000000d0301e0aec5f30e68ef8ea06097a44b28c9b28a51701c0be4ba3f2012f108b9640000000e6d417ffc42ec498a4b56f3bcce91b6bb7547ad1cc970b99824c5c062f0db0abdcec0a698ffb0266b5c07605ae267ab7e36879884b3535e50c37ede2c76b6751	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037735"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203733a22799d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305294a72799d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe61aa205a6024a88f38601cb76e99300000000020000000000106600000001000020000000aa4af79d4c3f7bd3104489743e2a0bb01529c1ace3fa56a821d8c65495a29320000000000e8000000002000020000000035a6461937cd058c7a070112563678146fc2437528844e5026a406cc8957d7b20000000b7124e74b48cdaf368027104f380bd415be7a15e38b559dcf1a766af28e17d9d40000000e9eddd8fc86d41329074be4f89e93de59a06729f7d80b40b2ddee10d92f24b3bf69e14670652baa44dda509abd6629b728e42be4723ccff3d50a23efe040a5be	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74FB076F-051A-11EE-B673-F67B31A672B8} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0511e4c2799d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3236	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	4284	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3236	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3236	iexplore.exe
3236	iexplore.exe
4068	IEXPLORE.EXE
4068	IEXPLORE.EXE
4068	IEXPLORE.EXE
4068	IEXPLORE.EXE
3236	iexplore.exe
3236	iexplore.exe
3236	iexplore.exe
3236	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4068	3236	iexplore.exe	66
PID 3236 wrote to memory of 4068	3236	iexplore.exe	66
PID 3236 wrote to memory of 4068	3236	iexplore.exe	66
PID 3236 wrote to memory of 4212	3236	iexplore.exe	67
PID 3236 wrote to memory of 4212	3236	iexplore.exe	67

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://a-qr.link/UckWrS
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3236 CREDAT:82947 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9f40f0353257052e597cc6a63918ff40

SHA1
1c28ed248cce39532cec1a8685dbef608f1fcc1a

SHA256
71ac9b72aa96f07fc0108f5762830c2007eccf77726516bc4c31de6f619e04fd

SHA512
f9b9c9377b51d371d7e1691e46f5be78ec11745fafda0713844c6aba10c075afa8e07b9dae67794fe06a1f8d99258d016b7afd386d5a257c57e3bab3a1318713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
7654e8e925f38794fcb763c2f7de8cda

SHA1
608caecdc856a93e73bc37b94ba4ec1620b61ee3

SHA256
c70b2df5153de76007130e068ea6f75d809322d262de5a4afefa039976179625

SHA512
2115d26af8148bf273a43d83cc49b10e7dd895fd9aa39a3af0d87edb296db19e0c8aeb27efb54393f352e9729b65879a07051da30f2067e3ba5fede0941d49aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
1KB

MD5
a36cd9461130c7e79c2a967f3eaa3e87

SHA1
266f6f43f0d5ef19dcfd83439f61b6e4d1421561

SHA256
7992d152cae1a3e6fe5ef4be5b527829771ea69655e8e4cd5758172895a4790d

SHA512
6863ca12e39246c8f24071d4d4de84d8fd08bc64bfa0d06a2693d652a1a8bb1a9f0b4fdf32d73dcfe804e903076f9036152cf076c21e24bae670a72f93d57c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
0b19abb80df717b60e0fb5dc24dabd40

SHA1
f983de8f49cb21abb9017924d13c5fc41882e363

SHA256
6f76e0e552c78501fdd518fb407fac89410742141d52f6a592d99b08f697176b

SHA512
64ed6e1fda3344cda5a7696ab7c1daa8e9ef9a315c6f22fa5826d92b1351a12044d748ec0edb01c285691989f657f8e1da0beac94a1d8bea11d8da45b8add389

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_C2C751CF1C0843D44DDFC470C6BEA00B

Filesize
471B

MD5
955680586c3034cb9bf3e8572e5ccc04

SHA1
224c8eaf1a2d126f276ad8ea846dd5586418c6d0

SHA256
472700e1a2d2e1e878eaebdf922f578e9fae0a47fdd70ffdb16bc28cad575a1a

SHA512
8c0d327b849fa4cda354623920ccb1468b09d5eb128bdcb9eec3b5d892a035814e196af569671e498983d9b41131f4251a0a3179091d1241ee332ad509a963ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
cff104d968632982b9a8ff9cda5bbc9b

SHA1
9a39ace3f50aa0c7093141062388650ff94f13d1

SHA256
e706d4e57145b7e627a83cfcf91d65ab94086818753f9fe6c04d74bcd99fe28a

SHA512
1c193b563d1f721b80078fe217aedfa3fdce01a88558f3f00b1f6d26c163fa6e6644278750be7bd17cb7df1ac180cfcf58362f48aa2a2851359980fe55900b79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
9f2f617135fc1e66b1785e313275e3c3

SHA1
a12a6f1e38063ac2a3db563bd4b673555eb9ef39

SHA256
45f9b2ff2d94d1ee0fdcd341f4aafab1bf30958d5ff52d7e31873a2673173399

SHA512
8eeb52857af6555ab686544a2e34ea09ed2840ce083150d0c2cbf0419a242cdcf63647523382746325be861204291f654731b7ad6e6650f7b03239a9278dad55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
8e292d2bf700a9dadd33beec58b01d76

SHA1
0148d3f8c3e6063be01fa1996df636fa5b6f0ce0

SHA256
1357a364d283b1d0592d89a2f61d390311e3246b86394dd97a36b2d61fa3cd33

SHA512
2523b9c9d435a7ba71ef09115dfe815a634737fc710d78f2760cfd330d82bd8af16f2f43a220fab4593d95aafe1e19a71d1358f6a2e8ae76390fadc72a4491be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
6c8507f4a9fcf93d4b4a95eb09885b73

SHA1
428fbc8e3fb0abe56fee3a6c0881a865f7fd06be

SHA256
e0a5753aca19b40e94534c7db57ab6c3a369377e3d19161542619e5899be51d0

SHA512
283939322dfb5ce5cd8ae17931c3b55eb064ac40ecb0994a0f3821407215b81240a5f8bf200454b5fec7ce7814ea7d50ba5e7c7ca595aba6e578484d896821eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_C2C751CF1C0843D44DDFC470C6BEA00B

Filesize
418B

MD5
75de9243e3930feeefd8254f47a03f71

SHA1
0712d895ee71effb8a00bbce6c19878c96d00508

SHA256
f5e329f5c41762a93798544b96e2a9e57304c86e120ea939f7b1c9edafe6ae02

SHA512
53de279757484af3a785cf660508787c7fdfeb9be54c6c12ebd0bfbcf943f2e2189569db6e27d48f47990c8a11a842fec8cc9bdd7aeceaf41ce5aafd8456a3ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\F12\network\settings.json

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FLQISSZ5\dnserror[2]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FLQISSZ5\httpErrorPagesScripts[2]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FLQISSZ5\plugin.f12[2]

Filesize
160KB

MD5
fdf4a73ffdab93e3a0422b9d2e252ca9

SHA1
c969911ecf2414e17fc16c1a15512bab79842d23

SHA256
26c3f906421451fb7a86d275288c9ea0bd6810959812edb6564e0c23f76702e0

SHA512
569c53094876dd65556a824416bfd0016764205ebf6e61c87529445d4c619860a086895a92f735089da501b96e5fb3361279f9731f5d46c56695133bf8318b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\controls[2]

Filesize
22KB

MD5
cf6ae18a4a5a48e497570557391d7920

SHA1
ad9ce2ad74fd0bcd5fa998cff895168ada13a1cc

SHA256
993700d10307ac3485ea71e01c49dd2abae6360a5f1406e03e91c7a6532fc591

SHA512
43e9e37f8de63d2131e3159471a8a7765a08a4efbbd1505a1fb1dce4a85ca2e7e1391a241b2e01509f69b5ffb183ab488d20341a5baace00cfd8d753d3955e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\plugin[2]

Filesize
411B

MD5
6f65b6608be4e65166d660fdc450fa60

SHA1
91862bd34ab08e3511b7b7f1e71baefd57c33016

SHA256
7c56cbab79bd396e31a1f2a0891e23aa7d49e7a87c3bfd6d7ca445a095d73b9d

SHA512
38fcbb1e3f5ac1fc959d7509b6b1930d6ee5e3284815ca13c2976501ca8f00fa0b5661d9ebb76e5800ca126b3d0564626015e45e7beb401ba42c99f4d6230e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\qlIcon[1].png

Filesize
2KB

MD5
a85120554c8b836a80b87091c4fea134

SHA1
0a94a6a9f3b5a20a43d5f97e79fac79c9717a547

SHA256
cf55a3602c6ea7c81442228946c694aeebe0b33d8a427b05ce9e7a92feba0007

SHA512
0b5ab72cd280dab23b23c912a72d3573068e4d1c5d6a0a8c431133582bafccab31592767259d938d208561e64d5a081dd82a8444d4d0d42c6fb41a0a019f8f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\qsml[2].xml

Filesize
639B

MD5
17077adbfe05f1f147506eb03a76d54e

SHA1
03434e19c210e0cef10c8446814eb59290855e7c

SHA256
be262a10642fb6a59f205d3b3f91c2d45ca266ec3206426eefff046a14e2a1f5

SHA512
cb3093d4b217a657299b82a94ab6d5dd4c51554e68aa68c9fa133205e40ee311f846ab859523d39537883b48f165f80cf7139174b9b6611345c24ed9aeeb9c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\qsml[3].xml

Filesize
640B

MD5
c4a6d79ebba30a084ad19d1e3f054953

SHA1
bd7c1a46efaf451dc3a2f2fb8bb4985673a447be

SHA256
06ca375bf1e3bc767dfa05869856ab029e80693e8a7b0f714119c82a8067494a

SHA512
056ee5b57228979ab33cc8d046db84e03ed745629d083cbcc843e3285e3d5ad12b4ec4170fd00f349eb14ef9970fa30622a0315d725cffcb56ef248f7353fc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\CommonMerged[1]

Filesize
572KB

MD5
9ef197a076681c3d4c5e7a1e07cf15f5

SHA1
350d4ad02899f3838e4ce3bca3a13deb496c5509

SHA256
a24521823149886e4ebb47b4c8bdb7859985683ec302aaf941872b8d2852bebb

SHA512
6ca063a22f226421c8c901e659a38180f5198a12af7a8d380d74de1e2fcfb5bfb892cda88770729a2367f2b23e5a1bfc34cede0fade20c4dc13e0391fbd41cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\errorPageStrings[2]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\qsml[1].htm

Filesize
610B

MD5
f555228658e2d0de18c5571ff87d39e8

SHA1
9d40d08ba2c1491aa323b50dc6203bb1b66265cc

SHA256
701c038c431ad298cbbd1a2d7a238f2cdc6c6388946c8693f2e06943d742f349

SHA512
292120c3ee4a4b24e4f0e15514e38a6b5d8be0812f5b6707d38c9cc6700d36ee2df9fd521fe65070ac8f12e4c6f97f191f12f46a7b529a167591b6dd4fb65c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\qsml[1].xml

Filesize
589B

MD5
448dfbcbfc6dfdb29fdd8c8b6121d749

SHA1
3c1da3fed0de7e4c9beb9abae65d944dc22f985e

SHA256
72dda6bd2ab8bd4281b7cb5c47f6373a2534f8bfc24d1f3bfe3c703f3da4878a

SHA512
882225a010f54118752e00a5a570df2b082ea4c96411a5fd90c6cd37183b5f0d80292eb679801c9baf2a3f85c0c6a3138a6f3977218612cf7273c03acb1eebdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\qsml[2].xml

Filesize
618B

MD5
ed8cd40b9c629fda8847dc531e66e1f4

SHA1
975dca9c079e2993f8ae3fbf1ad7000fc00139ac

SHA256
141e01f8d9210f8ce7c2e3843fc934e7046c2dc53bb17c6d6e1d352c0836e313

SHA512
205c8d4ed6be3215289176adb98f93fd5526c1de9b898c87d9996dc3a1642a39d0c668b59318154b14607525a6fdbfd3b1c50d3bb9c750207d8d5ab29b7d3a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\isDebugBuild[2]

Filesize
87B

MD5
70f25a5edce5e20d870ff1c98a5ec5f5

SHA1
5fe33de0c8cb6d65f794c4dff0bfd5bdb15a7073

SHA256
ae2cfc14f884e61f693b00ad0945f372face67b1fc49c6479502cefba3b82e9e

SHA512
e4db4b122bc436edaa2dc810dbe1b0d61a5115e01a05b8e4f0874e639781b517b70ba5a80e1df7176aa612917c05ea10c06fc8114a8caeb00b38b7b01f8dc34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HUYEJARX.cookie

Filesize
241B

MD5
2ba7b9f1f9378985c202ab79f8c2ab29

SHA1
7dda174f52c81e5e69b82ef538ccce786ea3b8af

SHA256
618d0c78400d2cd6aa757a2f959288f4e06289d0381ead67ebcdd9e4add7c838

SHA512
12e64e4d24b3287b2729aad4b14ed86a624eb7a31c04a6de53c044dbfcfd6045ad0e428d53e79c66fc6407a6abe7b5e414fbbe43953bb280810ae390e44533f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LKBXACWG.cookie

Filesize
612B

MD5
00184cc348ab5982dbd1e3fa809cf1c6

SHA1
a67787602485f31f32496ea6799c43c30a80b80a

SHA256
eacd78764cb2f30f94af0b7468575983b1b659ace0ab5106834a891b0acfed23

SHA512
6381ac0ad2d7da57dd5898467daf53cff3e29a915c67883f2f958c01d746de1c30c5af7ef1d84f430862c20dbce26f8f526e5ce3f7017f919f3aef81daaa2126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UF9R9E9W.cookie

Filesize
577B

MD5
97d97b609bd62dd3d8c6de7bbf8a6494

SHA1
f0755eed0c61b7369a64ec2f39f7c6a497c15dec

SHA256
6f6bf721cf63f35e2698dd0ff82df438291f6715956b81cf4799e50d60ea703b

SHA512
0efd8de838bd0f415f4e337072786ecfc078eea3611087aaa73a1dbbd01254de5fe6a9eb18518c213c9f3a329d120db689f34acbfd4f86f4d913a798a2b4f9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kno7469.tmp

Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit