f00ff26ba523a87d788d9edc941b3fbd32db78580018c31e265b8146e9d39693

Analysis

max time kernel
138s
max time network
133s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0feae5fe89fcae53cb0b7d60e14e8961.dll
Size

188KB
MD5

0feae5fe89fcae53cb0b7d60e14e8961
SHA1

abc217cbbf7a92308ef8788020168828eeb94b7d
SHA256

f00ff26ba523a87d788d9edc941b3fbd32db78580018c31e265b8146e9d39693
SHA512

3d0e76ef7a4ed70f6a364f2c1bc27a488c9f60d52151d6426cfb8c90a77ed0c0b13018526a3a0eb906581cfa0dc387a3d43b0c7851a966998fad5d63f48129ec
SSDEEP

3072:H3hWRZKAkdPeiASVSNyc5zxfXC/ZbWquOqfKqjJSyOS/MyEwx:H3hWDKAWPT1CB8mvCqUy7MC

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000004c00000000000000300000001b0002007000000001000000a0060000a00f000005000000620400002600000002000000a1060000a00f000004000000a1000000a00f000007000000a106000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008caedd23796a624d80aae95d89cb981100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000124d030816ad011827400c04fd5ae3800000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14A5A841-A32E-11EE-BFC6-D6E40795ECBF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409674753"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\SearchURL = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f1fce93a37da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000000000000000000000000000004c00000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000001b0000000000000002000000000000007000000000000000000000000000000001000000000000000000000000000000a0000000060000000000000000000000a00000000f000000000000000000000005000000000000000000000000000000620000000400000000000000000000002600000000000000000000000000000002000000000000000000000000000000a1000000060000000000000000000000a00000000f000000000000000000000004000000000000000000000000000000a1000000000000000000000000000000a00000000f000000000000000000000007000000000000000000000000000000a100000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchURL = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000511731326deb64ae4be67c0958534509cd7b8e61093cb526c0bbbb9b326eab0e000000000e80000000020000200000004a18ffb3b17e0b9a2c24aab497f9e62eaaadcfc182d3382cb70f8ef05bd4422190000000fbdc5ea3ad292e8069a458af8ebe21426f6264d1d5b0acd5cf00fbbb848e9a29c66ab069a338c51f4ef0599fee1ce37ce6cc0e0b89c486e769212adaa8e85a0c414aeb98df60e4f10a9850147833d6e318985dbea84798145a52623e77678b3c6c500a881e3a33644bed22320dca6f411f09426b2cb60899b2610fa4b48bd5985c7d696c128c6bafc3799f4fe91bd78f40000000dcc16a7fa260b0169f243d88d9a1e4f7069f760761cbaf37f38c0edd9c9cc9967c4ca05c719f679e98d3a2f2a61865fd59d059f2ade30c52b432d15ca19ef4ef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.search-explorer.net/search_page.php"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000a6587e313294ed858e3132274fc70e9ae050ea6906164a1cf91b9a4ba0193034000000000e8000000002000020000000fa2213a240dfdb5c08004b178b1a4deb420201b0d20c01b23ae2ccd04ad84e0020000000d6061daba88e78ec671bc5c3922be667d1c88abcb0c4824297167646cb0753a8400000000bb5c42e8b1a48a0b6d604b929ac7012305ec5aac162293e3d4ea75edb172656c01b2d83248457cd5fc6ffe0aebc40d0de981b34b94c148d384e670c9f1291f9	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Search	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ = "IPugiObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\TypeLib\ = "{7FC19C98-AC4C-4d06-96D9-49F082D19FD7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\ = "SearchExplorer 1.0 Type Library"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj\CurVer\ = "SearchExplorer.SearchExplorerObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\ProgID\ = "SearchExplorer.SearchExplorerObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4D62-80AA-E95D89CB9811}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4D62-80AA-E95D89CB9811}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj\ = "SearchExplorer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4D62-80AA-E95D89CB9811}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0feae5fe89fcae53cb0b7d60e14e8961.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib\ = "{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ = "IPugiObj"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\VersionIndependentProgID\ = "SearchExplorer.SearchExplorerObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib\ = "{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj\CLSID\ = "{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\ = "Search Explorer Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj.1\ = "SearchExplorer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4D62-80AA-E95D89CB9811}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4D62-80AA-E95D89CB9811}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FC19C98-AC4C-4D06-96D9-49F082D19FD7}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0feae5fe89fcae53cb0b7d60e14e8961.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchExplorer.SearchExplorerObj.1\CLSID\ = "{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23DDAE8C-6A79-4d62-80AA-E95D89CB9811}\Implemented Categories	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2984	iexplore.exe
2984	iexplore.exe
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	28
PID 2984 wrote to memory of 2168	2984	iexplore.exe	30
PID 2984 wrote to memory of 2168	2984	iexplore.exe	30
PID 2984 wrote to memory of 2168	2984	iexplore.exe	30
PID 2984 wrote to memory of 2168	2984	iexplore.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0feae5fe89fcae53cb0b7d60e14e8961.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\0feae5fe89fcae53cb0b7d60e14e8961.dll
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
107b8682d3350264bb140a5ea503babd

SHA1
6cc626a99d117c33cf84ce21d0495b1ca8c05c36

SHA256
43a8145786fefecaf041b06648c2e53a327197c30680a9d9e32eb4032790c039

SHA512
2b98d91ce3967576cbeca659208ec21ff3d104ac6b9d74345178fca3b1b242053162df7ad24e4e7703e5771a20e0d6d14323ec6c5f68e2c70b2def1ada18a82e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bd6795cd395f3fade025aa96cd65ca3

SHA1
54ff82d752207708f770320e81660696312ebd8e

SHA256
8be8834027530e9b51a4f8915207e473241d2ba47ac8fee5ff6baac7a9fb3cc5

SHA512
1f9aa7889d6a9da47c93895b5250dbaf2a78629581f17db9a0f4d670b7401456756379d1aa9f49a67ec873653dbbe49e28825f51966d5ef5729f5d4c9324076b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c057c5fe5aedd88d989943c11045b99c

SHA1
6bbfb9ed47d6abb2d3f32796d4b13a76410c91c0

SHA256
b1b39a1a776cf692619594b75c83262c91bd55bd4bb56129ca4759ccddfc1e04

SHA512
3d4c08f1a088c1298b07bfcb6e2172e245c2f8ecedccb152ff7353385cb9ee4edda70847b1ddc0f1d124dfcba4edab97d13fab3c9c421db5eeea414dab64abe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e94f378099f4dd8dda8a303f79d0dbb0

SHA1
429cc322ce5cf3d27abd7eaa59d5ac0839f26e6f

SHA256
2bfdca8811bc2482ec8d22c03aa3a803362497e855abeb00b432a38bb46eeda1

SHA512
f2b7f8689e97ad5899e5327b0bc3c1e7fdc62fc703ffd59c488138ab60b7eb0e17a1209bc7e808c2e49fe1dde6f44faf4cf0f44a3541a8414695fd4683a55d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d0cd9880c128e3b84e18ca6aceec8e8

SHA1
8ffe8a15be2ce1f61b311ba301d75c3986890cb6

SHA256
af285eac031e944181231f907ab3f390359ecbd105ac6b97bec5d12439d49f99

SHA512
c64dbbac9d894bbbe2dbce561307dc08e0b62718b61f5d75cfc206bd008a6caf5088a7e791649e7e8ba5e10d36b86bc04fbc839f60e00236fb32a9ea572e2e27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb68820a4d395da15f5ca850e1229845

SHA1
820cfaa149aefec85cdb08476e652650d4d69e32

SHA256
870ce7773b2ad8531409af4091d3e702aae5aaa83d5677ab504595f135c91e43

SHA512
f156ebd46184833ebb78b91de0fcac8edc45288fe820f3882d4684d5219c3c47701b3ad409b7af4aff0fef8735ab1251b76acb75b28265e2464d301798e7dee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cc69a76fd152eb03469cb633031f58f

SHA1
ff707e83323e2674519efff496acd9a0c64e7b88

SHA256
932a08c1ae8e46355491d2bab62d758a6f0c3bd3e75046f2d5ccef0968450d58

SHA512
c32de7654867d88e6ddeae7ece7de6f5e94b40e85318df855a40210d1c557f595c8cb25905adb1f77efdf9babc9fbf88e3663339b638ce0eee40f44b71bad7ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef446638521420d989d71a5c2d236d8b

SHA1
3200a0cb20ccf445bfa7fd9e039576a8a526888f

SHA256
515999856983a71c7e084009bae4d4d3c35a754c9c8d4e4cd83f66f227096e4a

SHA512
c5c0e91bdc9cec97ee6e79cbce6f352fdfec9071ef2be6904a5091be33d3478ba8d7c8df41c3acde404b8512aea9c050cbf9a2dd7bd52662a2780e00c01d8eae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
816ac2ee2bd964af5e4eb82654c5635a

SHA1
3bd42a7cdab46367a6e5d9e3c77a0ab9772086cb

SHA256
1cff4b60bf4fa3680d742dacf2723cb1c5891fec8ee36c7251ebdc28eeaebfc1

SHA512
a66d65f9cdce278fcb3879f6cdfcfab8d4763fe4416f3351b15c10ad56ae9ab56380ebe9bbb647f07a0e228f8ab64dab87def59c4fed229ec92f2705e005b18a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58d1a8e8d21e87c3fc0a6fe7f9b7201a

SHA1
70100a3a3e4b4c97196f1791e3825c0d4eb74e25

SHA256
708c82c6ea056a5bb0340036d369562247fc712e4233df31b9f3f074567f8a0f

SHA512
0e1b14449eb1ffdae0c685e88704e8365bd38617529828a2e822dad09cd0e8280eb95afdf3375f403ae215fac7b859683db22134609df0d7e3a0a09e34d2a6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e29aff6d5f907dadb802fccd8722f9ae

SHA1
548d2bc06b0b2b5155d87e94230f091dd49aab6e

SHA256
d0dbc046828d91f2d99c95ffef8689268656d1c67d8e9c3adf3b17dbe8edb015

SHA512
789d4c45dd90b913784c116cfdb2a5f68241f9b23ad184d49f80121c945b3767770dcb1d1919ea82b61fe9495a91e608adcb8d7d6200b9c06817c3d18b83bf11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A68.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2864-1-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download