Analysis Overview
SHA256
4bd40978ef887eb143a1df76013d41165fc51feb53abdb5271f827ae2241fdb5
Threat Level: Known bad
The file YoWhatsApp-08212028-626.apk was found to be: Known bad.
Malicious Activity Summary
Gigabud
Loads dropped Dex/Jar
Requests dangerous framework permissions
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-30 04:44
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
| Allows an application to read user selected media files from external storage. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
Analysis: behavioral18
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:46
Platform
debian9-mipsbe-en-20211208
Max time kernel
61s
Command Line
Signatures
Processes
/tmp/l3ce7c8df_a64.so
[/tmp/l3ce7c8df_a64.so]
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
122s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 368 -p 2164 -ip 2164
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2164 -s 452
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
124s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4140 -ip 4140
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4140 -s 448
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
android-x86-arm-20230824-en
Max time kernel
1153606s
Max time network
127s
Command Line
Signatures
Gigabud
Processes
com.gbbwhatsapp
chmod 755 /data/user/0/com.gbbwhatsapp/files/.ss/l3ce7c8df.so
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| DE | 172.217.23.202:443 | digitalassetlinks.googleapis.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.39.110:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
Files
/data/data/com.gbbwhatsapp/files/.ss/l3ce7c8df.so
| MD5 | 030d3e22746d32c1c7b1678033802361 |
| SHA1 | a80c4afb3ef027846092644ea43765efee44c659 |
| SHA256 | e7fa64c1b8b263f083c05ace45e799bd043b09052a77fafe540049b320128f3b |
| SHA512 | daa7e0cbe3e2e89c5447f65553b3646f711e163e1fdbeec9729d671cb12ee473c49524a9adf97d1b81d73369a309c043cc61aa1b44ad9c7890d0fff02da9469e |
Analysis: behavioral4
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
138s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4012 -ip 4012
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4012 -s 472
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\strings_ca.spk.ps1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
124s
Max time network
156s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\strings_ca.spk.ps1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bf0wvsqs.4r0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4404-8-0x00000125041E0000-0x0000012504202000-memory.dmp
memory/4404-12-0x00007FFD205F0000-0x00007FFD210B1000-memory.dmp
memory/4404-13-0x00007FFD205F0000-0x00007FFD210B1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:48
Platform
debian9-armhf-en-20211208
Max time kernel
1s
Max time network
158s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:48
Platform
android-x64-arm64-20230824-en
Max time kernel
1153608s
Max time network
146s
Command Line
Signatures
Gigabud
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Processes
com.gbbwhatsapp
chmod 755 /data/user/0/com.gbbwhatsapp/files/.ss/l3ce7c8df.so
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 142.251.39.110:443 | N/A | tcp |
| NL | 142.251.39.110:443 | N/A | tcp |
| NL | 142.251.39.110:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 216.58.214.8:443 | ssl.google-analytics.com | tcp |
Files
/system_ext/framework/androidx.window.sidecar.jar
| MD5 | bdf3529e80318eb14e53a5bf3720c10d |
| SHA1 | 25c9ace4b1af6e80ebb2572345972c56505969ba |
| SHA256 | bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b |
| SHA512 | 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b |
/data/data/com.gbbwhatsapp/files/.ss/l3ce7c8df.so
| MD5 | ef543b742269b5d7f1f065f840450ace |
| SHA1 | 974d006057256da4ac28a4186619ab2d0905533d |
| SHA256 | 5d95fcb5ce0f716deb8963cbb13a47c3df8171fc7353c401b5cef3bd2057bff2 |
| SHA512 | 3afc2ed3132512bd7e138d6b95a4ec928ea093e52adcdea349d7766939a6576bd3c5938201d228ee5dca101ca9a7c2f37572d4b450f0cd805e303241f06311d2 |
Analysis: behavioral6
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 368 -p 220 -ip 220
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 220 -s 448
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
137s
Max time network
138s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03e6adafcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{054E77E1-46F0-11EE-A1D8-E66BF7DF47AF} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000ff760ef6b8aae162c97f8c9507ad9a64b59b2e2a048c0564d63c86ff0728ef22000000000e8000000002000020000000f90328601e4ef170ec73a95820217d8c605bf404376df86f52ab3459fce5c050200000008c05193243560e28a85b4369b2a14ecf9f2023c1752ff21769e5f64695ece065400000006d5034344612630acc19eec61c050f07a0ce34a7219719eda2dc1265a6f586cbfb94d8a15f49884db2eb94bd10065bc0c25cdf7ac28add94ac03ce1ce9405d58 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532587" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD79B.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\CabD80C.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eed5dd527d3d693f27d0a877a9284c19 |
| SHA1 | f150eb217626a6e00495890e9f91029b461e2811 |
| SHA256 | be64f7ed53950d230f5408eb3ee2965ac182c3af27642a9d9b345fee924d7ae9 |
| SHA512 | 888ddc467023853623ceadabfc02144cdb73f2bba669a2b6ab5d48491e2e77afb88f968ccad70013d2f1e2c572e5eb6e54a5faaa542badd82f149b46ee43938e |
C:\Users\Admin\AppData\Local\Temp\TarD88E.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c8696fe3e560e9a48138fa652ca84e99 |
| SHA1 | 4dfc41cde1b26b0753093c2c6ab135b2c8826067 |
| SHA256 | fd6646f62df70185cf3b2cc08ee33620108f260a92fe4f64274e936706e6c6f3 |
| SHA512 | 2cbf5f11297579efcf84b2696eb58ed798b0db5abb3865268d1c20fc93562120ae05e0f6171213daa775479844fb3b9d73b95094c057b6aa736d5f8de2ef1dc0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 072d1e31c6ca1e2ba5f0664c79830869 |
| SHA1 | cd22969851f8d73b6f607b08de435051d9f09741 |
| SHA256 | 9eb6be1042ecdb81d93e10f034c1f8c30702baa3092296cf356f38bb54bd9151 |
| SHA512 | e7f1b067a14c79edaa3c3aae4c0f600019dbd00decfd78300f256004e7a436c88dacd297846a56b6a046f923e90e7d95e30414b2eacb0c82627ea325f0c36129 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0b7bf4935b38e8dfc14db7fb3d7caf91 |
| SHA1 | c2b1c5b74dde7d3b1268f9bc90fa8dc039f93ab4 |
| SHA256 | ad4215987e1ac5d31d6ab9fd7060aed3868cb8440bf957146214ba1da9a6c8a2 |
| SHA512 | 59699a670e6305b4ef61e0eef5548c322ff6afd896c6de22177470b6439ebd4039958d03f3870934d568373c3e5c76817723477c93148aa803b4c8c6bdc9f186 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9374f756f004310eb00d62cc3c88480 |
| SHA1 | 767c70a3c43883d9105bf8f981173cc5f04d1778 |
| SHA256 | 42ce45282c4fa14804a7ac268b235b8ea880e7f0ebe65058be37e5b7e514e387 |
| SHA512 | a650a6d98d546967a445756360a1e757963f37e36b0d3de2846c793cd7fb6a4bf3c289a4f3313ee89754d7a9a23a484b429999c00a4ef5bd420a790045ff4bc3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 732efda432dabf760b5635aaff69557a |
| SHA1 | f853a8f64188afb35c1afd52f40f4d5d0ae1792c |
| SHA256 | 037d6382a1d08dc44e7c4ced4279a19952dff3e976dbc210121a3b55a38efd24 |
| SHA512 | e026d1973b32f5a113dc3e4f66dc00eb382805d7711f23d81d900802dda4ed3907af25d926ecf8baf3038129e54e76e06649fc715b0e68d902745d55e4fb5258 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3c1c49cadb844da12c8c5647527b534 |
| SHA1 | f7a9bcc19cde4ca7c29197e090acce7699380dcf |
| SHA256 | c80200aa4d5edfa522e97f34ecf1f0cb753ef7b1c348acd960b7453b1417f69f |
| SHA512 | 764f3c63f19c9eaa8c0caa5fb1741bda772ecff9f1cf563eae0e56436d7be29daa606c13b0a40de5101d9e9ec293e50e9c7c448ffcdb40e4cb6d57c49ac3ee64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41e02f0facbdfb60a0ddd845359290ce |
| SHA1 | 4efbef61c57020695e784a1bbe6c35aa5653df44 |
| SHA256 | 4c0e473a4f030e68c7686bc74e54956f50c51e69c1237a5aa5331eff432622ca |
| SHA512 | 965a199df4138a58f589bfbe7c4c76a134a0c2aef14d60b5bd906b888b2b4128ced9232586634137a327b75e34e854b39aa0bb322be330cba3b427054596c1a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4393093c3dff3fff659bd9f0d9ba2450 |
| SHA1 | 50f87485de64236926ee2c010d9a1c4ff666d28b |
| SHA256 | 2fdcd2fc938c686e2d9f031aacc56eafafbd3bda0b4335171c610bbe0f344e7f |
| SHA512 | 345c44750bd72cbaaaff64d552c8abfb3783fbc21d1bb1258d657fb9a88308944e7c6f5ac8b2d0a4b994a11428a7641a85f98b318f31334d9a86ea93251e2e27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5f622171a115595c255be5f29dc19b0 |
| SHA1 | 42d8b79b7d315e508e2aa888412781baef1e5534 |
| SHA256 | 2d557963a173baf0ff9adc4571cc273ca8c2cc8d83aa9458774fb31b3e155bce |
| SHA512 | 3fdc15acc5284da328fd09bd5f93646937252a1bd1087aa26de870166593141ab4d9cf870ed800fed1d31d59d07a5bcc5edfb41599c078b1f37360509935f963 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08862b99e659d37cd0211ad33aa67c97 |
| SHA1 | cf23a456357be2842ad1d773b33d4008bd920739 |
| SHA256 | b59eb8939cbc30ce37c25af3aff2ec5ef3b6d4bfb24cc90764c812dbde527421 |
| SHA512 | edb222b18cab607a2ca2cf246ebed1d1775ff2cbd7a20c8b8ac777b2a3fb09a1885ed9efa9a4519f75e7eeacb6ad1d6e2b3fdcd6e3f9c5c442c1e080aa4dfadd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05543ecb9ccc9d12893df71cec94cf8d |
| SHA1 | d43144bee3696733345714c6d8d6d9003693b212 |
| SHA256 | 5fdccec293a722314ffd3fb44de4cfac0564694c8395af9da1805e87da62abd5 |
| SHA512 | f0773ad02f9f70d1dd522c9b5ca44d3e6be8755574f4634b6b2ab2699eacbcbeb1cc17d97028bf4ac18d450fd9a13be60aea02a4fd7266c7462b15e7daed99a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89a16121c5fa94e78184fa8abfce0370 |
| SHA1 | f400b68c0f6fafa84031cdeb314bd052dc7c482c |
| SHA256 | a76c10bb3745153abed7b345d599b08e3d880314bbd5a3210088d5d6149afc08 |
| SHA512 | b3780d8adf76ee5176e90ec22b25e96261ea30e2575c9964093735c18bb826ba77387cd9371d15136697c539caa1543642d66e83018dd4bc7c7aa5c9b5df1677 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b0427107bacac0d346bd5b567860b048 |
| SHA1 | 7d3b13992aff3589bc9c0d6e49e411a7077b4774 |
| SHA256 | 58d9a74143330b860a15b617427aa00916c2132db89fdf0c1d37902745fbd4f0 |
| SHA512 | f54d51fa41edfcc1687e03b14f2e13810ce46033966d1b05ea15d13c3334b8fddc879ea41fef581168a5cab0e40eaeb0b0e15df35ebe3c3d7683389675ca99c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 955317f82adddb3116e35ba93275d76c |
| SHA1 | aaa9630b59a5cf2d339ebad450c94cf0dabd747f |
| SHA256 | 49c696c097d0868ac74cf23f1f438a3c9fadebeecee66910887102599c3b905b |
| SHA512 | 061273ae1362c3e220a083251bab410fd6f02e20550b342a80c4955b27f9e4f192a77809b8308b2058d1e2bcd614eb2a1f04ae4842f4a622440904de6529457b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f566724695fa9d62c1340ef6796cbd1 |
| SHA1 | f8ef2682e2d04fbeb94effe826b3d5b8e7b1e47f |
| SHA256 | a88b4b2fe0e027791819cc8256396a69435688253dd07291fb25735f78d2d243 |
| SHA512 | 74bf7b4f241a8f9abbcba3f2a15f39b13b82f53b8a1417e5f46357bfd56a28d8c354675cb0239adc7863637b48cfabbc87512ad7205bc7cb61cadb77e094dbf9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c2e7983afba788997c41b567b874f8a0 |
| SHA1 | 64f0737c83d2c6ec84372a271b33dc329af91e47 |
| SHA256 | deda4aeb8914b153687fb26adc3a89f8d215ced30d919472a775bed50682ab45 |
| SHA512 | 45554ff044dbe75fd910b22cd0c892e8a262cb0c87d32967525dbf6725368d8d53b281ed41f19924aba4b77b3ed4da597d6f300d40022b98f677f1c253058fe8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3af06308a80496c74ee2e6a94c871ed |
| SHA1 | 8182b8e08351c85748c0aa66ab9767c396ca163e |
| SHA256 | 32a22a2a43280fd8014e861e0fa6b4027182d6abe76da8c492a9496700c08744 |
| SHA512 | be6c83ea50c040eca96d79d4f29bdce7dc0a695d2f90ff0583912421c3bbd215e7d5e9feaaa6bf16cdbb9e1f6e726e9820abec3bef0a67a5b9fd63488f763585 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb4803e04b4ccfd16032c3c498fa508e |
| SHA1 | 6df35ef40910e682c3ec1419fab85920113a71d3 |
| SHA256 | 565ff9e744ba825a4c280a087b39190353491bae352e8c1a18fa9fa94eb77d1f |
| SHA512 | 6325a3fc5646fa95d9f19377b9a278a303ab0f46f3d97ee7c0240490e81253e379d823099b56b7d36b6d74d3f4890abe10e88295e07156a59e9d29c2f0539c5d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3eb7ac1c0ba3cc76d292c95f47182edb |
| SHA1 | 65fd17f0881fd5c4ccb7ef480bd7f0680a3df0ed |
| SHA256 | 8fa9d59b473cd9f20c579299272fc4997737c5c2bf2d2feedc7ed0b47bc57404 |
| SHA512 | a97fbcfb13263aa1a18c55996278d9414a7310be36b09cb311a332537b7467b81d51f0846cdb4df21b431d8c3091c2f980117ea06b2c0eed7bab6d3cb3bada9e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0bfe595edb4cfdd9d13248e60ec1565c |
| SHA1 | fcdbd3ee3b494d667073401580d6cba578665fb0 |
| SHA256 | e1325f3cc8a12f60d8ca83ac7e3787e70c88d8f6127e9ec856329c64e5a2864d |
| SHA512 | 5b95d523e65a9f357f6938a5f5c1fa27286884d1c6f8a7a7de416f9a61093ad7256da2d85ee46b171740ab0a248e449b053a1da43bce3d3fbc3be1c53175d0bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0aa0c184bf55b56f835782c34c878a91 |
| SHA1 | e63e1bf5760c6a415b474bd29a6e382bee82bb8e |
| SHA256 | 1071624550ceb0d06f4e845030ccd8f65ba4d2c399072abbe5603eb55aedea1b |
| SHA512 | 1270a49b55a6faf37a1320675c44c6227778a66e222d123651b01a4e3f4945dc5a53cfe6abb9e53ad4c18e80a1bc3fc006da903698e733c826f1fe9456582040 |
Analysis: behavioral11
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
134s
Max time network
139s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000005a191c95f865e2428d8a8de6616df6fb3cd244a4c5a858bc65133467be985d01000000000e8000000002000020000000ba3cabff99494afe3ea664efdb7596dc6c9bb8aa8c2b461e7808ca0ee08ef82520000000529dc6a5e2bdd74bf0b8bb513434f5f5e36c97be9a654d266b455210376963ee40000000e7abd5346a0fa80c6615aa2100d59d2a5c4a2ebf360eb7de4d4f11e4c354340f2d443dffcff2f0838008a9a00d42f02f61ec9f05b2f7aba52d0285c81339665a | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0411B221-46F0-11EE-8B58-FEA3F30CF971} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602700d9fcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532586" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabC035.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\CabC103.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarC147.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e205801d5342aa4ed87d268d29b40e3 |
| SHA1 | 1c92dddfd00738fcbeb7881d0a3d4aef0583dd6b |
| SHA256 | 24dd39974b78ff4d8e9b69504d5e3e2e20d0281f1503c3aefdd5bf5b9a485560 |
| SHA512 | 0473a9491077ceace9a3592d2b0b718edce267eabffbdb0cc2c810f83496c24dfa8d6f291b8e6e0996beb1d3d4507ddf573e037556636413da9d7615f8e9a100 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7157cc58ee10d10741dd3103c4c8f3a6 |
| SHA1 | e6e5078aa3d05d9955c0c7ad0404d11c1d905b0c |
| SHA256 | efd1910590653e8dba5d7be37c5ffe1d4ff9709b76b9adfbf7668a2bc1fd42f5 |
| SHA512 | 49d7b95cc1f59b919a14d385fc8ec408e1d9eebf663c6cb52c8e3275d05b409299d16899c65e44016b5f48c81d217a16fdada33839b9c55cba979bcd3eae4bc4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8180bc335db36813ce2d7881b4793539 |
| SHA1 | a69536a9fe38397370731c2f2fdaec219fe3e8de |
| SHA256 | b8bd6b1dbff08a99f61ed4fa424a8593e8e62d4368905b2da31a4d8c5c3db51a |
| SHA512 | 26ab86c67c1feba007ffe68207e69f8e05838d8284e4a22d0a524179df6236950ff34ce0bf1e88a54916dda1c97f1000f725f6ad8599696bc674825c14e1a05c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eec76c86c232ff8109b73211ea3135f9 |
| SHA1 | 95e90e029af5f35a61f4eeceeb3eaed2ee877ded |
| SHA256 | a43888cd28fb5a984046837f30a1e93c2774a316baa9f5e7e7d88e3a6d4dd5bc |
| SHA512 | 8308119d8e76ff555e1df50ee56d1d846bd263cfc5eb00baea5f700339b05e41b2431950b93053fc08b32902cf9896c3e717dc4e56d3dc3927292f27722e7030 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1905d53be08a6be3e1eb82e62f44eb53 |
| SHA1 | 571eddd99544ccbb6ca19ad918ef33bd90e61d2c |
| SHA256 | 6d17081a12bf0454945d5da7bf1a5cabfba6571c26c2e4818a61cdc859933b99 |
| SHA512 | e53c34ddc95283ce5d3f1c2557ba92d9fae1b918de7a9ece793e618a829cb47491c799725507dc706314cb3e206f0db7e4c24960401a0a73ec5844fc3310b83d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80edd6ccf6389c73c3598fb5731ced2b |
| SHA1 | 95917aebafb93d2aec1e0822c1cd2e5f59fae271 |
| SHA256 | 9df8056b60c6ea4c12b2a2918e7493084a002669d81a45d9752e3f31f43f7490 |
| SHA512 | aaf663e6a9351cbbc7796307cac5e091e9da9d39c3706f0d262a9a7b9d59736716a908c68804acdbc5cc4860a76cb67ef8fee4665337083ccf268ade938f16bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f97a8c21588485fbd1a96d45b677b83d |
| SHA1 | e967d4ebe63eb88d2d07a77712531ed9f659b9a0 |
| SHA256 | 39e03d12d58fe1e3e81a1fab48971dace680a2e97f112b74939d2a351a5f7b11 |
| SHA512 | 6e082effed34e800f75638cb5311d83380438f0a81a47360ca17907c35da9b4303c52f57d39382f2aa8b77b649f2c909fce16a3d8c7763ba108dbeecef572b25 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 361666607c06c44f2146c5a75da99cf7 |
| SHA1 | c504243d2e0891b09b2ba37ef9bea7645ee09b59 |
| SHA256 | f513c258f878f9a2a59721e1f5b663b4176f1c9fa32ae7657c2594b16e95e1bc |
| SHA512 | a5dc68ec377981df12ff5572be1ffc0bbd817437419952b70026bc7633b2115a97b5267b508b93ea472704b1afa231fcf73eb538d173d6a11dc457415c3c1d04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ff4de3e425fe2676317216c8dc0e0b9 |
| SHA1 | 87878e893b4df610ae58ad2647821eb850edd6a6 |
| SHA256 | 2ca993ad88f5556ac1b606211de77ae4efab909163a6bddf65256cb284b1d3ca |
| SHA512 | 7863017296f1009bdfdf2aa6c461538a34d5bfb14495e2d96b00a689ff0b956092e271d9f0213f3964136e45122fba535a51137982d28b17c02452da8f3bde83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7c7d07883f8c9b6b8833d5a60fefce24 |
| SHA1 | 02fc2e9dc3fb5ed08bbf91cd2018a8de8c907982 |
| SHA256 | 5fbd44c9be53b2a1e9ef1efcfc74cce41a3debe774c6a1a49f928065d8900877 |
| SHA512 | a985d176c34d7cd5022d1c16a34c2cd5980234eec02c731a471e2880b1fe3ae1429d5d361203481d80e3b4c39d6dc03211dae6055d639479d89ef04da14a2acd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0d530603f27c6b386ea3222636b6669f |
| SHA1 | 01271df6b4b050033e3b812e2645d1ce7c45643c |
| SHA256 | 1daefb8a20cca726daa892a2808f2ea226cf8da33447aafcfc85661a0c3b9a2c |
| SHA512 | cda21d2428fe7cd3d291c11c1133b7dcc89066f201bf67cf7d09b51b7e002761a49352a2e33c111ca2007feb6f686588b66d81a082c97eec373e6eddf428c506 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4945458ff86fcd1371fcb1e60413aa1 |
| SHA1 | 3fdf51a5daa67588502de2a275dd86c5b5643262 |
| SHA256 | 3a3f958eb25139be1f78ad4032439e12c39a543498892aa36d1262e6fef84a6a |
| SHA512 | 813a5eb7653c663ae7ef680576f64091f2672c0a6eacfd407d49e9aed2e477e89bc7018a428aec22c5537b20651b2eee1fa139ea287bb5a61619849115166218 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c27278ff9fdfd262bd312a559c7ec08 |
| SHA1 | a1f3a02b0944a6a0be5ddb1c3058260a51e59e9d |
| SHA256 | f58d2e65d8df0f46e8bb8eb479714b8d00735777f1b80917b1f2f4d0c7a5720b |
| SHA512 | 4afe131893cdaeb5fbb930400cf35caa18cb2f4b560db383fab580163d6715bf5cb74403548f07a9e3fa7fdecb80cbe73f6a6c3e078216d9ac8fa9e3c19ca7b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96a9613d6fe3094f3ff19ee29c128e37 |
| SHA1 | 2007b849dd3586e8e96d28378e5d936c4d3cc866 |
| SHA256 | fd3b488da317cfda5d44c26774b53b2edaba529263323d77fe7f989744c3b3bd |
| SHA512 | ec33f651f7630cb8e5ef610ac4f42af9782c79a266b9ba69a37eab8b6107c1b3468135ebc5b5bfc3be5c8f9b04a6d539d418e8090abfa0d5a43f04e9f7a850cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1fe142fe0c14b2d83cc421315366156 |
| SHA1 | 3ad35a24eab9a5b11268302f898c0f2017240bc3 |
| SHA256 | a7f4c38ed1f729e2c9726c6f02d0b4377e366ccaa403f822b05e696e85463470 |
| SHA512 | c06024cf8d897481dbcd92c278f904c305c8e26be5839839e13d03dd9bc90e08456f19ed7cd8e3b39c33a3ba474233535a461b50864328ddfcb6293cfad7714a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ffad4116374483ec13bfeb791f4a509 |
| SHA1 | da4cc33a903193212dea99b984bc2e4eda6a04c3 |
| SHA256 | 56fb63d02d58fcf3183dbec44942cec4dc3f5af87e8484ae08ec0e471b81ae64 |
| SHA512 | 53e0c909b9766977b90b36c82a4e0bbf7072df893ac8a9eb2bfc3a21c40d6da5cb1306ba494b9c57e5b8c4fe49848b8f74f821a8e24732f3056d761afae23ed8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e7f08c170ffbb59670454991f8dbd69 |
| SHA1 | 72cd23601697a87750b484d8735bce89ecf656dc |
| SHA256 | 276d6f4cafc649f23a49e13399caf8830d90760a8c20ebbcae8260529f185ef0 |
| SHA512 | 378d19439ce4cd806a5cadbe067c96e0c06a6d2c61a73d3c3331e576fab5feda967308084cf06fa34d64cd2f59ead22935a18835328e27982721e2b12a85e632 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fcfe95e709beb15a9f7c60b77f90c161 |
| SHA1 | 408d76d5bb5a38ef28c30ce09bd5284f59aa8dd1 |
| SHA256 | 22b2cd7c70d5e62a0366e5eb88fa99c9e9d3e83295cb6fbc33b91a1cad4e8e15 |
| SHA512 | 33513e148f334e32a1062293cef9530cfbd908438af385edb5a7e680988507468bc95de799e05d2a5f00fe84bc54893917ee4359b4ba219acca4f056932ad4de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4328278965796f29a320f50e29084838 |
| SHA1 | 6739e2d07472f1314303aa8b9e7b392d010287a5 |
| SHA256 | 0a8146fbde0b9a148ef19727c35df6bae307293877836d976a2293b0783d29bd |
| SHA512 | 25ceadc7bf669d3344403218a19ee54b1fd0b45f6c6cd7878a4749f72784fbeaf950d0a3f7e84a7644f165b9018d4a94a8887630d799c606f9c9e5587a2d341d |
Analysis: behavioral5
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
134s
Max time network
139s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc63000000000200000000001066000000010000200000004348d9a0d54f116ccba327d03a8f049d7a0ad0a6d9ab21fc072671a704781c2a000000000e80000000020000200000001273a4892b368b83b2f9190b2a6afd53aea16313ba780b35cddc0f7d9056a76a20000000c53a43d8d4915d8bf3d77dcf33c90a344c7fa2a72016107dc338dbdfbbc79f1740000000d428609920f1dc0748b05a808d98d0423a096c5cdbdf1a1b256be3ce1be9e9979bb1cb841290e70f2222877e28f869e9c1006fb00ae7b5c8e668411a638a3ffa | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532587" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fba0d9fcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{04F2CB21-46F0-11EE-99CD-FA28F6AD3DBC} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarC1D1.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f173c80d200a7ff4d4d792d3abe7962 |
| SHA1 | ddfa5e2511892dd51f750dbb25e64494536f113e |
| SHA256 | 97bba31adba1362e7ed05c1bd52001a54ea16747bb0c6ec207a80a8a77c13c45 |
| SHA512 | 25b24dc35c04d5915424c7ed245a07353e544328a34f2e38a85d95c50768720a4e6c264cdfad8936e1c31bd90e3f45b42d94921a439b7da85f4527a657ef880b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2110d775fffe43fed5bbc6db7ea57036 |
| SHA1 | b46c0109ae191ac7a69bfd0278942a2cb46e41f1 |
| SHA256 | 4e02d092dad77834311fce28899a0000e81ac4f1c234c781266e535743720c06 |
| SHA512 | 34901b843706bc2e7712100f82e6f562922ee3a65be437b1062806327506744d61348f78a54a63185f4af611d9600f2126baaa89c718fb7a8612b5cc63563bd5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c693a33a1127a9cdc7ecbe3be401b23 |
| SHA1 | 2f6246b195499c4544a2e6869477bf51a9043a2d |
| SHA256 | b4786001473ce24b65e43e88ce56dd681ff3050951a804b04fb56dbc83fdd326 |
| SHA512 | bea37b612fbf751f02165aa2b2aa45cd0f5efe12c646767c1b9cb7f34fd6cdd5346b111c3266374788ee6135810ee9677ad41a2e46dfb3a9dd395e4601044c4a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 507f775b3f39f213d12a036b37612b17 |
| SHA1 | db6c69265f21c2826a83e158eddba91be3118ee5 |
| SHA256 | e8a9ab3eab3d78c75641bb385d9661f20c2a1a891d68ca2b5e75e20b84b5220f |
| SHA512 | 9d966b1caa7813af94e205380b3302f2a4b78d54433a6fe88772e6f97273930dfad9d23d2014b44a87ded0aae57eb6c45429e83dcf848bb35d98b91a799c7d91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6cd1837c2e7bf79bdb7765a54cfea17 |
| SHA1 | 4626b52bdf4d3088a57a53e394906f27ee108c02 |
| SHA256 | 20e3162839d8ea4ed6fd9a1c5a83ddd6bf09521efa6d4642012df8546932620c |
| SHA512 | b99e9c3b98fce77249cbd246b3cdafcb49bda51e89fd735a010f97ee971eaa8924377bbc4277dbcdbf6df7cc9c050da0ad7919959748b0193955caa67ef0f1ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d39f59f17764b4dc53fc5b900b8020d2 |
| SHA1 | f2e20a716a302440132adb38400d0cffba0ab61f |
| SHA256 | f2b14035f27ccad259d94bcedb8926cd22768375b012d40993b6691a591d9e7d |
| SHA512 | b86b885e3c5d494476990b318cee018cdcc6607304fe0a86aae5df4ef01e99d5ab0a9af8b6b6374664d8942bef783ca74999eb561d9a5b21a2fba6ef64499b3b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6f8c839764e3135738a333358757993 |
| SHA1 | feac617e58066c1d12024e7d76622ebb45d52cc1 |
| SHA256 | c5493a35bf77ce64a248f8865e2a0f15f49b31eef25fdd832a443cbaa39f740b |
| SHA512 | 9387f88fb5426e13ba8e6024d3532880ed3140aa322159fe13f7550887480ac5b47f8848deba111a12c2b2ebd3ea776f3e53e1a432d60b178898ca8eb3eeba6b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c62f47a32c06378d50c4a73daf9aa17 |
| SHA1 | 9ae7d9aba83cbcd8718f751cf7770c69b828daa2 |
| SHA256 | 45e343f5a8085ad1cf4ea2f886f34d95c39709db7b22f7896c5e55ec98c2671e |
| SHA512 | 8baf7b20436c144fc85402d884ec637ec34ae6ebb14fb99c53d71888e22935b4907f7f1c640223c18b20cfcb7e07d20cc907a28816c5feb5b2b304640284e599 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3d13378ac7e9d684c4e6be9f4fb5208 |
| SHA1 | ed595bb257d916abfeb87e88b6fa61df6bdaabe5 |
| SHA256 | 004efad978061d3a41389c934d77b9e0afbc44acfd05381532c34760d604b0b6 |
| SHA512 | 182bca9fd5add611347d67478a03f75ad89843526f44da2c754e0c9460c5507b6e9bd0c2eb89a8b57e7112235cb2949226391069d523e125d11af36579911568 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2caf13bf6b10c2d6864955b33907268e |
| SHA1 | b70b759d7382a19a444eeba2bb5e5897fb848d77 |
| SHA256 | fa1925f210c2ff27b335fcffaf1dc83ad5024ff5e37338a7a2b3abb69ea57743 |
| SHA512 | 311f258d22dc4a3160d628ddb84a07f64f66d8ea1237970a44c0a23d96b253e82eaac2bfb43e86707c3116a2be926a7742903aee7e28b91ccef8c1528057520b |
Analysis: behavioral24
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230824-en
Max time kernel
134s
Max time network
143s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06FB3D81-46F0-11EE-9ADF-5AD8E9EE121A} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503b76dcfcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007527a1bfe6a818429fcd5676e9b72b2700000000020000000000106600000001000020000000320bc8a96cd42704e3cca61ca2a7c97ad043b5029fa5d5d74bfa8c8323f27c0d000000000e800000000200002000000056a2a4188fd7a074bffb7848b7df920764e6f4e95bae10dc1f9eee365f40277320000000258b7f8de9077a11a57f61c8c097c51fd61f99e0a0e2fef121598341653e62b140000000599fbd1fa3a0e792904df5fbed663806aaed5a8304e429e8a167d01d3fbc1b362118fc167d2e72d778a3614dcf22efa1097182b03a6e11f3ec8bfabe3ac284d4 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532591" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab21D5.tmp
| MD5 | e56ec378251cd65923ad88c1e14d0b6e |
| SHA1 | 7f5d986e0a34dd81487f6439fb0446ffa52a712e |
| SHA256 | 32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0 |
| SHA512 | 2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar2401.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ce591fb31e91193dc996551eb05854a |
| SHA1 | fd4e3bd443497d4de4292709769d7df45bf9d888 |
| SHA256 | e64ee963a2aac59141445800abbbfc7df43280e5bc0d9b72df0dfae87003cb90 |
| SHA512 | 06480de9902132b424080406876b1c60ea83edbdb0b5e80d81e5805bff62613d3d14344c039ba07e54ea0951f405998a0de5f7988156b7c6128d68b1267e683d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1c1b274db24501973f4624a248144d4 |
| SHA1 | 1caf9ba7665b33b6eb9ab08659c46daf595f78c8 |
| SHA256 | 22845d119a884921bdd355eca43d0f1760f06cbdbafeea4d8d8f450b2b6e0665 |
| SHA512 | e0ad2618f59f3a2734bd0be12a07a27c120a0768a3c8ee51e5a2dc9594600d6ec768eee4245d8974f2068c7e61b5e7c6044f2671ee3b3baebfd26cce1081b3c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c53425ae5ef7ffaaeaaa8b5c311de52 |
| SHA1 | a432190588a84dc8306e12db7b27d68f7f39015d |
| SHA256 | 145a0e0f4ec6a60a17070c6d60c2e331bb05e087f2875dab6307d85afd3baa46 |
| SHA512 | e9d9f379c0e446996437bf2dbdee686975005a88a746630356746222d48beedf55f581ed60623025ade8b9510ab4b481ff9e764aae8ae9221c21890b23132019 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e10dcd79aff47bdb0aedd70e4f5d1bd |
| SHA1 | af5cf7bf70e18ed697f0302d9a1bb8d0731e0342 |
| SHA256 | 358ce1b87ed990f5b22e1060dcc64728656c174b1cb14b754b4e78df4b143290 |
| SHA512 | 988c4eb12f9f013e38e3a22cd2109c548e79f9055d7df0f5d1de7eaeb3f2d5bbb82d047a3048dd1e571d0a0c8e00ede698528b8b8f998da38bebf5809e2cae61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fe351c778d1fedc294b5d643dada5e72 |
| SHA1 | ca03914166afec897052ad874777f9fa198fe385 |
| SHA256 | dd85b1c2356449f296d6a49b0497911d82f9a9ab7f49b0b9c3facd7b2411ee1c |
| SHA512 | 5b081969d37a4699fe48c19528e47142095d6526688092df46240a0407228caabdf477a7dc26149c93e94b11bdf2d2e57aa826b917657275668876326ed9a231 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 387087cc02030ff45dac091ef147a14f |
| SHA1 | 97ef517740a7aae410bd6444a0cdb2b24b2ac3b8 |
| SHA256 | 187b0551af418bd3e35cd337d60db5901f006a9d392d4e41d26590b785a9e6e8 |
| SHA512 | 308d2f6d2085aed92ef8a7761d940eece098436cc8ec5792e3d8aac1b59b598f8bce054b7e9eb1a6ea2ac6bd612a381279ea81d75cffdcf88c2f7ac9e7dc43a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80ff49abd4cc99d1730cfc7faf2bc279 |
| SHA1 | 7f4c49226be31e69602cd0dbb3067c9d28a406b5 |
| SHA256 | 085aa8001bc70dee27b35e1d97d92b1edf46cf36d2e982de27543feb28e9efd3 |
| SHA512 | ddaccd6bd4ccf838c37db15ac41b331a8c549738eab5b6f3516437aa4b38ca8a1eb93de9f7a8d03b167dd1276b5613892210ae7fd5ac283edcca1f1233a6d474 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a95b3cda588e1fe406b330695fa53275 |
| SHA1 | b6979fc5d7c051fa88d06b4892e5abe80cf22a96 |
| SHA256 | 404e7d284106c722f9715ebde3ee90548451a7cb4df3a72f59c9d31f73496dab |
| SHA512 | 2bec74853ad01b1e637347ebc78b7d8e4eebe42f7a72da636a236dcb9178d80180aa04e715e5a011b90b191ff1eacc58eda5ece5d9db054c91c892377f9794d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8d6c80cc8598b96d45781aef6d0b543 |
| SHA1 | f332bdfda6cd87487608ad0abf495fecf6c84c41 |
| SHA256 | 0b3442cbeaf410a9375b7276c50f6f72e75004ece59d58cdd71cfacb23f59ed8 |
| SHA512 | 006e3f5e7ba31318eb42ab7ea817dacde445f68ea8ec7322eaadc0b03b1f768eca5fbc1278caa8480f0a3d447b151908ae88adfa71d27247e56f4d1925b60ac7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e7e1612cda44c527fd6fe67cdf162ef5 |
| SHA1 | 7c1a736d8c4fd3be21aa9ec197ca1a2d1e7160b4 |
| SHA256 | 54f212dc329ade1da93a3812e3570a1a1bb6d4caacd691ad0fc4a24b28101782 |
| SHA512 | ebfabe053f2065a591a980fb9bd644b71746ef63ff21508f629aeed18e4f9b7348964e84d7db680377707f4cbcda3b85f1b4577f3e18bdba28b6cb6f0a997c01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b7dc0e1811fdf26d28394399ddaeddb0 |
| SHA1 | 1b02c6562c294e6e10958ca9f91070679d6e9324 |
| SHA256 | 193e8fc921b9cc4e95cac6b8fab204902780a2b1db37c965b0053a930a1ad117 |
| SHA512 | f02b601d32f23346389e31cab0d4cffce5aa7c7db77766d5a250ff37ce615a14dd09faf8ba3e6bc987f10726394355e24a31256524fa00137fddd53af1e32518 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ddcccb0261525290c7fad18aecf8458 |
| SHA1 | 7f99df0dc51572255892d7f9475807aa5ea821b4 |
| SHA256 | b92376283cd7bdeec9c96f930b31eb4aa9287ebd006403803becf68fc7ce55c3 |
| SHA512 | 134f869acb81859d77cc03f6dd62f37628e5a514763c064cef8dca6a1ffce161f18cf98c683aad1ecc0a92d3eabd480a5d8c540bb6d789f65f6558996dbbc9f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1fb3502fbdb948f3875147df4f6098fc |
| SHA1 | bc2c1bd97da2740fac84b526111cd5bf79e417e6 |
| SHA256 | 1043d5504178da2a358bc41cf77e00e52553a425518c33764e49e2f880aec4ca |
| SHA512 | a889708467e6a4ed9ea67dc1d645f3343b21a22588a9b366e1152a3843d47bf59e93f7dedfb4daaecc5f57368cecf8cef4db29e44a9d59be55be1a4c3a912e5a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7c94e14ac66d867e0955308cc574204e |
| SHA1 | 4e96d66ce32ce7117fde5ab5a3f7f2099c2ebf5a |
| SHA256 | 056cc46377dca1530713b54889aa7784165155f7cc2c7de01975a7e24c306196 |
| SHA512 | 945a9ebb87d05a019bf77e86baa2e422dcae1bab5640f834f3f16822f497ad05348f5f0aaa0ae166c6c9d0a27480dbc519fc08adbc629f62f7bbb52e484a02fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e367392999aff1c930262e7736b6c599 |
| SHA1 | 9badff23ae4c1a32da2db5b2a071694c0029263b |
| SHA256 | 85c1fba0573773ebbfa556527d75980349565b29c929773d2a31f2a30f1435cf |
| SHA512 | a096375c538f6798cc56d572217fbe424b968d4367b2547a398ad2729c2bdae3a1a39fc63ea494cb4ca218258861c98088bd8ab0c69aaf96c163efecc3575b10 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a3e173671e8151277fe5f929d75835b |
| SHA1 | 133adf32f798fa8d429e0f214362332dde68a1ce |
| SHA256 | 3c3e86604ec4af51ab3824fd7ea27ae88ccd3c05878532a6272150ab1f61cf5a |
| SHA512 | c8e319462549ad299309c07be0ee382e4035676b2ced5c5bcd07d214a78b086cd5e5f854b366f77b1bceb0ae086d46cca5dcd080c884c3173d6df371a5f022fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb61a2940c66f517c52580699495404b |
| SHA1 | e1b2fdca1d6350ac0769884d9d8249dfa5a6b54e |
| SHA256 | de90eadf9a326d91925ddd9c791057ac2bda5a17e854335681113d2a325fd9cd |
| SHA512 | 7247464a34256ccd3d69691c03f32fa20485f16c2dfc43f191e06dde9483e2e640e44b8ebd4d96e6b97a20ea55639ef9e8fe53fc58605936a3ddaf811947e58f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 21b88f6a01dcbc663509f661b0a62fc7 |
| SHA1 | f68a3f6ad008cb4c8b8f4b504533a49640723118 |
| SHA256 | 2b6a6e17f1136a36f0142b8584921b0f867e5076d427fb5852fa8e4bf036a9e0 |
| SHA512 | 11d6f557b6386aec03e1bd17f8193f41c3e2a95202e16a6f988569cd65fbc909deebb772627362971552ead141d35e27a78aa64c2b33d3fb842d10d62fbe557b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5db4c353d651c4da9dac96f6a64f6784 |
| SHA1 | 80f3095667ab49fa41c1d36dafe29fbc6a2ccffb |
| SHA256 | c92bca4cd44dd7d9be3b260b9f2ef5964ff55556088c4bba5ebd2963bbdd2fc8 |
| SHA512 | aa4e083fccf5f70a1d2f0e3238088750af7b79a7716cd42d62a03263a8428b16233c506ef897dd3190482cbc2970dfa0c16214d5ac431a30a574165f4e083b19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6911f624a7d1e9e16e2f0ccf01bdf35 |
| SHA1 | 9d1ce36abbf17b8619be86829f0bf12e5f997f59 |
| SHA256 | ea36b3888988d01b25ec96469933b4a2ad4181054da82eaf39ec61011572739c |
| SHA512 | 43bfa9a0f4f94ba0b7dbfd77466a7321efaedb9ffeba820f569de191d07ed07e42d0f27861600c252077f7dcc1b940aef5f20ea9d45ea29f2f2bb3ebc8f1e1c4 |
Analysis: behavioral19
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:45
Platform
debian9-mipsel-20221111-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
4s
Max time network
102s
Command Line
Signatures
Processes
/tmp/l3ce7c8df_x86.so
[/tmp/l3ce7c8df_x86.so]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
133s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3876 -ip 3876
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3876 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/3876-1-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp
memory/3876-0-0x00007FFA10030000-0x00007FFA10040000-memory.dmp
memory/3876-2-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp
memory/3876-3-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp
memory/3876-4-0x00007FFA4D8E0000-0x00007FFA4DBA9000-memory.dmp
memory/3876-5-0x00007FFA10030000-0x00007FFA10040000-memory.dmp
memory/3876-6-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
134s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4440 -ip 4440
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4440 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/4440-1-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp
memory/4440-0-0x00007FFF6E8F0000-0x00007FFF6E900000-memory.dmp
memory/4440-2-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp
memory/4440-3-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp
memory/4440-4-0x00007FFFAC050000-0x00007FFFAC319000-memory.dmp
memory/4440-5-0x00007FFF6E8F0000-0x00007FFF6E900000-memory.dmp
memory/4440-6-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:45
Platform
ubuntu1804-amd64-20230621-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l3ce7c8df_a64.so
[/tmp/l3ce7c8df_a64.so]
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
136s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1268 -ip 1268
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1268 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/1268-0-0x00007FFCFE7D0000-0x00007FFCFE7E0000-memory.dmp
memory/1268-1-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp
memory/1268-2-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp
memory/1268-3-0x00007FFD3C4A0000-0x00007FFD3C769000-memory.dmp
memory/1268-4-0x00007FFCFE7D0000-0x00007FFCFE7E0000-memory.dmp
memory/1268-5-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:45
Platform
debian9-armhf-20221125-en
Max time kernel
15s
Command Line
Signatures
Processes
/tmp/l3ce7c8df_a64.so
[/tmp/l3ce7c8df_a64.so]
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
138s
Max time network
139s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532585" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03B37521-46F0-11EE-ADF5-F2F391FB7C16} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000085916827662d447919c1e3591da1a932c8b9798dc949386e47311069279ae555000000000e800000000200002000000091f5900e69738fd48791ee0aaa76d5e8b157603c9cb1ba66849dac9fe1f4471220000000054cf22b24c972707910069b10ee5ee05bd5034ddd9099b47e0bfd38aeb3b9c640000000bd8c058c295459f2933151f2d4549789061dba49dbebf1b2d453344efadbfe4a7544daab4871194e68548a7b9808f20434e90bfdc428ca9701906be993f28d22 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a032b0d8fcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarB39E.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f1341a8c40929c7f52029a6816c77f3 |
| SHA1 | 8259068b6496adcae274126b0138b9faa07f7a14 |
| SHA256 | 312d7da8963c19551aea063a14ab148e25f3d56b5c3d84d2ac3716ead1dcfee7 |
| SHA512 | 0a9ee1731945e344badfbf9050fa6b859586464ccda7affb7d9b7f5c02a2d4ad499a41dcf92f52f6bd98830dbf75c7156e10f8294f9a12fbcdf356bbbf9e3995 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99ee9f91eaeaa90e158295908bd2aaf9 |
| SHA1 | 763df7de35bb5110dbbd5d15d862a9b68e9f13ae |
| SHA256 | 7c2c3fd8085b33b9fb6c09f6d68afdda9f27194fc8ffc0fc9b68b07364425611 |
| SHA512 | 17d6bc3df25ee5ecad38a4a7ddc95635949b0ce16e2db7bc28a93499de67c56a9b28a86db1de1aae9b32cfb89953d22c3b0ccf185a1522e1237733069bd50545 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5eb0d814e2d502c10889a5de98804aa5 |
| SHA1 | fd049906451e7715fb3ccb40784c2a04d6818deb |
| SHA256 | bd4f7f9a2331fa0bdbd129eda7871fec8df92110fe9002c531a943c1a7f973c2 |
| SHA512 | 58c252e0277ac4c37d0583921681f146de865e0975d6228ee23286865ac00902f6af07a5bfc9f0625fb4c5c20f193200a146561369c1166ea5ef103ef680518f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca5454be1e60ec029558130f04719751 |
| SHA1 | c63c074e0f4ce11b0df3b5255ef6f9a3c972f8cb |
| SHA256 | e4c708c2fbe32e005fa854c922526ba1cd172928df13ed955fd181e4316acd5e |
| SHA512 | 78831e15fe8c729d453838bf77b6e834e653a05c7cfa94934006437c011f6ac5eac37289688b2a416f1e3bcd5ed6ed5e31ebe23e30af9a2fce07ff98cba239ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64a3c08d32265f69ed9f253a86f84b77 |
| SHA1 | bac4e846a9195c476505b7d4f2123e12ed1ed30f |
| SHA256 | aaa610624e654203f6fa8be1ff408679d56db29d41223669787835e8c1679856 |
| SHA512 | 1db8d2985fa6debd1bfd696e2cf68c226d66a9c43e2441b27fa265df90f5ba742bc190145ee2bb8dc714e58ca6dbbb775628cfe167083bcef9c7e43258282e06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 910586d74b60dd3ac2f6d2cc4143da1b |
| SHA1 | 8d5c2f0f32769c75ad4f5635f2282f15c8640f40 |
| SHA256 | 4dc8f8baf9b28483618028dfcc2d119508ddc18bffd27f6f0319470872c16b3f |
| SHA512 | ab747a8f7a10ec1fbd8c0074b709b894daec6fee071b47d5333416bfc9510c30e2ba5271a33f6160f3ced780ac3caec93120bad6787422ae0c65629ffd14235c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eea55acf29846b36f019cc4eebb792e6 |
| SHA1 | 0770e828954de550f44d2c64500b117dead273a4 |
| SHA256 | 86b86a2e57ba7476923852fe46115182a313f99731c22987cb84d25dec202cd3 |
| SHA512 | 5cae5f6a3172859841a0c2adb2deaa83415878f4db517b761393dea46cde1a171b6afbe12ed0feaac8e5bf49be53c4a6988cf9d0bffcef631cb3ab2a215b470d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07417fbb43d0534c9d4f5077845b6842 |
| SHA1 | 1d6d582da6492f595a33f627625d489e0513ba13 |
| SHA256 | 2007c24f49665f7d5052f6372e7e0fbcd0af68351b6c5bd1be7bbbc96614631a |
| SHA512 | c47d2a7544a5d10086a3314b3d94e9344fee64684779ba71cdb35680e9845f25e65543366d1f6d45ef154400a5e03fc213139c6bbd8923fa6795cbe699b3854c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ce6c922699361f4c22e448f7fce993c |
| SHA1 | feffbc7cf6ba5f664c59222c861bd8ebadeec3c9 |
| SHA256 | e532918448ecfc88f64a2f5ad19a0f70f26a93e58a6b60ebe068e3fc85d9481b |
| SHA512 | b12884545c24fb8755eca4b593a4ccca69a64278bb1896536704f36d684cc78d6c5b5b13d1c8b95901167f8f91716a9863112b9ab955e468e2ea1e924faa4176 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22bb77ed23dd60081be28f4f9b562d6e |
| SHA1 | 8f78a9063bf9ce9a8c8644af50ea5f45994b7607 |
| SHA256 | 0b9332ea53dc6df8e593e764bd48c33e07bb575421de48439badbdf2dab6de86 |
| SHA512 | 3728acb0e0c1db7ca6669e60e8e29274c422a642b6be7e52b1e5c717d079883c2bf8a9ae961b7c44d1e66f934962def16dc42fc8b0c6a664906e8a6670d4e12e |
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
134s
Max time network
162s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{067B6EC1-46F0-11EE-B530-E23FD76D3CC4} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000031da6d2dc3a5ba7e79a11ddab8969623ccb74cc563f8ffde44dbafe5d1863aa9000000000e8000000002000020000000a4e5fdffe8ce0d1b08b49cfe18d53d0ad1cb04b406d315fac2eacb857519e75120000000c230bde49929f68b744e1d1992528eb72019914baa0a12a8ec6a62777e0a1f5f40000000dd3c91ca52c2dcfb8ae78ff18a4b610bc9b84e0d1feba453f69075f96c39d5f47abbc4307574aac0d57308865e04cf21b87a9cf5927b92fdf931e5eed2d65713 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04646dbfcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532610" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarBD10.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
Analysis: behavioral9
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
134s
Max time network
142s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b09aaedafcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000cc1405eec0789a7d87dc5470efd6fd72d49a00e3767fddaf8332ef1a60d84630000000000e800000000200002000000046bc933110ad62c8f3c03ac433037a45b334060db12cd41708e0bdadb58d26329000000087855114fd82f2b87a5d6d946446aec301e19d9f9c3f391dc880b370dac0dda582ed9e6f22ff82b5eb11d0ac6bee6824254c2c34ef5e6f24fdf75bd399ad699538757b8e0c12d045e9cf5b756e878d1a24165b0a6a01b099e8c8f6f89713f05d5107a1de61eb01666c73cf9729f56920f5774aaf51d4ad6afd15c26ec3a3ba1f38998e666cdbe3ffd50a4410f660108a400000008e0fdc1fb351aa566769b48cc5093bdf3fb3aade18f4720f0d8e40dd9b840e85e621943bd9d47ed571c7ac445a7e3dd9bb271ce3333edb1d5c839db409f3ff96 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532589" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05BDB471-46F0-11EE-AAA1-4E44D8A05677} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000db7b00fd87e1091a10047cd21ad7ab375c115952152d2528fafc4b1d992a7c17000000000e8000000002000020000000daecad96dc92868e3127c97040319cacdc213619bce069842200a9e2e0d8898e20000000e824cd0b62d610b3ecb4fe831156d0b2629ed75078679c36e3bc2978c3b82a164000000091e1da696f268358714b44f8204c69a97d10ae6cf9d7fb807bf5a7654ce451826f3d8aebde57fb2fb8953085afbe905e0d5bf5f8050d5e334086704618566f95 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabAE5A.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\TarAFAA.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral12
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win10v2004-20230703-en
Max time kernel
138s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4148 -ip 4148
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4148 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/4148-1-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp
memory/4148-0-0x00007FF8DD770000-0x00007FF8DD780000-memory.dmp
memory/4148-2-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp
memory/4148-3-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp
memory/4148-4-0x00007FF91AE10000-0x00007FF91B0D9000-memory.dmp
memory/4148-5-0x00007FF8DD770000-0x00007FF8DD780000-memory.dmp
memory/4148-6-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
win7-20230712-en
Max time kernel
134s
Max time network
138s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000008605f410ae35d6d12520a8cd6a4fd781d7161bd2b83c57362c3ab9e44529619f000000000e8000000002000020000000855fe5adb365ddf56392918cfcaa88c295a9b8fdbb0f4293a4f34bf09bc8802b20000000c47203e449d3e0b61da6946296669c5626f09ad1756b882761c82be71335b2dd400000005525c29073c2d5f8e695b63c37cca129374a03ba726415b21464fca1300b3fd042acce50b170368fb877ac7ff3eb12c002d4334700f7016f89aee43a9ed009b1 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3042eed7fcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{032CFF41-46F0-11EE-897D-66AFBA4EB959} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532585" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabA892.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\TarA944.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral20
Detonation Overview
Submitted
2023-08-30 04:44
Reported
2023-08-30 04:47
Platform
ubuntu1804-amd64-20230621-en
Max time kernel
3s
Max time network
134s
Command Line
Signatures
Processes
/tmp/l3ce7c8df_x64.so
[/tmp/l3ce7c8df_x64.so]