Malware Analysis Report

2024-12-01 22:19

Sample ID 230830-fczwlsch2w
Target YoWhatsApp-08212028-626.apk
SHA256 4bd40978ef887eb143a1df76013d41165fc51feb53abdb5271f827ae2241fdb5
Tags
gigabud infostealer rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral18, behavioral23, behavioral25, behavioral1, behavioral4, behavioral26, behavioral27, behavioral15, behavioral2, behavioral6, behavioral7, behavioral11, behavioral5, behavioral24, behavioral19, behavioral21, behavioral8, behavioral10, behavioral16, behavioral14, behavioral17, behavioral22, behavioral3, behavioral9, behavioral12, behavioral13, behavioral20 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256

4bd40978ef887eb143a1df76013d41165fc51feb53abdb5271f827ae2241fdb5

Threat Level: Known bad

The file YoWhatsApp-08212028-626.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud

Loads dropped Dex/Jar

Requests dangerous framework permissions

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-30 04:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read user selected media files from external storage. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:46

Platform

debian9-mipsbe-en-20211208

Max time kernel

61s

Command Line

[/tmp/l3ce7c8df_a64.so]

Signatures

N/A

Processes

/tmp/l3ce7c8df_a64.so

[/tmp/l3ce7c8df_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

122s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 368 -p 2164 -ip 2164

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2164 -s 452

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

memory/2164-1-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

memory/2164-0-0x00007FFB31AF0000-0x00007FFB31B00000-memory.dmp

memory/2164-2-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

memory/2164-3-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

memory/2164-4-0x00007FFB6F7C0000-0x00007FFB6FA89000-memory.dmp

memory/2164-5-0x00007FFB31AF0000-0x00007FFB31B00000-memory.dmp

memory/2164-6-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

124s

Max time network

135s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 4140 -ip 4140

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4140 -s 448

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

memory/4140-0-0x00007FFDBDED0000-0x00007FFDBDEE0000-memory.dmp

memory/4140-1-0x00007FFDFDE50000-0x00007FFDFE045000-memory.dmp

memory/4140-2-0x00007FFDFDE50000-0x00007FFDFE045000-memory.dmp

memory/4140-3-0x00007FFDFDE50000-0x00007FFDFE045000-memory.dmp

memory/4140-4-0x00007FFDFB970000-0x00007FFDFBC39000-memory.dmp

memory/4140-5-0x00007FFDBDED0000-0x00007FFDBDEE0000-memory.dmp

memory/4140-6-0x00007FFDFDE50000-0x00007FFDFE045000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

android-x86-arm-20230824-en

Max time kernel

1153606s

Max time network

127s

Command Line

com.gbbwhatsapp

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

com.gbbwhatsapp

chmod 755 /data/user/0/com.gbbwhatsapp/files/.ss/l3ce7c8df.so

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
DE | 172.217.23.202:443 | digitalassetlinks.googleapis.com | tcp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp
NL | 142.251.39.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.36.14:443 | android.apis.google.com | tcp
NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp

Files

/data/data/com.gbbwhatsapp/files/.ss/l3ce7c8df.so

MD5 030d3e22746d32c1c7b1678033802361
SHA1 a80c4afb3ef027846092644ea43765efee44c659
SHA256 e7fa64c1b8b263f083c05ace45e799bd043b09052a77fafe540049b320128f3b
SHA512 daa7e0cbe3e2e89c5447f65553b3646f711e163e1fdbeec9729d671cb12ee473c49524a9adf97d1b81d73369a309c043cc61aa1b44ad9c7890d0fff02da9469e

Analysis: behavioral4

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 4012 -ip 4012

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4012 -s 472

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

memory/4012-1-0x00007FFF13010000-0x00007FFF13205000-memory.dmp

memory/4012-0-0x00007FFED3090000-0x00007FFED30A0000-memory.dmp

memory/4012-2-0x00007FFF13010000-0x00007FFF13205000-memory.dmp

memory/4012-3-0x00007FFF107C0000-0x00007FFF10A89000-memory.dmp

memory/4012-4-0x00007FFED3090000-0x00007FFED30A0000-memory.dmp

memory/4012-5-0x00007FFF13010000-0x00007FFF13205000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

118s

Max time network

126s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\strings_ca.spk.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\strings_ca.spk.ps1

Network

N/A

Files

memory/2280-4-0x000000001B330000-0x000000001B612000-memory.dmp

memory/2280-5-0x0000000002220000-0x0000000002228000-memory.dmp

memory/2280-6-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

memory/2280-7-0x0000000002620000-0x00000000026A0000-memory.dmp

memory/2280-8-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

memory/2280-9-0x0000000002620000-0x00000000026A0000-memory.dmp

memory/2280-10-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

memory/2280-11-0x0000000002620000-0x00000000026A0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

124s

Max time network

156s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\strings_ca.spk.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\strings_ca.spk.ps1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bf0wvsqs.4r0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4404-8-0x00000125041E0000-0x0000012504202000-memory.dmp

memory/4404-12-0x00007FFD205F0000-0x00007FFD210B1000-memory.dmp

memory/4404-13-0x00007FFD205F0000-0x00007FFD210B1000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:48

Platform

debian9-armhf-en-20211208

Max time kernel

1s

Max time network

158s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:48

Platform

android-x64-arm64-20230824-en

Max time kernel

1153608s

Max time network

146s

Command Line

com.gbbwhatsapp

Signatures

Gigabud

rat trojan infostealer gigabud

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Processes

com.gbbwhatsapp

chmod 755 /data/user/0/com.gbbwhatsapp/files/.ss/l3ce7c8df.so

Network

Country | Destination | Domain | Proto
NL | 142.251.39.110:443 | | tcp
NL | 142.251.39.110:443 | | tcp
NL | 142.251.39.110:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 216.58.214.8:443 | ssl.google-analytics.com | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/data/com.gbbwhatsapp/files/.ss/l3ce7c8df.so

MD5 ef543b742269b5d7f1f065f840450ace
SHA1 974d006057256da4ac28a4186619ab2d0905533d
SHA256 5d95fcb5ce0f716deb8963cbb13a47c3df8171fc7353c401b5cef3bd2057bff2
SHA512 3afc2ed3132512bd7e138d6b95a4ec928ea093e52adcdea349d7766939a6576bd3c5938201d228ee5dca101ca9a7c2f37572d4b450f0cd805e303241f06311d2

Analysis: behavioral6

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 368 -p 220 -ip 220

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 220 -s 448

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp

Files

memory/220-0-0x00007FFC34410000-0x00007FFC34420000-memory.dmp

memory/220-1-0x00007FFC74390000-0x00007FFC74585000-memory.dmp

memory/220-2-0x00007FFC74390000-0x00007FFC74585000-memory.dmp

memory/220-3-0x00007FFC71E70000-0x00007FFC72139000-memory.dmp

memory/220-4-0x00007FFC34410000-0x00007FFC34420000-memory.dmp

memory/220-5-0x00007FFC74390000-0x00007FFC74585000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

137s

Max time network

138s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000b1eb9d2c98afcfde65837603d606bde441afba05a3816963ea3174f893d98376000000000e80000000020000200000001a5772e68034a0975e6f6214879c16cdd0a8da2ee8309daa3f56b0e31d4de0d590000000fd42b252cacadb2eecf44fc5393e1848f42138e702a9867568961afb2ded1a1617d4b854ba92ba8481575952d8b85b9e7b7702ce7fbb479c81c64f2705716f827a7f828de8679e6dcd80408701e0247fbac1b1e19799c2393e342b981fc76ffbd7779dc9f93f1f06f310cd3762669c379c8a6fce05759f6ced297c9031e644d7b1467baa05655f6f0934ec37e765f4264000000019d5e8d62e352b15705fe4d20c97793c2266dc2f3ea836e8a46488c15c55cb000ee34a07f910368effc161023b465ad4f92f02709e9c5f0c0796b25541914c67 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03e6adafcdad901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{054E77E1-46F0-11EE-A1D8-E66BF7DF47AF} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000ff760ef6b8aae162c97f8c9507ad9a64b59b2e2a048c0564d63c86ff0728ef22000000000e8000000002000020000000f90328601e4ef170ec73a95820217d8c605bf404376df86f52ab3459fce5c050200000008c05193243560e28a85b4369b2a14ecf9f2023c1752ff21769e5f64695ece065400000006d5034344612630acc19eec61c050f07a0ce34a7219719eda2dc1265a6f586cbfb94d8a15f49884db2eb94bd10065bc0c25cdf7ac28add94ac03ce1ce9405d58 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532587" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1960 wrote to memory of 2116 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1960 wrote to memory of 2116 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1960 wrote to memory of 2116 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1960 wrote to memory of 2116 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2116 wrote to memory of 748 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 748 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 748 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 748 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 748 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 748 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 748 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 748 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabD79B.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\CabD80C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eed5dd527d3d693f27d0a877a9284c19
SHA1 f150eb217626a6e00495890e9f91029b461e2811
SHA256 be64f7ed53950d230f5408eb3ee2965ac182c3af27642a9d9b345fee924d7ae9
SHA512 888ddc467023853623ceadabfc02144cdb73f2bba669a2b6ab5d48491e2e77afb88f968ccad70013d2f1e2c572e5eb6e54a5faaa542badd82f149b46ee43938e

C:\Users\Admin\AppData\Local\Temp\TarD88E.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c8696fe3e560e9a48138fa652ca84e99
SHA1 4dfc41cde1b26b0753093c2c6ab135b2c8826067
SHA256 fd6646f62df70185cf3b2cc08ee33620108f260a92fe4f64274e936706e6c6f3
SHA512 2cbf5f11297579efcf84b2696eb58ed798b0db5abb3865268d1c20fc93562120ae05e0f6171213daa775479844fb3b9d73b95094c057b6aa736d5f8de2ef1dc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 072d1e31c6ca1e2ba5f0664c79830869
SHA1 cd22969851f8d73b6f607b08de435051d9f09741
SHA256 9eb6be1042ecdb81d93e10f034c1f8c30702baa3092296cf356f38bb54bd9151
SHA512 e7f1b067a14c79edaa3c3aae4c0f600019dbd00decfd78300f256004e7a436c88dacd297846a56b6a046f923e90e7d95e30414b2eacb0c82627ea325f0c36129

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b7bf4935b38e8dfc14db7fb3d7caf91
SHA1 c2b1c5b74dde7d3b1268f9bc90fa8dc039f93ab4
SHA256 ad4215987e1ac5d31d6ab9fd7060aed3868cb8440bf957146214ba1da9a6c8a2
SHA512 59699a670e6305b4ef61e0eef5548c322ff6afd896c6de22177470b6439ebd4039958d03f3870934d568373c3e5c76817723477c93148aa803b4c8c6bdc9f186

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9374f756f004310eb00d62cc3c88480
SHA1 767c70a3c43883d9105bf8f981173cc5f04d1778
SHA256 42ce45282c4fa14804a7ac268b235b8ea880e7f0ebe65058be37e5b7e514e387
SHA512 a650a6d98d546967a445756360a1e757963f37e36b0d3de2846c793cd7fb6a4bf3c289a4f3313ee89754d7a9a23a484b429999c00a4ef5bd420a790045ff4bc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 732efda432dabf760b5635aaff69557a
SHA1 f853a8f64188afb35c1afd52f40f4d5d0ae1792c
SHA256 037d6382a1d08dc44e7c4ced4279a19952dff3e976dbc210121a3b55a38efd24
SHA512 e026d1973b32f5a113dc3e4f66dc00eb382805d7711f23d81d900802dda4ed3907af25d926ecf8baf3038129e54e76e06649fc715b0e68d902745d55e4fb5258

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3c1c49cadb844da12c8c5647527b534
SHA1 f7a9bcc19cde4ca7c29197e090acce7699380dcf
SHA256 c80200aa4d5edfa522e97f34ecf1f0cb753ef7b1c348acd960b7453b1417f69f
SHA512 764f3c63f19c9eaa8c0caa5fb1741bda772ecff9f1cf563eae0e56436d7be29daa606c13b0a40de5101d9e9ec293e50e9c7c448ffcdb40e4cb6d57c49ac3ee64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41e02f0facbdfb60a0ddd845359290ce
SHA1 4efbef61c57020695e784a1bbe6c35aa5653df44
SHA256 4c0e473a4f030e68c7686bc74e54956f50c51e69c1237a5aa5331eff432622ca
SHA512 965a199df4138a58f589bfbe7c4c76a134a0c2aef14d60b5bd906b888b2b4128ced9232586634137a327b75e34e854b39aa0bb322be330cba3b427054596c1a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4393093c3dff3fff659bd9f0d9ba2450
SHA1 50f87485de64236926ee2c010d9a1c4ff666d28b
SHA256 2fdcd2fc938c686e2d9f031aacc56eafafbd3bda0b4335171c610bbe0f344e7f
SHA512 345c44750bd72cbaaaff64d552c8abfb3783fbc21d1bb1258d657fb9a88308944e7c6f5ac8b2d0a4b994a11428a7641a85f98b318f31334d9a86ea93251e2e27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5f622171a115595c255be5f29dc19b0
SHA1 42d8b79b7d315e508e2aa888412781baef1e5534
SHA256 2d557963a173baf0ff9adc4571cc273ca8c2cc8d83aa9458774fb31b3e155bce
SHA512 3fdc15acc5284da328fd09bd5f93646937252a1bd1087aa26de870166593141ab4d9cf870ed800fed1d31d59d07a5bcc5edfb41599c078b1f37360509935f963

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08862b99e659d37cd0211ad33aa67c97
SHA1 cf23a456357be2842ad1d773b33d4008bd920739
SHA256 b59eb8939cbc30ce37c25af3aff2ec5ef3b6d4bfb24cc90764c812dbde527421
SHA512 edb222b18cab607a2ca2cf246ebed1d1775ff2cbd7a20c8b8ac777b2a3fb09a1885ed9efa9a4519f75e7eeacb6ad1d6e2b3fdcd6e3f9c5c442c1e080aa4dfadd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05543ecb9ccc9d12893df71cec94cf8d
SHA1 d43144bee3696733345714c6d8d6d9003693b212
SHA256 5fdccec293a722314ffd3fb44de4cfac0564694c8395af9da1805e87da62abd5
SHA512 f0773ad02f9f70d1dd522c9b5ca44d3e6be8755574f4634b6b2ab2699eacbcbeb1cc17d97028bf4ac18d450fd9a13be60aea02a4fd7266c7462b15e7daed99a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89a16121c5fa94e78184fa8abfce0370
SHA1 f400b68c0f6fafa84031cdeb314bd052dc7c482c
SHA256 a76c10bb3745153abed7b345d599b08e3d880314bbd5a3210088d5d6149afc08
SHA512 b3780d8adf76ee5176e90ec22b25e96261ea30e2575c9964093735c18bb826ba77387cd9371d15136697c539caa1543642d66e83018dd4bc7c7aa5c9b5df1677

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0427107bacac0d346bd5b567860b048
SHA1 7d3b13992aff3589bc9c0d6e49e411a7077b4774
SHA256 58d9a74143330b860a15b617427aa00916c2132db89fdf0c1d37902745fbd4f0
SHA512 f54d51fa41edfcc1687e03b14f2e13810ce46033966d1b05ea15d13c3334b8fddc879ea41fef581168a5cab0e40eaeb0b0e15df35ebe3c3d7683389675ca99c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 955317f82adddb3116e35ba93275d76c
SHA1 aaa9630b59a5cf2d339ebad450c94cf0dabd747f
SHA256 49c696c097d0868ac74cf23f1f438a3c9fadebeecee66910887102599c3b905b
SHA512 061273ae1362c3e220a083251bab410fd6f02e20550b342a80c4955b27f9e4f192a77809b8308b2058d1e2bcd614eb2a1f04ae4842f4a622440904de6529457b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f566724695fa9d62c1340ef6796cbd1
SHA1 f8ef2682e2d04fbeb94effe826b3d5b8e7b1e47f
SHA256 a88b4b2fe0e027791819cc8256396a69435688253dd07291fb25735f78d2d243
SHA512 74bf7b4f241a8f9abbcba3f2a15f39b13b82f53b8a1417e5f46357bfd56a28d8c354675cb0239adc7863637b48cfabbc87512ad7205bc7cb61cadb77e094dbf9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2e7983afba788997c41b567b874f8a0
SHA1 64f0737c83d2c6ec84372a271b33dc329af91e47
SHA256 deda4aeb8914b153687fb26adc3a89f8d215ced30d919472a775bed50682ab45
SHA512 45554ff044dbe75fd910b22cd0c892e8a262cb0c87d32967525dbf6725368d8d53b281ed41f19924aba4b77b3ed4da597d6f300d40022b98f677f1c253058fe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3af06308a80496c74ee2e6a94c871ed
SHA1 8182b8e08351c85748c0aa66ab9767c396ca163e
SHA256 32a22a2a43280fd8014e861e0fa6b4027182d6abe76da8c492a9496700c08744
SHA512 be6c83ea50c040eca96d79d4f29bdce7dc0a695d2f90ff0583912421c3bbd215e7d5e9feaaa6bf16cdbb9e1f6e726e9820abec3bef0a67a5b9fd63488f763585

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb4803e04b4ccfd16032c3c498fa508e
SHA1 6df35ef40910e682c3ec1419fab85920113a71d3
SHA256 565ff9e744ba825a4c280a087b39190353491bae352e8c1a18fa9fa94eb77d1f
SHA512 6325a3fc5646fa95d9f19377b9a278a303ab0f46f3d97ee7c0240490e81253e379d823099b56b7d36b6d74d3f4890abe10e88295e07156a59e9d29c2f0539c5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3eb7ac1c0ba3cc76d292c95f47182edb
SHA1 65fd17f0881fd5c4ccb7ef480bd7f0680a3df0ed
SHA256 8fa9d59b473cd9f20c579299272fc4997737c5c2bf2d2feedc7ed0b47bc57404
SHA512 a97fbcfb13263aa1a18c55996278d9414a7310be36b09cb311a332537b7467b81d51f0846cdb4df21b431d8c3091c2f980117ea06b2c0eed7bab6d3cb3bada9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bfe595edb4cfdd9d13248e60ec1565c
SHA1 fcdbd3ee3b494d667073401580d6cba578665fb0
SHA256 e1325f3cc8a12f60d8ca83ac7e3787e70c88d8f6127e9ec856329c64e5a2864d
SHA512 5b95d523e65a9f357f6938a5f5c1fa27286884d1c6f8a7a7de416f9a61093ad7256da2d85ee46b171740ab0a248e449b053a1da43bce3d3fbc3be1c53175d0bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0aa0c184bf55b56f835782c34c878a91
SHA1 e63e1bf5760c6a415b474bd29a6e382bee82bb8e
SHA256 1071624550ceb0d06f4e845030ccd8f65ba4d2c399072abbe5603eb55aedea1b
SHA512 1270a49b55a6faf37a1320675c44c6227778a66e222d123651b01a4e3f4945dc5a53cfe6abb9e53ad4c18e80a1bc3fc006da903698e733c826f1fe9456582040

Analysis: behavioral11

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

134s

Max time network

139s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000005a191c95f865e2428d8a8de6616df6fb3cd244a4c5a858bc65133467be985d01000000000e8000000002000020000000ba3cabff99494afe3ea664efdb7596dc6c9bb8aa8c2b461e7808ca0ee08ef82520000000529dc6a5e2bdd74bf0b8bb513434f5f5e36c97be9a654d266b455210376963ee40000000e7abd5346a0fa80c6615aa2100d59d2a5c4a2ebf360eb7de4d4f11e4c354340f2d443dffcff2f0838008a9a00d42f02f61ec9f05b2f7aba52d0285c81339665a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0411B221-46F0-11EE-8B58-FEA3F30CF971} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602700d9fcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532586" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
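
Reading the WriteProcessMemory rows above: the writes run MSOXMLED.EXE -> 32-bit iexplore.exe -> 64-bit IEXPLORE.EXE -> 32-bit IEXPLORE.EXE, and the last process's command line carries SCODEF:2484, the PID of the 64-bit frame that wrote to it (the earlier run shows the same pairing, SCODEF:748 against writer PID 748). That is how Internet Explorer starts its tab processes, so the signature here records the browser launching after Office's XML editor handed it the .xml file from Temp, not the sample writing into another process. The script below is an added example, not part of the sandbox report or of its producer's tooling: it parses rows in the layout shown on this page, rebuilds the chain, and accepts it only when every written-to image is iexplore.exe and the tab's SCODEF value is the PID of its writer. The row regex is this example's assumption about the report format; the SCODEF-equals-frame-PID pairing is what both runs on this page show.

```python
"""Rebuild the process chain behind a sandbox report's 'Suspicious use of
WriteProcessMemory' rows and test whether it is Internet Explorer's own
launcher -> frame -> tab start-up rather than the sample injecting code."""
import re

# Rows copied from the behavioral11 signature table above; each repeated row
# is one recorded WriteProcessMemory call.
WPM_ROWS = r"""
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2124 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2124 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Command line of the last process in the chain, from the Processes list above.
TAB_CMDLINE = r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2'

# Row layout assumed from this page: the two image paths both start with a
# drive letter, so a lazy match on the first one splits them correctly.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (C:\\.*?) (C:\\.*)$")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def parse_writes(rows):
    """Map (writer_pid, target_pid) -> [writer_image, target_image, write_count]."""
    edges = {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            entry = edges.setdefault((int(m[1]), int(m[2])), [m[4], m[5], 0])
            entry[2] += 1
    return edges


def process_chain(edges):
    """PIDs from the root writer (never itself a target) down to the last target.
    This report shows one linear chain; a fork is reported instead of guessed at."""
    roots = {w for w, _ in edges} - {t for _, t in edges}
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {sorted(roots)}")
    chain = [roots.pop()]
    while True:
        children = [t for w, t in edges if w == chain[-1]]
        if not children:
            return chain
        if len(children) > 1:
            raise ValueError(f"PID {chain[-1]} wrote to several processes: {children}")
        chain.append(children[0])


def image_name(path):
    """Case-folded file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def scodef_pid(cmdline):
    """PID carried in the SCODEF: argument IE gives each tab process, or None."""
    m = SCODEF_RE.search(cmdline)
    return int(m[1]) if m else None


def is_native_ie_launch(edges, tab_cmdline):
    """True when every written-to process is iexplore.exe and the tab's SCODEF
    value is the PID of the frame process that wrote to it."""
    chain = process_chain(edges)
    if len(chain) < 3:
        return False
    if any(image_name(edges[(w, t)][1]) != "iexplore.exe" for w, t in zip(chain, chain[1:])):
        return False
    return scodef_pid(tab_cmdline) == chain[-2]


if __name__ == "__main__":
    edges = parse_writes(WPM_ROWS)
    for (w, t), (wi, ti, n) in edges.items():
        print(f"{w} ({image_name(wi)}) -> {t} ({image_name(ti)}): {n} writes")
    print("chain:", " -> ".join(map(str, process_chain(edges))))
    print("native IE launch:", is_native_ie_launch(edges, TAB_CMDLINE))
```

The check is deliberately narrow: a chain whose last target is anything other than iexplore.exe, or whose tab names a SCODEF PID that did not write to it, is returned as not native and should be read as a real injection candidate rather than browser noise.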

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabC035.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\CabC103.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarC147.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e205801d5342aa4ed87d268d29b40e3
SHA1 1c92dddfd00738fcbeb7881d0a3d4aef0583dd6b
SHA256 24dd39974b78ff4d8e9b69504d5e3e2e20d0281f1503c3aefdd5bf5b9a485560
SHA512 0473a9491077ceace9a3592d2b0b718edce267eabffbdb0cc2c810f83496c24dfa8d6f291b8e6e0996beb1d3d4507ddf573e037556636413da9d7615f8e9a100

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7157cc58ee10d10741dd3103c4c8f3a6
SHA1 e6e5078aa3d05d9955c0c7ad0404d11c1d905b0c
SHA256 efd1910590653e8dba5d7be37c5ffe1d4ff9709b76b9adfbf7668a2bc1fd42f5
SHA512 49d7b95cc1f59b919a14d385fc8ec408e1d9eebf663c6cb52c8e3275d05b409299d16899c65e44016b5f48c81d217a16fdada33839b9c55cba979bcd3eae4bc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8180bc335db36813ce2d7881b4793539
SHA1 a69536a9fe38397370731c2f2fdaec219fe3e8de
SHA256 b8bd6b1dbff08a99f61ed4fa424a8593e8e62d4368905b2da31a4d8c5c3db51a
SHA512 26ab86c67c1feba007ffe68207e69f8e05838d8284e4a22d0a524179df6236950ff34ce0bf1e88a54916dda1c97f1000f725f6ad8599696bc674825c14e1a05c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eec76c86c232ff8109b73211ea3135f9
SHA1 95e90e029af5f35a61f4eeceeb3eaed2ee877ded
SHA256 a43888cd28fb5a984046837f30a1e93c2774a316baa9f5e7e7d88e3a6d4dd5bc
SHA512 8308119d8e76ff555e1df50ee56d1d846bd263cfc5eb00baea5f700339b05e41b2431950b93053fc08b32902cf9896c3e717dc4e56d3dc3927292f27722e7030

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1905d53be08a6be3e1eb82e62f44eb53
SHA1 571eddd99544ccbb6ca19ad918ef33bd90e61d2c
SHA256 6d17081a12bf0454945d5da7bf1a5cabfba6571c26c2e4818a61cdc859933b99
SHA512 e53c34ddc95283ce5d3f1c2557ba92d9fae1b918de7a9ece793e618a829cb47491c799725507dc706314cb3e206f0db7e4c24960401a0a73ec5844fc3310b83d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80edd6ccf6389c73c3598fb5731ced2b
SHA1 95917aebafb93d2aec1e0822c1cd2e5f59fae271
SHA256 9df8056b60c6ea4c12b2a2918e7493084a002669d81a45d9752e3f31f43f7490
SHA512 aaf663e6a9351cbbc7796307cac5e091e9da9d39c3706f0d262a9a7b9d59736716a908c68804acdbc5cc4860a76cb67ef8fee4665337083ccf268ade938f16bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f97a8c21588485fbd1a96d45b677b83d
SHA1 e967d4ebe63eb88d2d07a77712531ed9f659b9a0
SHA256 39e03d12d58fe1e3e81a1fab48971dace680a2e97f112b74939d2a351a5f7b11
SHA512 6e082effed34e800f75638cb5311d83380438f0a81a47360ca17907c35da9b4303c52f57d39382f2aa8b77b649f2c909fce16a3d8c7763ba108dbeecef572b25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 361666607c06c44f2146c5a75da99cf7
SHA1 c504243d2e0891b09b2ba37ef9bea7645ee09b59
SHA256 f513c258f878f9a2a59721e1f5b663b4176f1c9fa32ae7657c2594b16e95e1bc
SHA512 a5dc68ec377981df12ff5572be1ffc0bbd817437419952b70026bc7633b2115a97b5267b508b93ea472704b1afa231fcf73eb538d173d6a11dc457415c3c1d04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ff4de3e425fe2676317216c8dc0e0b9
SHA1 87878e893b4df610ae58ad2647821eb850edd6a6
SHA256 2ca993ad88f5556ac1b606211de77ae4efab909163a6bddf65256cb284b1d3ca
SHA512 7863017296f1009bdfdf2aa6c461538a34d5bfb14495e2d96b00a689ff0b956092e271d9f0213f3964136e45122fba535a51137982d28b17c02452da8f3bde83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c7d07883f8c9b6b8833d5a60fefce24
SHA1 02fc2e9dc3fb5ed08bbf91cd2018a8de8c907982
SHA256 5fbd44c9be53b2a1e9ef1efcfc74cce41a3debe774c6a1a49f928065d8900877
SHA512 a985d176c34d7cd5022d1c16a34c2cd5980234eec02c731a471e2880b1fe3ae1429d5d361203481d80e3b4c39d6dc03211dae6055d639479d89ef04da14a2acd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d530603f27c6b386ea3222636b6669f
SHA1 01271df6b4b050033e3b812e2645d1ce7c45643c
SHA256 1daefb8a20cca726daa892a2808f2ea226cf8da33447aafcfc85661a0c3b9a2c
SHA512 cda21d2428fe7cd3d291c11c1133b7dcc89066f201bf67cf7d09b51b7e002761a49352a2e33c111ca2007feb6f686588b66d81a082c97eec373e6eddf428c506

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4945458ff86fcd1371fcb1e60413aa1
SHA1 3fdf51a5daa67588502de2a275dd86c5b5643262
SHA256 3a3f958eb25139be1f78ad4032439e12c39a543498892aa36d1262e6fef84a6a
SHA512 813a5eb7653c663ae7ef680576f64091f2672c0a6eacfd407d49e9aed2e477e89bc7018a428aec22c5537b20651b2eee1fa139ea287bb5a61619849115166218

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c27278ff9fdfd262bd312a559c7ec08
SHA1 a1f3a02b0944a6a0be5ddb1c3058260a51e59e9d
SHA256 f58d2e65d8df0f46e8bb8eb479714b8d00735777f1b80917b1f2f4d0c7a5720b
SHA512 4afe131893cdaeb5fbb930400cf35caa18cb2f4b560db383fab580163d6715bf5cb74403548f07a9e3fa7fdecb80cbe73f6a6c3e078216d9ac8fa9e3c19ca7b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96a9613d6fe3094f3ff19ee29c128e37
SHA1 2007b849dd3586e8e96d28378e5d936c4d3cc866
SHA256 fd3b488da317cfda5d44c26774b53b2edaba529263323d77fe7f989744c3b3bd
SHA512 ec33f651f7630cb8e5ef610ac4f42af9782c79a266b9ba69a37eab8b6107c1b3468135ebc5b5bfc3be5c8f9b04a6d539d418e8090abfa0d5a43f04e9f7a850cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1fe142fe0c14b2d83cc421315366156
SHA1 3ad35a24eab9a5b11268302f898c0f2017240bc3
SHA256 a7f4c38ed1f729e2c9726c6f02d0b4377e366ccaa403f822b05e696e85463470
SHA512 c06024cf8d897481dbcd92c278f904c305c8e26be5839839e13d03dd9bc90e08456f19ed7cd8e3b39c33a3ba474233535a461b50864328ddfcb6293cfad7714a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ffad4116374483ec13bfeb791f4a509
SHA1 da4cc33a903193212dea99b984bc2e4eda6a04c3
SHA256 56fb63d02d58fcf3183dbec44942cec4dc3f5af87e8484ae08ec0e471b81ae64
SHA512 53e0c909b9766977b90b36c82a4e0bbf7072df893ac8a9eb2bfc3a21c40d6da5cb1306ba494b9c57e5b8c4fe49848b8f74f821a8e24732f3056d761afae23ed8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e7f08c170ffbb59670454991f8dbd69
SHA1 72cd23601697a87750b484d8735bce89ecf656dc
SHA256 276d6f4cafc649f23a49e13399caf8830d90760a8c20ebbcae8260529f185ef0
SHA512 378d19439ce4cd806a5cadbe067c96e0c06a6d2c61a73d3c3331e576fab5feda967308084cf06fa34d64cd2f59ead22935a18835328e27982721e2b12a85e632

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fcfe95e709beb15a9f7c60b77f90c161
SHA1 408d76d5bb5a38ef28c30ce09bd5284f59aa8dd1
SHA256 22b2cd7c70d5e62a0366e5eb88fa99c9e9d3e83295cb6fbc33b91a1cad4e8e15
SHA512 33513e148f334e32a1062293cef9530cfbd908438af385edb5a7e680988507468bc95de799e05d2a5f00fe84bc54893917ee4359b4ba219acca4f056932ad4de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4328278965796f29a320f50e29084838
SHA1 6739e2d07472f1314303aa8b9e7b392d010287a5
SHA256 0a8146fbde0b9a148ef19727c35df6bae307293877836d976a2293b0783d29bd
SHA512 25ceadc7bf669d3344403218a19ee54b1fd0b45f6c6cd7878a4749f72784fbeaf950d0a3f7e84a7644f165b9018d4a94a8887630d799c606f9c9e5587a2d341d
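
The Files lists above are dominated by two kinds of write: the CryptnetUrlCache\MetaData entry, which is crypt32's on-disk cache of fetched certificate revocation and root-store data and is rewritten many times under one path with a different hash each time, and Cab*.tmp / Tar*.tmp scratch files in %TEMP%, which carry the same content in both runs (CabD79B.tmp and CabC035.tmp share SHA256 d015145d...). Both are produced by Windows itself once the browser makes a TLS connection and describe nothing about the sample; pushing them into a blocklist would match clean hosts. The following script is an added example, not tooling from the report's producer: it parses records in the layout used on this page, checks digest lengths, deduplicates by SHA256 across runs and drops OS noise by an allow-list of paths that is this example's own choice, not something the report states. The svc.exe record is constructed so that the filter has something to keep.

```python
"""Parse the Files section of a sandbox report into hash records, deduplicate
across runs by SHA256, and separate Windows' own certificate-cache writes
from files that could actually be indicators of the sample."""
import re

# Records copied from the two Files sections above (CabD79B.tmp from the
# earlier run, the rest from behavioral11); one CryptnetUrlCache path is
# written repeatedly with different content, so it appears twice.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\CabC035.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\CabD79B.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarC147.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e205801d5342aa4ed87d268d29b40e3
SHA1 1c92dddfd00738fcbeb7881d0a3d4aef0583dd6b
SHA256 24dd39974b78ff4d8e9b69504d5e3e2e20d0281f1503c3aefdd5bf5b9a485560
SHA512 0473a9491077ceace9a3592d2b0b718edce267eabffbdb0cc2c810f83496c24dfa8d6f291b8e6e0996beb1d3d4507ddf573e037556636413da9d7615f8e9a100

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7157cc58ee10d10741dd3103c4c8f3a6
SHA1 e6e5078aa3d05d9955c0c7ad0404d11c1d905b0c
SHA256 efd1910590653e8dba5d7be37c5ffe1d4ff9709b76b9adfbf7668a2bc1fd42f5
SHA512 49d7b95cc1f59b919a14d385fc8ec408e1d9eebf663c6cb52c8e3275d05b409299d16899c65e44016b5f48c81d217a16fdada33839b9c55cba979bcd3eae4bc4
"""

# Constructed record (not from the report) so the noise filter has a keeper.
CONSTRUCTED_DROP = "\n".join([
    r"C:\Users\Admin\AppData\Roaming\update\svc.exe", "",
    "MD5 " + "1" * 32, "SHA1 " + "1" * 40, "SHA256 " + "1" * 64, "SHA512 " + "1" * 128,
])

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Allow-list (this example's choice): crypt32's cache of fetched CRL/OCSP and
# root-store data, and the Cab/Tar scratch files left in %TEMP% by the same
# automatic certificate-store update. Written by the OS, not by the sample.
NOISE_RES = [
    re.compile(r"\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", re.I),
    re.compile(r"\\AppData\\Local\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I),
]


def parse_files(text):
    """One dict per record: {'path': ..., 'md5': ..., 'sha1': ..., ...}.
    A path line opens a record; the digest lines that follow attach to it."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            cur = {"path": line}
            records.append(cur)
        else:
            m = HASH_RE.match(line)
            if cur is not None and m:
                cur[m[1].lower()] = m[2].lower()
    return records


def malformed(records):
    """(path, algorithm) pairs whose digest is missing or of the wrong length."""
    return [(r["path"], alg) for r in records
            for alg, n in HASH_LEN.items() if len(r.get(alg, "")) != n]


def unique_by_sha256(records):
    """sha256 -> list of paths carrying that content, in report order."""
    seen = {}
    for r in records:
        if "sha256" in r:
            seen.setdefault(r["sha256"], []).append(r["path"])
    return seen


def is_os_noise(path):
    return any(p.search(path) for p in NOISE_RES)


def pivot_hashes(records):
    """Sorted SHA256s worth searching elsewhere: everything not matched as noise."""
    return sorted({r["sha256"] for r in records
                   if "sha256" in r and not is_os_noise(r["path"])})


if __name__ == "__main__":
    recs = parse_files(FILES_SECTION + "\n" + CONSTRUCTED_DROP)
    print("records:", len(recs), "distinct contents:", len(unique_by_sha256(recs)))
    print("malformed:", malformed(recs))
    print("pivot:", pivot_hashes(recs))
```

Run against the page's own records the pivot list is empty, which is the honest result for these Windows runs: the report's file writes are browser and certificate-store housekeeping, and the hashes to pivot on for this sample are the APK's, listed in the static analysis, not these.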

Analysis: behavioral5

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

134s

Max time network

139s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc63000000000200000000001066000000010000200000004348d9a0d54f116ccba327d03a8f049d7a0ad0a6d9ab21fc072671a704781c2a000000000e80000000020000200000001273a4892b368b83b2f9190b2a6afd53aea16313ba780b35cddc0f7d9056a76a20000000c53a43d8d4915d8bf3d77dcf33c90a344c7fa2a72016107dc338dbdfbbc79f1740000000d428609920f1dc0748b05a808d98d0423a096c5cdbdf1a1b256be3ce1be9e9979bb1cb841290e70f2222877e28f869e9c1006fb00ae7b5c8e668411a638a3ffa C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532587" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fba0d9fcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{04F2CB21-46F0-11EE-99CD-FA28F6AD3DBC} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 1856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 1856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 1856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 1856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1856 wrote to memory of 1976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1856 wrote to memory of 1976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1856 wrote to memory of 1976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1856 wrote to memory of 1976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1500 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1500 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1500 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1500 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarC1D1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f173c80d200a7ff4d4d792d3abe7962
SHA1 ddfa5e2511892dd51f750dbb25e64494536f113e
SHA256 97bba31adba1362e7ed05c1bd52001a54ea16747bb0c6ec207a80a8a77c13c45
SHA512 25b24dc35c04d5915424c7ed245a07353e544328a34f2e38a85d95c50768720a4e6c264cdfad8936e1c31bd90e3f45b42d94921a439b7da85f4527a657ef880b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2110d775fffe43fed5bbc6db7ea57036
SHA1 b46c0109ae191ac7a69bfd0278942a2cb46e41f1
SHA256 4e02d092dad77834311fce28899a0000e81ac4f1c234c781266e535743720c06
SHA512 34901b843706bc2e7712100f82e6f562922ee3a65be437b1062806327506744d61348f78a54a63185f4af611d9600f2126baaa89c718fb7a8612b5cc63563bd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c693a33a1127a9cdc7ecbe3be401b23
SHA1 2f6246b195499c4544a2e6869477bf51a9043a2d
SHA256 b4786001473ce24b65e43e88ce56dd681ff3050951a804b04fb56dbc83fdd326
SHA512 bea37b612fbf751f02165aa2b2aa45cd0f5efe12c646767c1b9cb7f34fd6cdd5346b111c3266374788ee6135810ee9677ad41a2e46dfb3a9dd395e4601044c4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 507f775b3f39f213d12a036b37612b17
SHA1 db6c69265f21c2826a83e158eddba91be3118ee5
SHA256 e8a9ab3eab3d78c75641bb385d9661f20c2a1a891d68ca2b5e75e20b84b5220f
SHA512 9d966b1caa7813af94e205380b3302f2a4b78d54433a6fe88772e6f97273930dfad9d23d2014b44a87ded0aae57eb6c45429e83dcf848bb35d98b91a799c7d91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6cd1837c2e7bf79bdb7765a54cfea17
SHA1 4626b52bdf4d3088a57a53e394906f27ee108c02
SHA256 20e3162839d8ea4ed6fd9a1c5a83ddd6bf09521efa6d4642012df8546932620c
SHA512 b99e9c3b98fce77249cbd246b3cdafcb49bda51e89fd735a010f97ee971eaa8924377bbc4277dbcdbf6df7cc9c050da0ad7919959748b0193955caa67ef0f1ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d39f59f17764b4dc53fc5b900b8020d2
SHA1 f2e20a716a302440132adb38400d0cffba0ab61f
SHA256 f2b14035f27ccad259d94bcedb8926cd22768375b012d40993b6691a591d9e7d
SHA512 b86b885e3c5d494476990b318cee018cdcc6607304fe0a86aae5df4ef01e99d5ab0a9af8b6b6374664d8942bef783ca74999eb561d9a5b21a2fba6ef64499b3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6f8c839764e3135738a333358757993
SHA1 feac617e58066c1d12024e7d76622ebb45d52cc1
SHA256 c5493a35bf77ce64a248f8865e2a0f15f49b31eef25fdd832a443cbaa39f740b
SHA512 9387f88fb5426e13ba8e6024d3532880ed3140aa322159fe13f7550887480ac5b47f8848deba111a12c2b2ebd3ea776f3e53e1a432d60b178898ca8eb3eeba6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c62f47a32c06378d50c4a73daf9aa17
SHA1 9ae7d9aba83cbcd8718f751cf7770c69b828daa2
SHA256 45e343f5a8085ad1cf4ea2f886f34d95c39709db7b22f7896c5e55ec98c2671e
SHA512 8baf7b20436c144fc85402d884ec637ec34ae6ebb14fb99c53d71888e22935b4907f7f1c640223c18b20cfcb7e07d20cc907a28816c5feb5b2b304640284e599

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3d13378ac7e9d684c4e6be9f4fb5208
SHA1 ed595bb257d916abfeb87e88b6fa61df6bdaabe5
SHA256 004efad978061d3a41389c934d77b9e0afbc44acfd05381532c34760d604b0b6
SHA512 182bca9fd5add611347d67478a03f75ad89843526f44da2c754e0c9460c5507b6e9bd0c2eb89a8b57e7112235cb2949226391069d523e125d11af36579911568

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2caf13bf6b10c2d6864955b33907268e
SHA1 b70b759d7382a19a444eeba2bb5e5897fb848d77
SHA256 fa1925f210c2ff27b335fcffaf1dc83ad5024ff5e37338a7a2b3abb69ea57743
SHA512 311f258d22dc4a3160d628ddb84a07f64f66d8ea1237970a44c0a23d96b253e82eaac2bfb43e86707c3116a2be926a7742903aee7e28b91ccef8c1528057520b

Analysis: behavioral24

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230824-en

Max time kernel

134s

Max time network

143s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06FB3D81-46F0-11EE-9ADF-5AD8E9EE121A} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503b76dcfcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007527a1bfe6a818429fcd5676e9b72b2700000000020000000000106600000001000020000000320bc8a96cd42704e3cca61ca2a7c97ad043b5029fa5d5d74bfa8c8323f27c0d000000000e800000000200002000000056a2a4188fd7a074bffb7848b7df920764e6f4e95bae10dc1f9eee365f40277320000000258b7f8de9077a11a57f61c8c097c51fd61f99e0a0e2fef121598341653e62b140000000599fbd1fa3a0e792904df5fbed663806aaed5a8304e429e8a167d01d3fbc1b362118fc167d2e72d778a3614dcf22efa1097182b03a6e11f3ec8bfabe3ac284d4 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532591" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 108 wrote to memory of 2348 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 108 wrote to memory of 2348 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 108 wrote to memory of 2348 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 108 wrote to memory of 2348 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
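
The memory-write table and process list above show the same four-process chain as the preceding analysis (there with PIDs 1716 -> 1856 -> 1976 -> 1500): MSOXMLED.EXE opens an XML file and starts iexplore.exe -nohome, which starts a second IEXPLORE.EXE -nohome, which in turn starts the tab process whose command line carries the frame's PID in SCODEF:. Every "wrote to memory" row in this run is a parent writing into the child it has just launched, and that is what Internet Explorer's multi-process start-up looks like, so the rows worth escalating are the ones that do not fit it. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses the rows exactly as printed above, rebuilds the chain, collapses the repeated rows into counts, and labels each parent-to-child edge as one of the two expected IE launch shapes or as "unexpected". The PID-to-command-line pairing, the allow-list of launcher images, and the final input row (a tab process writing into explorer.exe) are assumptions and constructed input, not data from the report.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table for
# behavioral24. Each row appears four times there; the sandbox logs one row per
# write, so the repeats are kept as counts rather than collapsed.
_R1 = r"PID 108 wrote to memory of 2348 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe"
_R2 = r"PID 2348 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE"
_R3 = r"PID 2384 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
REPORT_ROWS = [_R1] * 4 + [_R2] * 4 + [_R3] * 4

# Command lines from the report's "Processes" list, keyed by the PIDs the
# memory-write table gives for those images (assumed pairing; SCODEF:2384 on the
# tab process names the frame PID, which pins the last two).
REPORT_CMDLINES = {
    108: r'"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"',
    2348: r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome',
    2384: r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome',
    2736: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2',
}

# Constructed row, NOT from the report: a tab process writing into explorer.exe,
# which no IE launch pattern explains. Used only to exercise the negative path.
CONSTRUCTED_ROW = r"PID 2736 wrote to memory of 4100 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\explorer.exe"

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")
LAUNCHERS = {"msoxmled.exe", "iexplore.exe"}  # assumed: images allowed to start iexplore -nohome


def parse_rows(rows):
    """Parse 'PID A wrote to memory of B N/A <src image> <dst image>' rows into a
    Counter keyed by (src_pid, dst_pid, src_image, dst_image)."""
    writes = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        writes[(int(src), int(dst), src_img, dst_img)] += 1
    return writes


def process_chain(writes):
    """Rebuild the launch chain root-first from first-writer relationships, e.g.
    ['MSOXMLED.EXE(108)', 'iexplore.exe(2348)', ...]. Follows one child per parent."""
    parent, children, images = {}, {}, {}
    for src, dst, src_img, dst_img in writes:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in parent:
            parent[dst] = src
            children.setdefault(src, dst)
    root = next(pid for pid in images if pid not in parent)
    chain, pid = [], root
    while pid is not None:
        chain.append(f"{PureWindowsPath(images[pid]).name}({pid})")
        pid = children.get(pid)
    return chain


def classify_write(src_pid, dst_pid, src_img, dst_img, cmdlines):
    """Label one cross-process write against the two shapes a normal IE launch
    produces in this sandbox; anything else is 'unexpected' and worth a look."""
    src_name = PureWindowsPath(src_img).name.lower()
    dst_name = PureWindowsPath(dst_img).name.lower()
    dst_cmd = cmdlines.get(dst_pid, "")
    # Frame process -> tab process: the tab is handed the frame's PID via SCODEF.
    if src_name == dst_name == "iexplore.exe" and f"SCODEF:{src_pid} " in dst_cmd:
        return "ie-frame-to-tab"
    # A launcher starting a top-level browser instance ("-nohome").
    if dst_name == "iexplore.exe" and "-nohome" in dst_cmd and src_name in LAUNCHERS:
        return "launcher-to-ie"
    return "unexpected"


def triage(rows, cmdlines):
    """Collapse repeated rows into one finding per (src, dst) pair, with the
    write count and a verdict, in the order the report lists them."""
    findings = []
    for (src, dst, src_img, dst_img), n in parse_rows(rows).items():
        findings.append({
            "src": src, "dst": dst, "count": n,
            "edge": f"{PureWindowsPath(src_img).name} -> {PureWindowsPath(dst_img).name}",
            "verdict": classify_write(src, dst, src_img, dst_img, cmdlines),
        })
    return findings


if __name__ == "__main__":
    print(" -> ".join(process_chain(parse_rows(REPORT_ROWS))))
    for f in triage(REPORT_ROWS + [CONSTRUCTED_ROW], REPORT_CMDLINES):
        print(f"{f['edge']:<40} x{f['count']}  {f['verdict']}")
```

Run as a script it prints the chain and one line per edge; the three edges from the report come back as launcher-to-ie, launcher-to-ie and ie-frame-to-tab with four writes each, and only the constructed explorer.exe row is reported as unexpected. To apply it to the preceding analysis, feed the rows for PIDs 1716, 1856, 1976 and 1500 together with that run's command lines (its tab process carries SCODEF:1976).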

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab21D5.tmp

MD5 e56ec378251cd65923ad88c1e14d0b6e
SHA1 7f5d986e0a34dd81487f6439fb0446ffa52a712e
SHA256 32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0
SHA512 2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar2401.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ce591fb31e91193dc996551eb05854a
SHA1 fd4e3bd443497d4de4292709769d7df45bf9d888
SHA256 e64ee963a2aac59141445800abbbfc7df43280e5bc0d9b72df0dfae87003cb90
SHA512 06480de9902132b424080406876b1c60ea83edbdb0b5e80d81e5805bff62613d3d14344c039ba07e54ea0951f405998a0de5f7988156b7c6128d68b1267e683d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1c1b274db24501973f4624a248144d4
SHA1 1caf9ba7665b33b6eb9ab08659c46daf595f78c8
SHA256 22845d119a884921bdd355eca43d0f1760f06cbdbafeea4d8d8f450b2b6e0665
SHA512 e0ad2618f59f3a2734bd0be12a07a27c120a0768a3c8ee51e5a2dc9594600d6ec768eee4245d8974f2068c7e61b5e7c6044f2671ee3b3baebfd26cce1081b3c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c53425ae5ef7ffaaeaaa8b5c311de52
SHA1 a432190588a84dc8306e12db7b27d68f7f39015d
SHA256 145a0e0f4ec6a60a17070c6d60c2e331bb05e087f2875dab6307d85afd3baa46
SHA512 e9d9f379c0e446996437bf2dbdee686975005a88a746630356746222d48beedf55f581ed60623025ade8b9510ab4b481ff9e764aae8ae9221c21890b23132019

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e10dcd79aff47bdb0aedd70e4f5d1bd
SHA1 af5cf7bf70e18ed697f0302d9a1bb8d0731e0342
SHA256 358ce1b87ed990f5b22e1060dcc64728656c174b1cb14b754b4e78df4b143290
SHA512 988c4eb12f9f013e38e3a22cd2109c548e79f9055d7df0f5d1de7eaeb3f2d5bbb82d047a3048dd1e571d0a0c8e00ede698528b8b8f998da38bebf5809e2cae61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe351c778d1fedc294b5d643dada5e72
SHA1 ca03914166afec897052ad874777f9fa198fe385
SHA256 dd85b1c2356449f296d6a49b0497911d82f9a9ab7f49b0b9c3facd7b2411ee1c
SHA512 5b081969d37a4699fe48c19528e47142095d6526688092df46240a0407228caabdf477a7dc26149c93e94b11bdf2d2e57aa826b917657275668876326ed9a231

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 387087cc02030ff45dac091ef147a14f
SHA1 97ef517740a7aae410bd6444a0cdb2b24b2ac3b8
SHA256 187b0551af418bd3e35cd337d60db5901f006a9d392d4e41d26590b785a9e6e8
SHA512 308d2f6d2085aed92ef8a7761d940eece098436cc8ec5792e3d8aac1b59b598f8bce054b7e9eb1a6ea2ac6bd612a381279ea81d75cffdcf88c2f7ac9e7dc43a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80ff49abd4cc99d1730cfc7faf2bc279
SHA1 7f4c49226be31e69602cd0dbb3067c9d28a406b5
SHA256 085aa8001bc70dee27b35e1d97d92b1edf46cf36d2e982de27543feb28e9efd3
SHA512 ddaccd6bd4ccf838c37db15ac41b331a8c549738eab5b6f3516437aa4b38ca8a1eb93de9f7a8d03b167dd1276b5613892210ae7fd5ac283edcca1f1233a6d474

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a95b3cda588e1fe406b330695fa53275
SHA1 b6979fc5d7c051fa88d06b4892e5abe80cf22a96
SHA256 404e7d284106c722f9715ebde3ee90548451a7cb4df3a72f59c9d31f73496dab
SHA512 2bec74853ad01b1e637347ebc78b7d8e4eebe42f7a72da636a236dcb9178d80180aa04e715e5a011b90b191ff1eacc58eda5ece5d9db054c91c892377f9794d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8d6c80cc8598b96d45781aef6d0b543
SHA1 f332bdfda6cd87487608ad0abf495fecf6c84c41
SHA256 0b3442cbeaf410a9375b7276c50f6f72e75004ece59d58cdd71cfacb23f59ed8
SHA512 006e3f5e7ba31318eb42ab7ea817dacde445f68ea8ec7322eaadc0b03b1f768eca5fbc1278caa8480f0a3d447b151908ae88adfa71d27247e56f4d1925b60ac7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7e1612cda44c527fd6fe67cdf162ef5
SHA1 7c1a736d8c4fd3be21aa9ec197ca1a2d1e7160b4
SHA256 54f212dc329ade1da93a3812e3570a1a1bb6d4caacd691ad0fc4a24b28101782
SHA512 ebfabe053f2065a591a980fb9bd644b71746ef63ff21508f629aeed18e4f9b7348964e84d7db680377707f4cbcda3b85f1b4577f3e18bdba28b6cb6f0a997c01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7dc0e1811fdf26d28394399ddaeddb0
SHA1 1b02c6562c294e6e10958ca9f91070679d6e9324
SHA256 193e8fc921b9cc4e95cac6b8fab204902780a2b1db37c965b0053a930a1ad117
SHA512 f02b601d32f23346389e31cab0d4cffce5aa7c7db77766d5a250ff37ce615a14dd09faf8ba3e6bc987f10726394355e24a31256524fa00137fddd53af1e32518

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ddcccb0261525290c7fad18aecf8458
SHA1 7f99df0dc51572255892d7f9475807aa5ea821b4
SHA256 b92376283cd7bdeec9c96f930b31eb4aa9287ebd006403803becf68fc7ce55c3
SHA512 134f869acb81859d77cc03f6dd62f37628e5a514763c064cef8dca6a1ffce161f18cf98c683aad1ecc0a92d3eabd480a5d8c540bb6d789f65f6558996dbbc9f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fb3502fbdb948f3875147df4f6098fc
SHA1 bc2c1bd97da2740fac84b526111cd5bf79e417e6
SHA256 1043d5504178da2a358bc41cf77e00e52553a425518c33764e49e2f880aec4ca
SHA512 a889708467e6a4ed9ea67dc1d645f3343b21a22588a9b366e1152a3843d47bf59e93f7dedfb4daaecc5f57368cecf8cef4db29e44a9d59be55be1a4c3a912e5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c94e14ac66d867e0955308cc574204e
SHA1 4e96d66ce32ce7117fde5ab5a3f7f2099c2ebf5a
SHA256 056cc46377dca1530713b54889aa7784165155f7cc2c7de01975a7e24c306196
SHA512 945a9ebb87d05a019bf77e86baa2e422dcae1bab5640f834f3f16822f497ad05348f5f0aaa0ae166c6c9d0a27480dbc519fc08adbc629f62f7bbb52e484a02fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e367392999aff1c930262e7736b6c599
SHA1 9badff23ae4c1a32da2db5b2a071694c0029263b
SHA256 85c1fba0573773ebbfa556527d75980349565b29c929773d2a31f2a30f1435cf
SHA512 a096375c538f6798cc56d572217fbe424b968d4367b2547a398ad2729c2bdae3a1a39fc63ea494cb4ca218258861c98088bd8ab0c69aaf96c163efecc3575b10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a3e173671e8151277fe5f929d75835b
SHA1 133adf32f798fa8d429e0f214362332dde68a1ce
SHA256 3c3e86604ec4af51ab3824fd7ea27ae88ccd3c05878532a6272150ab1f61cf5a
SHA512 c8e319462549ad299309c07be0ee382e4035676b2ced5c5bcd07d214a78b086cd5e5f854b366f77b1bceb0ae086d46cca5dcd080c884c3173d6df371a5f022fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb61a2940c66f517c52580699495404b
SHA1 e1b2fdca1d6350ac0769884d9d8249dfa5a6b54e
SHA256 de90eadf9a326d91925ddd9c791057ac2bda5a17e854335681113d2a325fd9cd
SHA512 7247464a34256ccd3d69691c03f32fa20485f16c2dfc43f191e06dde9483e2e640e44b8ebd4d96e6b97a20ea55639ef9e8fe53fc58605936a3ddaf811947e58f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21b88f6a01dcbc663509f661b0a62fc7
SHA1 f68a3f6ad008cb4c8b8f4b504533a49640723118
SHA256 2b6a6e17f1136a36f0142b8584921b0f867e5076d427fb5852fa8e4bf036a9e0
SHA512 11d6f557b6386aec03e1bd17f8193f41c3e2a95202e16a6f988569cd65fbc909deebb772627362971552ead141d35e27a78aa64c2b33d3fb842d10d62fbe557b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5db4c353d651c4da9dac96f6a64f6784
SHA1 80f3095667ab49fa41c1d36dafe29fbc6a2ccffb
SHA256 c92bca4cd44dd7d9be3b260b9f2ef5964ff55556088c4bba5ebd2963bbdd2fc8
SHA512 aa4e083fccf5f70a1d2f0e3238088750af7b79a7716cd42d62a03263a8428b16233c506ef897dd3190482cbc2970dfa0c16214d5ac431a30a574165f4e083b19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6911f624a7d1e9e16e2f0ccf01bdf35
SHA1 9d1ce36abbf17b8619be86829f0bf12e5f997f59
SHA256 ea36b3888988d01b25ec96469933b4a2ad4181054da82eaf39ec61011572739c
SHA512 43bfa9a0f4f94ba0b7dbfd77466a7321efaedb9ffeba820f569de191d07ed07e42d0f27861600c252077f7dcc1b940aef5f20ea9d45ea29f2f2bb3ebc8f1e1c4

Analysis: behavioral19

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:45

Platform

debian9-mipsel-20221111-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

4s

Max time network

102s

Command Line

[/tmp/l3ce7c8df_x86.so]

Signatures

N/A

Processes

/tmp/l3ce7c8df_x86.so

[/tmp/l3ce7c8df_x86.so]

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

133s

Max time network

158s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 3876 -ip 3876

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3876 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/3876-1-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

memory/3876-0-0x00007FFA10030000-0x00007FFA10040000-memory.dmp

memory/3876-2-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

memory/3876-3-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

memory/3876-4-0x00007FFA4D8E0000-0x00007FFA4DBA9000-memory.dmp

memory/3876-5-0x00007FFA10030000-0x00007FFA10040000-memory.dmp

memory/3876-6-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 4440 -ip 4440

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4440 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/4440-1-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp

memory/4440-0-0x00007FFF6E8F0000-0x00007FFF6E900000-memory.dmp

memory/4440-2-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp

memory/4440-3-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp

memory/4440-4-0x00007FFFAC050000-0x00007FFFAC319000-memory.dmp

memory/4440-5-0x00007FFF6E8F0000-0x00007FFF6E900000-memory.dmp

memory/4440-6-0x00007FFFAE870000-0x00007FFFAEA65000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:45

Platform

ubuntu1804-amd64-20230621-en

Max time kernel

3s

Command Line

[/tmp/l3ce7c8df_a64.so]

Signatures

N/A

Processes

/tmp/l3ce7c8df_a64.so

[/tmp/l3ce7c8df_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

136s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 1268 -ip 1268

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1268 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/1268-0-0x00007FFCFE7D0000-0x00007FFCFE7E0000-memory.dmp

memory/1268-1-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/1268-2-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/1268-3-0x00007FFD3C4A0000-0x00007FFD3C769000-memory.dmp

memory/1268-4-0x00007FFCFE7D0000-0x00007FFCFE7E0000-memory.dmp

memory/1268-5-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:45

Platform

debian9-armhf-20221125-en

Max time kernel

15s

Command Line

[/tmp/l3ce7c8df_a64.so]

Signatures

N/A

Processes

/tmp/l3ce7c8df_a64.so

[/tmp/l3ce7c8df_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

138s

Max time network

139s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532585" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03B37521-46F0-11EE-ADF5-F2F391FB7C16} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000085916827662d447919c1e3591da1a932c8b9798dc949386e47311069279ae555000000000e800000000200002000000091f5900e69738fd48791ee0aaa76d5e8b157603c9cb1ba66849dac9fe1f4471220000000054cf22b24c972707910069b10ee5ee05bd5034ddd9099b47e0bfd38aeb3b9c640000000bd8c058c295459f2933151f2d4549789061dba49dbebf1b2d453344efadbfe4a7544daab4871194e68548a7b9808f20434e90bfdc428ca9701906be993f28d22 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a032b0d8fcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2804 wrote to memory of 2488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarB39E.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f1341a8c40929c7f52029a6816c77f3
SHA1 8259068b6496adcae274126b0138b9faa07f7a14
SHA256 312d7da8963c19551aea063a14ab148e25f3d56b5c3d84d2ac3716ead1dcfee7
SHA512 0a9ee1731945e344badfbf9050fa6b859586464ccda7affb7d9b7f5c02a2d4ad499a41dcf92f52f6bd98830dbf75c7156e10f8294f9a12fbcdf356bbbf9e3995

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99ee9f91eaeaa90e158295908bd2aaf9
SHA1 763df7de35bb5110dbbd5d15d862a9b68e9f13ae
SHA256 7c2c3fd8085b33b9fb6c09f6d68afdda9f27194fc8ffc0fc9b68b07364425611
SHA512 17d6bc3df25ee5ecad38a4a7ddc95635949b0ce16e2db7bc28a93499de67c56a9b28a86db1de1aae9b32cfb89953d22c3b0ccf185a1522e1237733069bd50545

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5eb0d814e2d502c10889a5de98804aa5
SHA1 fd049906451e7715fb3ccb40784c2a04d6818deb
SHA256 bd4f7f9a2331fa0bdbd129eda7871fec8df92110fe9002c531a943c1a7f973c2
SHA512 58c252e0277ac4c37d0583921681f146de865e0975d6228ee23286865ac00902f6af07a5bfc9f0625fb4c5c20f193200a146561369c1166ea5ef103ef680518f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca5454be1e60ec029558130f04719751
SHA1 c63c074e0f4ce11b0df3b5255ef6f9a3c972f8cb
SHA256 e4c708c2fbe32e005fa854c922526ba1cd172928df13ed955fd181e4316acd5e
SHA512 78831e15fe8c729d453838bf77b6e834e653a05c7cfa94934006437c011f6ac5eac37289688b2a416f1e3bcd5ed6ed5e31ebe23e30af9a2fce07ff98cba239ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64a3c08d32265f69ed9f253a86f84b77
SHA1 bac4e846a9195c476505b7d4f2123e12ed1ed30f
SHA256 aaa610624e654203f6fa8be1ff408679d56db29d41223669787835e8c1679856
SHA512 1db8d2985fa6debd1bfd696e2cf68c226d66a9c43e2441b27fa265df90f5ba742bc190145ee2bb8dc714e58ca6dbbb775628cfe167083bcef9c7e43258282e06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 910586d74b60dd3ac2f6d2cc4143da1b
SHA1 8d5c2f0f32769c75ad4f5635f2282f15c8640f40
SHA256 4dc8f8baf9b28483618028dfcc2d119508ddc18bffd27f6f0319470872c16b3f
SHA512 ab747a8f7a10ec1fbd8c0074b709b894daec6fee071b47d5333416bfc9510c30e2ba5271a33f6160f3ced780ac3caec93120bad6787422ae0c65629ffd14235c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eea55acf29846b36f019cc4eebb792e6
SHA1 0770e828954de550f44d2c64500b117dead273a4
SHA256 86b86a2e57ba7476923852fe46115182a313f99731c22987cb84d25dec202cd3
SHA512 5cae5f6a3172859841a0c2adb2deaa83415878f4db517b761393dea46cde1a171b6afbe12ed0feaac8e5bf49be53c4a6988cf9d0bffcef631cb3ab2a215b470d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07417fbb43d0534c9d4f5077845b6842
SHA1 1d6d582da6492f595a33f627625d489e0513ba13
SHA256 2007c24f49665f7d5052f6372e7e0fbcd0af68351b6c5bd1be7bbbc96614631a
SHA512 c47d2a7544a5d10086a3314b3d94e9344fee64684779ba71cdb35680e9845f25e65543366d1f6d45ef154400a5e03fc213139c6bbd8923fa6795cbe699b3854c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ce6c922699361f4c22e448f7fce993c
SHA1 feffbc7cf6ba5f664c59222c861bd8ebadeec3c9
SHA256 e532918448ecfc88f64a2f5ad19a0f70f26a93e58a6b60ebe068e3fc85d9481b
SHA512 b12884545c24fb8755eca4b593a4ccca69a64278bb1896536704f36d684cc78d6c5b5b13d1c8b95901167f8f91716a9863112b9ab955e468e2ea1e924faa4176

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22bb77ed23dd60081be28f4f9b562d6e
SHA1 8f78a9063bf9ce9a8c8644af50ea5f45994b7607
SHA256 0b9332ea53dc6df8e593e764bd48c33e07bb575421de48439badbdf2dab6de86
SHA512 3728acb0e0c1db7ca6669e60e8e29274c422a642b6be7e52b1e5c717d079883c2bf8a9ae961b7c44d1e66f934962def16dc42fc8b0c6a664906e8a6670d4e12e

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

134s

Max time network

162s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{067B6EC1-46F0-11EE-B530-E23FD76D3CC4} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000031da6d2dc3a5ba7e79a11ddab8969623ccb74cc563f8ffde44dbafe5d1863aa9000000000e8000000002000020000000a4e5fdffe8ce0d1b08b49cfe18d53d0ad1cb04b406d315fac2eacb857519e75120000000c230bde49929f68b744e1d1992528eb72019914baa0a12a8ec6a62777e0a1f5f40000000dd3c91ca52c2dcfb8ae78ff18a4b610bc9b84e0d1feba453f69075f96c39d5f47abbc4307574aac0d57308865e04cf21b87a9cf5927b92fdf931e5eed2d65713 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04646dbfcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532610" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000b23504ca72ede8cf93f51a5f355caef518c89bbe98dc8c80593f5a899de147e7000000000e80000000020000200000008309a27ca229314c3d702682ba100f70a4b643e3f26c1a2818f6c8f65f18d58f900000005902b60f709f644f87e727ce5a2696cd7ce7dff579c9d9bc9b25e155823aade494b27fed130860fe31de9bc54453a247057ffed73a40e852008dc7247863fbff6592144700c7baed8e41e1330ecee3fea4b8ba136bfff460bda1583c40e37988788a04cf2dfa3427989ccbd3576f875e14c298a2749eee6ed913e5d986a61d3291aefa8c8ac0e6796e3e3991c4b5facb400000008a2bf416a2a13341679a040eb5cddf874eab7d70d903da7003249f0c7d4755e636f3abb48a00d8f695b4aeee3dd7564b2e9e7eeaef944e55e109c46ab4c8bd67 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 3040 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 3040 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 3040 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 3040 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 3048 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 3048 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 3048 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 3048 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarBD10.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Analysis: behavioral9

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b09aaedafcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532589" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05BDB471-46F0-11EE-AAA1-4E44D8A05677} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000db7b00fd87e1091a10047cd21ad7ab375c115952152d2528fafc4b1d992a7c17000000000e8000000002000020000000daecad96dc92868e3127c97040319cacdc213619bce069842200a9e2e0d8898e20000000e824cd0b62d610b3ecb4fe831156d0b2629ed75078679c36e3bc2978c3b82a164000000091e1da696f268358714b44f8204c69a97d10ae6cf9d7fb807bf5a7654ce451826f3d8aebde57fb2fb8953085afbe905e0d5bf5f8050d5e334086704618566f95 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2808 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2808 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2808 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabAE5A.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarAFAA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b38b40d57afe7ce598154d7eca894703
SHA1 f55c62f2304eba605d1506654a13ab8ae88ce585
SHA256 b44bf1cf6c917e126e76650ba90bbe124b7acd84a04e19c15db5259fb510ed7f
SHA512 a4d620f7d1194c7acbe0e7d85cedb8d783b78c7a45e500039c4c32759dbc1350d868bb102e4c3fa36062906b1d27c67856ae7dc4c99cd0cff9c2a18eb3ee2107

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 940c66b2e9042631175946640643c1a2
SHA1 04317fc7824eaa2161a4d39890000bf70025007d
SHA256 938cd526dd4f8ef030766a01e3e5817bdd1e7ee597041ecd12448f35f935646c
SHA512 e255340aff0b02587f8cbb661ce7571cc9b1a075493e7a40fdbc60d1b4bc07f615f1eba62966a13fe572c947c6167181284d69c1fbd605356a3220823af85513

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73ee9f3f93843d725b9725b7196e79a9
SHA1 32adaf6f79319fb0e89a46b6bf38b86efd3242fa
SHA256 26cd5a6f5b5608eb717e6c0b7ca4234e192ab95434a31b863fad537227d6b342
SHA512 1fc9b2b75e17ffef53fa091848112f29ca04103fb3e49a185c4a9ccd7e70cc4a704d59fc6c79c79a3a113c1265f393f1026f257254f7cd42b59f7df36aa0fb1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 653b9049ce4112638fc1990e63257e67
SHA1 ac492687c400910f5afee0879e3fa6b7aaff76f1
SHA256 c087b207089d8551edcdd3f962f43bb6db7ee3c0fb4a519526fd0456d0cfadd0
SHA512 f1bcc770f2ef89efd8deceb0818b1f477738b08b8fce5695e014dc9195f1f801d27135051fa20f21a033b849c005c6490b500628fab0216de5f3f9c905180893

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37c41392a71a78bcbea243b72d8d4022
SHA1 a1d803999c9f7dc83f3aeb3b8310a7b393abfabe
SHA256 3a53a61c21d8cdbd2ee7f02af463170b2f2a8089689451c052f370b525da56c8
SHA512 63c192c0190e377772bad411212dd40eb913bb379de6eab8dbb079e32ba6be9ff4c8d7fa3f8c8f252312d98bc0e0cdb6383da08920d55629721d52405f4cb1cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f51d318fc0c41a8a0b14e4239184a2d
SHA1 751e5d41003b5e2a0c595d582af63bda282da27c
SHA256 d2290aa6cc937370652c6592e1044dbf1c74aef132b8ee15d6035bd112cdca49
SHA512 7d9816c062bc884d949b1cec876b24408d56b0714efe5a2a17d9af962949eb854aaa28e848cb9d6cf60a9becae8ccb20347616cdc192945b842fc23ddc5e69ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94dcea67e553851d2c2c07d5364f947d
SHA1 2c544603311e4f61163340b807b98e084ae4be97
SHA256 ff0c5bd9bd8c12647746575eb81b99423dc043d43f65baa8da63613c5b1e65d4
SHA512 96f7a543db4a3e2c56898f0653052def4bd3a44ee61b941972505a46ce012fc11b3971a55f36f4ba769d45308f6d347981d3165f886c2f403816e20cc849a1bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc036e13d033d18fa8f0211d0c1dc7e3
SHA1 1cf9421c8e36849e73006c2a56c0c07093ff35e1
SHA256 3d0094e9061a1e68ad26b0ee84fba96e4182623ad7c84fd8c4a6c17923d5a089
SHA512 a36ec7ce736b62b89e82f0567273945f11c11aa6bb37fbdaafc3c8d278a79f57ff6ff4848e969b3104186a6696cfff879e85c36fc0608f7c30620a019e73b03e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db0e49824a6239920d8c26c473581e30
SHA1 a5c1ade817d97ec48c32002348f95bca5f83ce0f
SHA256 939129b9dc69a16d00c87f0eadfcf7f567627d3934f814755ff23f805016061f
SHA512 3b8d535353fa0720f6c91ce386a54feaf69bb1b3560f7cd286992cf8eb0fdd9cfc61551c4ae7c9d3519678a4d07dcbaeb4f0a14bfb4afce1867001dc81a64ed8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ba1440e8410622bb66fd7d43af1f166
SHA1 2b92296206f2ef1e39940af211eca47b3d4466d0
SHA256 f9ea97f41a013d0e0c2287821cba945e74b0c8d81e0e21037d2e3e346e2c3eb6
SHA512 4c5a4e0233be34a8495e8d291d61fd4cacdd7e6a02616ad656914703f7f9c367b1f851189560039891b911f3ed2b5f2c5937da38d2f407a9e5c3e7a032b98b57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eca12f8a4944000bcb0c9af560382a7a
SHA1 827dd4ac1a352ba934b34a96d2394f1a78ad43a5
SHA256 325a27609a2f75441cc21011db23011697cefaac65ca6019730a4238b8dfbad7
SHA512 1da08a222cc68790b8570ad2a4c243d0275ad788b68c87bd6a661650e3bad5c3505a2d12a5c3c7d29558a6ea43b9e2a41ea53cb46feb349a230fa581273e94e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67e0ebc8c6596e56daa6002e309f6e49
SHA1 4e8f9072d064aeb55810d1b1a6bd240b1f316201
SHA256 3abb766a9cf8594124652930c6b6f20c55e1d2402854d6f2d58c0e05e0d2a986
SHA512 575607adff2503d5c0103fc1fa9f1c7c29b4f9c1bc4577d62778ec47feab77140a738817f1d4dcbf2d9a5b59e09b6e57c73530bde420719106bc81e2adced2f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6a5ee113772db942141e26c43822fbf
SHA1 bddd69d821409d7c72a1de4b91ccff74317c77c8
SHA256 c723c9e3f3798c81dbd12d52fb2bb40b58c7790e5cd2f22280e1d85c422f79b2
SHA512 672092fa1c987db0693a7c84184056d31e4e233ac37654163df56f9f7be6d50b4ab46108c240426ce01a16af4793ca7c9b33bc64cd9e2acb383dbd842750102f

Analysis: behavioral12

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 4148 -ip 4148

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4148 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/4148-1-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp

memory/4148-0-0x00007FF8DD770000-0x00007FF8DD780000-memory.dmp

memory/4148-2-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp

memory/4148-3-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp

memory/4148-4-0x00007FF91AE10000-0x00007FF91B0D9000-memory.dmp

memory/4148-5-0x00007FF8DD770000-0x00007FF8DD780000-memory.dmp

memory/4148-6-0x00007FF91D6F0000-0x00007FF91D8E5000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

win7-20230712-en

Max time kernel

134s

Max time network

138s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000008605f410ae35d6d12520a8cd6a4fd781d7161bd2b83c57362c3ab9e44529619f000000000e8000000002000020000000855fe5adb365ddf56392918cfcaa88c295a9b8fdbb0f4293a4f34bf09bc8802b20000000c47203e449d3e0b61da6946296669c5626f09ad1756b882761c82be71335b2dd400000005525c29073c2d5f8e695b63c37cca129374a03ba726415b21464fca1300b3fd042acce50b170368fb877ac7ff3eb12c002d4334700f7016f89aee43a9ed009b1 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3042eed7fcdad901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{032CFF41-46F0-11EE-897D-66AFBA4EB959} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399532585" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2464 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1708 wrote to memory of 2464 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1708 wrote to memory of 2464 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1708 wrote to memory of 2464 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2464 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2464 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2464 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2464 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral20

Detonation Overview

Submitted

2023-08-30 04:44

Reported

2023-08-30 04:47

Platform

ubuntu1804-amd64-20230621-en

Max time kernel

3s

Max time network

134s

Command Line

[/tmp/l3ce7c8df_x64.so]

Signatures

N/A

Processes

/tmp/l3ce7c8df_x64.so

[/tmp/l3ce7c8df_x64.so]

Network

Files

N/A