Malware Analysis Report

2024-12-04 03:11

Sample ID 230907-vv5xxacc21
Target SA_B7363pxz.apk
SHA256 f4d8b494fd1730b4563c9857b3c4f41abe9b3cc634f128486285fc442f7f654b
Tags
gigabud infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files:
behavioral4, behavioral14, behavioral26, behavioral16, behavioral27, behavioral32, behavioral8, behavioral11, behavioral15, behavioral21, behavioral28, behavioral29, behavioral2, behavioral10, behavioral19, behavioral30, behavioral31, behavioral5, behavioral7, behavioral22, behavioral20, behavioral23, behavioral25, behavioral24, behavioral12, behavioral17, behavioral9, behavioral13, behavioral18, behavioral1, behavioral3, behavioral6

Analysis Overview

score
10/10

SHA256

f4d8b494fd1730b4563c9857b3c4f41abe9b3cc634f128486285fc442f7f654b

Threat Level: Known bad

The file SA_B7363pxz.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud

Requests dangerous framework permissions

Drops file in System32 directory

Program crash

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-07 17:19

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. android.permission.NEARBY_WIFI_DEVICES N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read user selected media files from external storage. android.permission.READ_MEDIA_VISUAL_USER_SELECTED N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win7-20230831-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog-ar.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D955F551-4DA2-11EE-B8E7-E6515181EC0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c82dafafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269100" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b00000000020000000000106600000001000020000000ff2ce9f328564b0763c9581cabfb238c8f2e256ab21b539cf08a5984703f2f36000000000e80000000020000200000002376cfe28ef3d0dc839038fabd4b3a49c844c4d749bb4735823312d7e382dd9020000000e722d8e5b70bc51ca093aa801bbe61c60bdeb50cbc8c3ac0d17a503f73c1e8884000000011977be8e418186f546931e24da7c6d65eefa4134dd04c43309b9fc55b546c86c8daf9f87cd737e200ab59bb426e0b211f23b900545a81988f383a5e031551ef C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog-ar.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabED6E.tmp

C:\Users\Admin\AppData\Local\Temp\TarEDBF.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral14

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win7-20230831-en

Max time kernel

135s

Max time network

139s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70293fabafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D4214171-4DA2-11EE-A400-462CFFDA645F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000001a5cb399c9e873d71acb12ad3d1d7952dbaa4d8822c5ee2ea745c778869863b6000000000e800000000200002000000082da70a22f7a5e99b171dec8dc98f82799fe4d093dcaed609d840f55da25735720000000b1e4abce8339745664984c5b736be8b2dc94c83306eb3b1b9e02c8278bbc1ce940000000e16c81c652098af8006bb061b2edd3de53a628b822aae1b8fcee553764b162be82cfd830bbc6b9dcdc1e05705d490c8f83b2fac3781f209ddc3e6cd9be4c6697 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269092" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2208 wrote to memory of 1612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2208 wrote to memory of 1612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2208 wrote to memory of 1612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1612 wrote to memory of 2632 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2632 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2632 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2632 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8D82.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar944A.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e501dd58d0839fbd3b904a2cdd5f049
SHA1 98bbf619668a12d482f24f1a1dd182efd701a16d
SHA256 36c688979586a3a0a56c9b1cbf563161206de5638d00a146143b383f41077758
SHA512 679662d343aa94ae567313521419d36b48b9e3ea871532069cb1cd599727c43aac7a19d4ec867adfd56a136fed6277b2291093f0751d93c6222b35563966e283

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72913f64ae5bc709e1a2bb552d302efc
SHA1 29bc1e515202586381d58198959aa0be0ab823ec
SHA256 601fab7fad699249193926dfc831830386cc67d39477d0ed5a6fbc57ab234e6a
SHA512 839bfdc9b8bad8c544a1786612513698c5dec571ba02b97671bdb6b11295a7c4f4745d9201e3456401f69bbf350c222d00723fee177554cfb945ae85bdd67e09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 680d48b689927c94026c217adac1565c
SHA1 3fffb055d9796e89c2b52f2964e73d315da40b59
SHA256 782c562fdc4bd88f98f76e4384c2651b91c69748788895ec4601076d04053802
SHA512 3d01f341d30a72fab78ea794b202f6bfdc3dc342da78b6628e6c84310943a0b523be1e6b7022a4d6f4e165f438fe032a26364ae07fe89f9f4e68f861359e7963

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c18f6117be2648c9ea0b22d46e8ecb98
SHA1 a235a6ba463762e26e02f0e1b16a39b64ecbff57
SHA256 36d5dc8cfa68d20e2b1f8427dd6de75953fbc9b9349f8357fb1d761d42d483cd
SHA512 6e706faa164cd05af80a5cc9c6f08f256b5fa04868c8289c661965296bfda4b006d00973f8fafc759eaee6f896bb234310cb8aa9ea00ce3b79fb96ba09190668

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c161c8539b65636ba97a2e4dbdc92d45
SHA1 2fb002ea6d61463bd43bb60d5ffd83c0e9fe243f
SHA256 297bf9b137e5632ab566e332046b47e9d6ab798be8fba41d34fdcfc41bf6bf9c
SHA512 ffb0576122f5d1034ea32b7c80e0760bb9f787090b70c79f227906954d98dba6be8ecaafbca1f93ea0ea7d8cbe72d3bde2067d890c5b86fb1a26423118e42eef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21cddaeea514394df889f43cf462cc91
SHA1 98df99fc2d3f8af56266d91a57d6b980be60b9a0
SHA256 af4223809e13db4e1cd4e8fb6e2d544033299baf6a99327a46eb5bcffb2aef0f
SHA512 6063b3f7906406aa001a53786e2abb4831361f7c06ee20129ef448da6bdb82d6c3113e3c88f439170c0e693f3d7e701832f09f54665c2d06c195b7ad66ab9e36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7260296ee831d93a3e2fbbd419ff1e13
SHA1 ff9bb2e552621da4c65462cfd783d079939d66fc
SHA256 06bb5cc56f6e3c2042a4ac0ae18d3e8d193f064578df3d4e5be6f619b0e4001d
SHA512 e0a8931862cf3c701b86190db5c02d7951a73c3bb9938ad2420925b5513680cd6aae9f25e6a5bb6b5f2d4c7a250d63389331361cdade01ed8909c8c17e7bff55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b5fe693d17693cd87ef2dc7fee8058e
SHA1 4ac4eb76a65923915225d89fd58ccf2f37eec8aa
SHA256 a87a4f7c25b2b3b2c6c9dff5e09b14a4dccc344244103d6f1884d78a8fb7e207
SHA512 56fd9ec7f5ee055bbf87683db645536f0294aec0f525d136ede9ea4a0b0c1363de96736bd04bfe5149eda31d5dd4ccdcc1d87de8763ba174b7391152d5884ddb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3366d02987d01f7e67ada7f19787ac29
SHA1 33099d24ad39f197a8fe4caf6288ae3a1eaf5ba7
SHA256 b280f87db7e3bb88e3f3ca9a491401a21407f28f287484ab5a7a838100ccfe05
SHA512 d4a049eae989fb8bebdb4916456111260e988744d5db86e7fd56423f0859b6f7d660cae37e01a51d9297f15c8c1f2795bb4b2705c84ad4dc69aecbbd4fcbfe52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c0d4f976c0b99787bac66346bd155d5
SHA1 a99786327812eda819c58c2c454d2a466a504610
SHA256 4903f0e9f81d52e397b4b222e3070fb280ad143be9dd2a0e7dfa411cda00ee87
SHA512 948dc7f10e1077604bff6d8507e81b900da225f21f01feb3c19c52a6647491f0c52ff3035ec3d49a66be304bad68e41c7da5b402be6d6fc2f014c26aea2228e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b882a2931a1174b476ec144d6864fd6
SHA1 1001c95c3e4afd57c0124f58c52f79817299f08a
SHA256 f75f9578f0c1bd35e6216fa0c45516d389217ed25401f0665cd8dc7935d1332d
SHA512 36903d6eb5d040dd1f018fa2105b55c93814b134c43c44e6d2460176fa86b61026ade4c0be23c23124750cf3eed91d9bdcfeb3d0c32839f1dcdbaa4d14375f18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d96bd5cf1570a1c5063f81f4d3d975d
SHA1 b181e7be7630fa44af4df3f894ceafc7a40cf12f
SHA256 b788706f8c0b3c1e4c5d126031df515940e1c27911981e925a12b43cd9a6454c
SHA512 acd4c1a1b6c5d9200446cca70797e1b3c46e76b4bad4cbc6e73b046e0c038ad43abb1e2dc7526645045a5f379e5270b26e0ee923261d2abe372128f5d262e4bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bfbd614322e01dfa2d7e1d88b18ed89
SHA1 9554f0521a199532b76ef155f5b88151e4cc92e3
SHA256 c1f53d9db8364a6e1cf56b80c510b02198b386e94d767008d5d4ca97676a123a
SHA512 9c9ac90bd1bce8023cebf9b5c7950fd6dde6017fd3062ec5bc82f6f8955d6392fa853bea9c4469b4f4ff64aff30172818dcf3c6aea80f4d5b897a1152d28561e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7ab01f1458f45e701485f2d6490ad22
SHA1 cf9a624cfd495f91cd712cf1e86ffdc16ae3795b
SHA256 4d8b64993f2fbab5d4b33208b7e3e6d5eddb74926d450321ad27f6081df3ec27
SHA512 854d0d2f8dedc1af77a761f4271319727f4a2c8d8141bdb7a48448c0e389b42ea1276799eea55929dd9431d32fbbe35b6848072c4e9e6bbc22f255ddd23893a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c903f03d2d177d41ef61394aa1ad0f41
SHA1 9d5811420adbf9bd2feaad41dcb320d213121d7c
SHA256 1f386c79320b2e177aa8e321e725d4465192c8aaf63b96831f9f3629d1782e83
SHA512 0ec3c299a5501d482343d5c9d8f365edcc10e2f9d2496a58f82ddb684a519ecf7bfbc209815a5b3062707832c6c5173200ea6ffc6bec1b309192877328082309

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84d9f6c03a8dbf561a874c53961a0780
SHA1 894eeceaf53dd3ea0bfc138d46385eae4f0f1400
SHA256 8d02ee7aa65c21f45f0b075f9d27f6eb9111310ab7ab3ba7a13bbf5d97fe8d30
SHA512 7b373b154fb5184d55d40c79992bf4fae142c30c3ec8cce8253014b9266d7d91eafbba9364ba29464f9e23874c55072711d28a85b0fca0efb3a774e6e85f32be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 995de0d029d04fec9179f42b5d8fd1a8
SHA1 bcbd019861074a7f799f9457eacfa02579539a05
SHA256 cde5a9e00a189ff56372553d87a0419d3deae45fb53faaba024de276679948e1
SHA512 46d06893dae4463f683139671b9a2f15b11bd99ec14c5e0b22c980e3a8ecd49d888ec3615fe03fb6f8f13c1da6a6224e647a9d10a86a26a3527164e206af0276

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea4b39e997fb35fa768ff27885c2e088
SHA1 8e98896c61a89437012cafd1f344f8dc5777cc24
SHA256 4e11624e978e6547be115c44679a6a61d105fd7d612d2f712823c75c1cbcc876
SHA512 99c003693bef00219c4590308e60f016d9dee5160862eb480fa93494dcce5bc951afaa6055f896fba76872967ee327ac9ce6aa0df45a7a73c2941588d295b894

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f11f585cac662d6e8232c2679c62c276
SHA1 adb6c471f7c3602b694305c92d6cf98f20e4a9db
SHA256 7acaa88f739d0e229f54728174bc93b62099140a273d8a23a27c3fcc79adbdee
SHA512 344c88e5d30779aa9da779e69004a3b73c8e92ffef2a4f9fc4f1aaee31f3d16578b1e0c5a00c50c70ddc4c7bb4de7e132ce3cd34593a1da0c308cedf4c37504d

Analysis: behavioral26

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:20

Platform

debian9-mipsel-20230831-en

Max time kernel

10s

Command Line

[/tmp/l3d4aa6fd_a64.so]

Signatures

N/A

Processes

/tmp/l3d4aa6fd_a64.so

[/tmp/l3d4aa6fd_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win7-20230831-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269092" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e2d8a9afe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D531B771-4DA2-11EE-9A91-FAA3B8E0C052} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a71400000000002000000000010660000000100002000000087101bedd3b73f4cc08bac599eac9e2d48c237444ab6c117f8f7597ab6c71358000000000e800000000200002000000075fc0698518e66c306f33fcd038728e83bd41a7a3743163f63be5ccd99c7bd9b200000008a7aae4ea113fc8b1ad8fe34d4866511d6f882ed44786a4f5d23561d37b903b240000000b1a9f5e330b661930293fd7a882ca82807608c86526ee10d011a3aefbd17bf3ca993b42f112f595b6abd87268c9dbd01b5fbdd323b2dab3eb7cf29845ed6cd1b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1976 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1976 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1976 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2116 wrote to memory of 2596 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 2596 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 2596 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 2596 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab76D7.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar77A6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e0de1129b03f5d4618c1e1918c18c8d
SHA1 21d5db15fc464f790541d5b439bcfe348eb84c7d
SHA256 1d261f71e794fa5e67e9d1d36e95e8b6a6999bde9cc7b3889587770c0f3a289a
SHA512 ed8bd72b2cb1a1cdfd0dcdb50d4e5a4492fd626f7c98d9bdb08c1beb88ee08b8953020e031e8c7f111a68baa53ee6e0cfcbc010400ff434cd2f31fe27fa55ebe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a9bf629e6d78eb64b77490772f4ae89
SHA1 40cf001949adaeb8bdb006e88b89bf83441b92ff
SHA256 4bdf1c2042d9a2694562b2dd1e843cd94bd7dd7ba6c2bf371dcdbf2e11f7bdf1
SHA512 f4de08910f5b868691693947283facbde73afc7db4ab21e375e937b3229d29219f7cd4372d4860955f35d390535868eeffce817c49f4a8497c0314ec50363618

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ac5af3c2322fa3e6e046c33cf223153
SHA1 4c13c85fff45601f17dbe9574ff2594dbc5a5f41
SHA256 65d414e44536a9a7ca1177e3f71b81aa83380891f553abb64e82b5886dabeb3e
SHA512 4b9bdcd9c035524253e39b64971ca457a5e5ad3ce112b8e6fa9603b38c3b5923b396123a58927eb0564b173a54a68719196c9fb80d2842cf165d2c04a10ba095

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7363f964e3dd57a731b454bafe461e56
SHA1 881f330c980bea719e2c22b2a6055ab9fc7817c7
SHA256 87ecd151b669c6e5f5fe720651a251cb8701b066fa2adb52038655e3b59fabc2
SHA512 63a46442f403c5e30e683446a270dd1bc84c09f2400956d53913096ce25d06e851dff44825fb96660663d5baf3792432aac2f434820014e21ca72af7d75bf403

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b844576d812221b8b223a2e21f0819f
SHA1 97d55addbf761730402c897904178a4c5cd12a00
SHA256 e4c0f3bbc6466a323b4c096537a34fd4a19e213235bb4625a22866b0726b29c6
SHA512 847656ff9d7f6b575a3099658316aaa5edb66bb590754ce614e18aaab70ca1bdc67a854d06ae31215140c0b1d864dd596aed360c49bcfb8ced4f3857e3f225f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86da14ef690627d5a050a71221b996b0
SHA1 f999e736797cd12e8055db2a6388e2611500b740
SHA256 21ef11398d48e85addce7a6c6079b339a6e1c8c2d89f72aeb1d6dd70802547b4
SHA512 1d1b566cf216a831168f0b309850fde5e596ef0d927c5eb479355f501a0e3c8f06178b48be2df4b4712ad7d842cfe57a1375b13a444ba91ce0a612aa386dc87f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2acb15f92b27eef7a77c38d0f33eeb55
SHA1 52a80fc8246db09af00acf79612eb12afe6675bf
SHA256 4d040df76eace073456cc0edcb431bc9426af87268711eba1c92172cea8c7c1b
SHA512 82301f98751fc69588e4df80d38187a6fafb7dec0235dd1a1c75ea4f9fa913864765c13732401cac55e7816c8073f42c555c3a0246f4527de1fcb5e3ba3e7da0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 720f09662d464109c084765685bf3c8a
SHA1 956967d2422ad391b946fe5e3494478b70f4bc47
SHA256 dd6438f7c8cd2bb3a379d73dd90bb02d04c06c511665649b14e50cd4e204c2b1
SHA512 f8166aeb089d4e6e9fdfea033e2a7d42d1061d91d3bb000bb7ec1d91390209a3540c521366b0c456e83267ae5e02b7639323d2da590d1c412a1bf9edd2273a29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d752d1789dac5a7fdeb9394e2125c8da
SHA1 295ce483e12ed51991d89ef86a92cf34cc27ee6d
SHA256 2510229c4a4967eecbb4c49f91f78e0488a279b1ff0a83f8e93be37bba2358f8
SHA512 cf636fff5b37215d39912abe4ffb28a8fa4ed0480ae625d14f405c9dc1a83f7c99dd0d42586933ecf6024798712984b0a9b44017ce6dbfc5ad9c9c51922c6987

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9e2a16d3a94b714bbf274b8848ddaf9
SHA1 ec9c10f573acf9f507693120d6ff12049d3e1b70
SHA256 e5ce46478514216b530a39d281ee9eb7a3b97d89218e6f213b80b2fdfff0980d
SHA512 e16a6f7ecc26592f38f6cc238765726e87309451f65f66ace243fc63a0bb5f0d33b18c66d391f760548f3712a2d77fe0128de5ade147217fd5775ed6a10897e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c42e292612fc925c051f7497967d35ed
SHA1 fed1fd1f8551d69b76eca83718ebc675b9a88b5a
SHA256 4acb42198b71644cad5eaab4284819ac344477b406dd672790e12312d61ad9cb
SHA512 a9b4866567387931307037a225a3c07a1ad12a0c2c1d06c67c287f1c4850ac8c54f8546dfc24de432b6ba18a24a52ad9f5430d57332707f19cb4543e81be7eb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d6bb9bacd4cbc77ea4e6eebfaa8d05b
SHA1 a0c1bf5b7d805138fcbf0bfeefbfd663f0603544
SHA256 f85169f61387892a86d050c3364f35b5c5b233d2aca69e4dff657980c4031710
SHA512 6089a12d76490305e6cf32024072a5d73830c3294091d547e6fdbff875897f2481e018dd21a1c25bf0caa76a6b61005dad7f331ece8bde27c3d0f972efa9dcfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 746d34bc32039f27cd22cb0bd48bce56
SHA1 992c269bbdf7ad7a3126021d6bf6b473d245d357
SHA256 e2108e36351b0af9533787f5a38d0f55d6ea7c124a96f0e021901286455fb889
SHA512 b4f3c8d8d2981631a35ed137e08af68ae29bc54585370a1ffa243397c045d9497151c3a8dcb894503501bfa3983108dc6dde2a7cfeaf1364ebbe812b1ae419d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 384d2fd6a67d81d6d4ae0c0ee0e67817
SHA1 cfdbe01f48f056ea29435f923f71f216f9327cca
SHA256 f9b66bf5e34c90669c079ed44e73fe4a38f5b1f428a396f5e1fe07ff7aab8573
SHA512 86506e7fb3c906175c3b2d4253a2da4e7bdf9ac2e0c9aa6e8c37c45a7ffe8db1d5fd4cbcc7a28bc3b14d0df883bbfb33adf41c5dd4302ce61856eeba7b2406d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26e11dd225b78a7d5188677b0100bf91
SHA1 ba0b576adf527ef8532f884cafa1c0b89fd627a6
SHA256 106e2c119754ab09de9fadd9eb9653efb32bebad2c028594dbd96f6126462ff3
SHA512 6ff8e487443796196e488bb9ed5d76dc3cdf17ccbba1237314a316280ff880cc197614496af34852dcdfff764feeb88bfedca5ce6134a148bb9fc1e0401a71fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a9041c2f81ea88bafecf9450863115e
SHA1 4fd8b311bd2bf2a376e44f43e37369a50a0d32c9
SHA256 808b3d4f8bb59766414cb39252c3905f35e3bc499a9f3d4c7a1424f259f0cd59
SHA512 5d94f31157a2da21ff080fc82da4ea1839a29e3bf969b63e9e2bee31cb6c893eaaf47aa82d000bd21ba17041179b5a5591ec9138c5c93f97b3f5aff8c040d37d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e447b3ed05d7221b90214d4465d62f84
SHA1 f4128857f55c2e9b92cdb911f7115e858f6024e9
SHA256 ed19bb4bd77620aa69a3f627ac659ed2ca69541191e6afd2cdbf87cac0bcd1fc
SHA512 732361ef86aa203768994d6107283069ffb90452075c5755b00193a2d556bca83a78b0c9395f3052d5418486a13c1e32e2a76cfe25204ea90337f03cb7d73580

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b5a39e16a5791de91fae93bc55e7ff4
SHA1 e22c59cc7f144b1b3510f07fb04126ddf9386754
SHA256 3f0b8854b702fcb74c7cbf42e15ede05da0901220766ff83437eb22ea6961c7d
SHA512 2ec8a4e57d8738e738b8d73594bd06a32cdc6403eff3238aa56419336715d6255192e33500a1df0dbb3ce17e2eefb96f401a9f844e5bb58a841b1907da2fdd2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b91ed7ac2d4889581bbb7099dbd9d7d
SHA1 e8dcf166ef0719b72a9338ab4bf3affea3fc7767
SHA256 df99bd671a24b61331331628fa3e76db6d9d0a5bc25fbdc7a69520269d822d41
SHA512 dae2445c2332f7e5facd7eb90e65c410270be02e1517b1476b4af221ebc62e2893e5ab2bf6fb66d85bfe2ea3a78c8158d16db7b940375d2ba09185bdf869812a

Analysis: behavioral27

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

5s

Max time network

135s

Command Line

[/tmp/l3d4aa6fd_x64.so]

Signatures

N/A

Processes

/tmp/l3d4aa6fd_x64.so

[/tmp/l3d4aa6fd_x64.so]

Network

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

137s

Max time network

158s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 432 -p 860 -ip 860

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 860 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.110.238.8.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/860-1-0x00007FFE86B50000-0x00007FFE86D45000-memory.dmp

memory/860-0-0x00007FFE46BD0000-0x00007FFE46BE0000-memory.dmp

memory/860-2-0x00007FFE86B50000-0x00007FFE86D45000-memory.dmp

memory/860-3-0x00007FFE86B50000-0x00007FFE86D45000-memory.dmp

memory/860-4-0x00007FFE84460000-0x00007FFE84729000-memory.dmp

memory/860-5-0x00007FFE46BD0000-0x00007FFE46BE0000-memory.dmp

memory/860-6-0x00007FFE86B50000-0x00007FFE86D45000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win7-20230831-en

Max time kernel

135s

Max time network

130s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7667991-4DA2-11EE-B493-E6515181EC0E} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269118" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f000000000200000000001066000000010000200000003b616dd3ad5dffbb813bb3d757c3ee06f7b2eefc8426730b3c7c9830c77860c3000000000e800000000200002000000007d16b8c1cae3a37292ca515b5f3456f0b3fa0a5460c627b56fd950836602c3320000000799b9cfbfd544d9bfadb5bb3f9531647ab8316d937f4ed38fe90ffc816640ef34000000082f87c216ea635b1e88c6883c793697958df563de0399bc6ccf10b831c4be9835bb69f99910996148afd4e654a42cc9186dbcf61417813f28e36506b49e4277c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3087b6acafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2732 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2788 wrote to memory of 2732 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2788 wrote to memory of 2732 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2788 wrote to memory of 2732 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2732 wrote to memory of 2736 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2732 wrote to memory of 2736 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2732 wrote to memory of 2736 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2732 wrote to memory of 2736 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDB83.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarDC22.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
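
The win7 detonations (behavioral8 above, behavioral29 further down) show one four-step chain: MSOXMLED.EXE opens the XML and hands it to iexplore.exe, which starts a second IE instance, which starts the tab process whose command line carries SCODEF:2736. The sandbox reports each parent's writes into the child it has just created as "Suspicious use of WriteProcessMemory", four rows per pair, and IE's first-run registry housekeeping under the user's Internet Explorer key as "Modifies Internet Explorer settings". The Python below is an added example for reading that signature table; it is not the sandbox's own tooling. It collapses the repeated rows, rebuilds the launch chain, reports any write that does not come from the process that created the target (the case that would actually suggest injection), and cross-checks the tab process's SCODEF:<pid> against the frame PID in the chain. That SCODEF:<pid> names the IE frame process is my reading of IE's command line, not something the report states. The rows are constructed from the behavioral8 table above.

```python
"""Process-chain triage for the win7 detonations (added example; not the sandbox's
own tooling). Rows are constructed from the behavioral8 signature table."""
import re
from collections import Counter, defaultdict
from ntpath import basename

# Each of these rows is listed four times in the report; the repetition is
# reproduced below so the parser has to deal with it.
DISTINCT_ROWS = [
    r"PID 2788 wrote to memory of 2732 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"PID 2732 wrote to memory of 2736 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"PID 2736 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
]
WRITE_ROWS = "\n".join(row for row in DISTINCT_ROWS for _ in range(4))

# The tab process's command line, from the Processes section.
TAB_CMDLINE = r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2'

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_writes(text):
    """Collapse repeated rows into one (writer, target) edge with a count, and
    remember each PID's image name. Counter keeps first-insertion order, which
    cross_process_writes() relies on."""
    edges, names = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        src, dst, src_path, dst_path = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        names[src] = basename(src_path)
        names[dst] = basename(dst_path)
    return edges, names


def _writers_and_targets(edges):
    writers, targets = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
        targets[src].add(dst)
    return writers, targets


def launch_chain(edges, names):
    """Follow the edges from the root (a PID nobody wrote to) while each process
    has exactly one child. A parent writing into a child it has just started is
    what process creation looks like to the sandbox's hooks, so a strict chain
    like this one is a launch sequence, not injection."""
    writers, targets = _writers_and_targets(edges)
    roots = [src for src in targets if src not in writers]
    if len(roots) != 1:
        raise ValueError("expected one root process, got %r" % roots)
    chain = roots
    while len(targets[chain[-1]]) == 1:
        chain.append(next(iter(targets[chain[-1]])))
    return ["%s:%d" % (names[p], p) for p in chain]


def cross_process_writes(edges):
    """Edges that do not fit the launch pattern. In report order the first write
    into a PID comes from the process that created it; any later writer into the
    same PID is touching a process it did not start, which is what injection
    looks like. behavioral8 has none."""
    first_writer = {}
    for src, dst in edges:
        first_writer.setdefault(dst, src)
    return sorted((s, d) for s, d in edges if first_writer[d] != s)


OFFICE_COMPONENTS = {"MSOXMLED.EXE", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
BROWSERS = {"IEXPLORE.EXE"}


def office_handed_off_to_browser(edges, names):
    """True when an Office component starts a browser: here MSOXMLED.EXE passing
    the .xml to iexplore.exe, which is what '/verb open' on an XML file does.
    Worth knowing, but it is a hand-off of the document, not evidence of an exploit."""
    return any(names[s].upper() in OFFICE_COMPONENTS and names[d].upper() in BROWSERS
               for s, d in edges)


SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")


def ie_frame_pid(tab_cmdline):
    """PID of the IE frame process that started a tab process (assumption: IE's
    SCODEF:<pid> argument carries the frame's PID; the report does not say so)."""
    m = SCODEF_RE.search(tab_cmdline)
    return int(m.group(1)) if m else None


def frame_pid_matches_chain(edges, names, tab_cmdline):
    """Cross-check: the SCODEF PID should be the second-to-last process in the chain."""
    pids = [int(entry.rsplit(":", 1)[1]) for entry in launch_chain(edges, names)]
    return len(pids) >= 2 and ie_frame_pid(tab_cmdline) == pids[-2]


if __name__ == "__main__":
    edges, names = parse_writes(WRITE_ROWS)
    print(" -> ".join(launch_chain(edges, names)))
    print("rows per edge:", dict(edges))
    print("cross-process writes:", cross_process_writes(edges))
    print("Office -> browser:", office_handed_off_to_browser(edges, names))
    print("SCODEF matches frame PID:", frame_pid_matches_chain(edges, names, TAB_CMDLINE))
```

For behavioral8 the chain comes out as MSOXMLED.EXE:2788 -> iexplore.exe:2732 -> IEXPLORE.EXE:2736 -> IEXPLORE.EXE:2756 with four rows per edge, no cross-process writes, and SCODEF:2736 matching the frame process. The same functions applied to behavioral29's rows (PIDs 1100, 1168, 2604, 2724) give the same shape.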

Analysis: behavioral11

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

132s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 4676 -ip 4676

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4676 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/4676-0-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

memory/4676-1-0x00007FFF312D0000-0x00007FFF314C5000-memory.dmp

memory/4676-2-0x00007FFF312D0000-0x00007FFF314C5000-memory.dmp

memory/4676-3-0x00007FFF2ED60000-0x00007FFF2F029000-memory.dmp

memory/4676-4-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

memory/4676-5-0x00007FFF312D0000-0x00007FFF314C5000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win10v2004-20230831-en

Max time kernel

0s

Max time network

12s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp

Files

memory/4800-1-0x00007FF840750000-0x00007FF840945000-memory.dmp

memory/4800-0-0x00007FF8007D0000-0x00007FF8007E0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win10v2004-20230831-en

Max time kernel

138s

Max time network

158s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 448 -p 2468 -ip 2468

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2468 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 126.185.247.8.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.110.238.8.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

memory/2468-0-0x00007FFAD6850000-0x00007FFAD6860000-memory.dmp

memory/2468-1-0x00007FFB167D0000-0x00007FFB169C5000-memory.dmp

memory/2468-2-0x00007FFB167D0000-0x00007FFB169C5000-memory.dmp

memory/2468-3-0x00007FFB14030000-0x00007FFB142F9000-memory.dmp

memory/2468-4-0x00007FFAD6850000-0x00007FFAD6860000-memory.dmp

memory/2468-5-0x00007FFB167D0000-0x00007FFB169C5000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Max time network

144s

Command Line

[/tmp/l3d4aa6fd_x86.so]

Signatures

N/A

Processes

/tmp/l3d4aa6fd_x86.so

[/tmp/l3d4aa6fd_x86.so]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win7-20230831-en

Max time kernel

117s

Max time network

146s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269099" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000009cf0bf97eb48be2f56de17d349061edfc61bf312b2b2ca8309e126f5dbdead000000000e8000000002000020000000c40223a1f102e07da8d8ecb2dba9856eceafd217bdb754d24feabf49d8cc39ce2000000079beb6e03fbdc3a8c5d72ef0bc4217348ca4b7e806ef8c1fc096bec16019789c4000000064d9f7adede83e7069cdb3f66e54508cb619c3690571ce44a8160c9236383630156cec98b6dee6c3f8217796ad3c2de8850e81cd028a633208a84813698c6624 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a5baacafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7ED7C11-4DA2-11EE-A967-7A253D57155B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 1168 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1100 wrote to memory of 1168 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1100 wrote to memory of 1168 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1100 wrote to memory of 1168 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1168 wrote to memory of 2604 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1168 wrote to memory of 2604 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1168 wrote to memory of 2604 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1168 wrote to memory of 2604 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2604 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2604 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2604 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2604 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab9696.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar9794.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90e623be46c8235244b18d43351503e0
SHA1 9a6bda6cca34cf12361f36810f9ee24df3eebeb2
SHA256 d15433cc291e1b81c1f3b04a5cf1e8a51e29524fd2d26b1447fcd1236576e62c
SHA512 01107c04b3f325fbaffaeca1ee9ee917f39b3f4835573f5f00ebe40c908f59e25962435a35efa669a164e374439f59229878028869426b842771f41be3dcb35d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90c2c63e57c2d3396463af1360d4288b
SHA1 95f8527e5a3e05dd297ea73b80c2035945960030
SHA256 a7296c6eae4270a89c1b72a74d3aa346209f0ebc6f5134b251f16f3561b51b9c
SHA512 88f25430441af69c6c4bb592918eb526119f7a9489c2a079a60f402718359d3333edd9fb7174e841385eae90b8b20477b50e356c3a15a7fb6bd985cb8bdf8408

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed379bcf900598970514a4939413755f
SHA1 b3235880d127eb0a09f7be64b6dd51156c664cf1
SHA256 6cd543c24d9f71a21300e72a1722dd76f8452341afd23e2b5c14790f91258889
SHA512 475f86c62216d4a94c63f40d7218328fb720e6b952a712795072fd995bcbddae318b2d8c3666d499f0acc84b4516ce3f276b65eed5f52e2b1a76638035feed4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e37cd9ff00d6d23201c69d149aff1da4
SHA1 f94181c371394d4bd96d337227d99fb92a47db99
SHA256 b7858dfc071bfc2c87c65cdda0a3d6051ef5c9a7cf25b6e69c5913da13fe00f6
SHA512 c67df23a26f8d2130b3fd8f80feda0141f062f749a75ddd930ee08ecb3e60e3ec985cf459d239b6becbaa2a0edda4d0fc53fadbd16678e858f7f93539a26a22e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c81ec6c0a10553bae2957a83714292f
SHA1 52cc8fc7fea26f2cb2dcb4bdf49f15a0e3460150
SHA256 41a7b85aaf455b43205d7c0372f7bfb2a4af5f4ec3373637f963c7d6c567f637
SHA512 0d72ba4068292863e2970f94abc7a387bfe2692bfdf9c1aef76ff44b95c0606a55d3514ead3dcd85a9e3f297fdb1ddc797e0b0b6cddcbef784865b0fe2a5321c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0713d8e18a4f33c8f0caaa51eb3b729
SHA1 97a87a1fdd6e3ca7dde5bfeab4eac22c4caeebf7
SHA256 6f0bac1f3f1748c619a1ad27edb454e37febf2afec479e92ee84899a2bd16d53
SHA512 0c4a9450219aac95a74e01da55938bec9b9e7cf0e58e15f1ac0ccb85b5dfd7997213bb053e794b48dcfe093486e9b8796d651e4da4c873b42287f559781a3ecc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a35208e02299541ef1beac8aba00e9e
SHA1 b81838ce24e6b3273c99f44f4b7126f7d3ed28bb
SHA256 6d14e301661f8820fdf7f5b16e7f2261c60363dcd9599e42c4fb9c97dbe093eb
SHA512 a84c095aeb812dfa24b4648c0ede0c5f4ca91d2ce6a8051fc46d2673096c30ee700a29bb430bf3138df03af8a12a553dd669a71dc1dd2546161792fbad673c36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b7b2b8faf5e56c09e5315085bf82b92
SHA1 d899f64ff75cbdece22be250ccd07b4472334e35
SHA256 5d3387d4aaf51bc26ef5cfef15c61596cdaf951c0a6f5766dfa28b31003c7850
SHA512 2c3cc5026265c55b66df4a68994f3b9aeaaa0b5c282d245367c3e576746138d3807832f093b27ef81c83446c275de668408b99467837b39ae52c19c1d128ec49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8241f8a358b779c5c47c24a6f8e90f4c
SHA1 80bd0471c3669761291407fe426c016e70d8c5f2
SHA256 29ba3cca74037d63d80216242d4eba455354919a755a98f768105ca2d3bbca65
SHA512 f023aa6de55b2cf3ff45296695d6087030ac4ae91313b905e48b10bdc8c9d4a27b93f338f609fd8767ca958730d836eb93ca53727b80d72d92081d58bd3a012f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6242716fab3dfe399867eecf2caebdf2
SHA1 d8a70bca686a9e67f273613a2943884e8caf4985
SHA256 8f0f9b9df02dd160ab39e9c1d4a1ab0260ea92ca3e498dc43e016f45c5c5998a
SHA512 434aa432e555594d009c706c0dc7b037e7dbcf76677559600c8941965fd68c159a58525c6ecc9ae15ffc123914ef0646c30e4598f896ca0557f68537d1a53094
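
The Files sections of the two win7 runs list the same two temp files under different random names: CabDB83.tmp and Cab9696.tmp share one SHA256, TarDC22.tmp and Tar9794.tmp share another, and the CryptnetUrlCache metadata file appears eleven times with eleven hashes because it was rewritten during the run. Identical bytes turning up in independent detonations under fresh names is how environment artifacts show up (these are consistent with IE's certificate-cache downloads), and it is the first filter to apply before treating a dropped file as the sample's. The Python below is an added example, not the sandbox's tooling; its entries are constructed from the two Files sections (only two of the eleven metadata versions are reproduced), and the OS-maintained path list is my own allowlist, not something the report provides.

```python
"""Cross-detonation file triage (added example; not part of the report). Entries
are constructed from the Files sections of behavioral8 and behavioral29."""
import re
from collections import defaultdict

# (analysis, path, sha256). The CryptnetUrlCache metadata file is listed eleven
# times in behavioral29, once per rewrite; only two of those versions appear here.
FILES = [
    ("behavioral8", r"C:\Users\Admin\AppData\Local\Temp\CabDB83.tmp",
     "6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf"),
    ("behavioral8", r"C:\Users\Admin\AppData\Local\Temp\TarDC22.tmp",
     "bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5"),
    ("behavioral29", r"C:\Users\Admin\AppData\Local\Temp\Cab9696.tmp",
     "6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf"),
    ("behavioral29", r"C:\Users\Admin\AppData\Local\Temp\Tar9794.tmp",
     "bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5"),
    ("behavioral29", r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "d15433cc291e1b81c1f3b04a5cf1e8a51e29524fd2d26b1447fcd1236576e62c"),
    ("behavioral29", r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "a7296c6eae4270a89c1b72a74d3aa346209f0ebc6f5134b251f16f3561b51b9c"),
]

# Cab/Tar temp names carry four random hex digits per run (CabDB83 vs Cab9696);
# normalise them so the same file can also be matched across runs by path.
TEMP_RE = re.compile(r"(Cab|Tar)[0-9A-F]{4}\.tmp$")

# Paths Windows itself maintains (assumed allowlist, matched as substrings).
OS_MAINTAINED = (r"\AppData\LocalLow\Microsoft\CryptnetUrlCache",)


def normalise(path):
    return TEMP_RE.sub(r"\1XXXX.tmp", path)


def recurring_hashes(files):
    """SHA256 values seen in more than one independent detonation. The same bytes
    arriving under fresh random names in separate runs are produced by the
    environment, not by the sample; the two temp files here are the example."""
    runs = defaultdict(set)
    for analysis, _, sha in files:
        runs[sha].add(analysis)
    return {sha: sorted(r) for sha, r in runs.items() if len(r) > 1}


def versions_per_path(files):
    """Number of distinct contents observed per normalised path. A path with many
    hashes in one run was rewritten repeatedly (a cache being updated), which is
    why the metadata file fills most of behavioral29's Files section."""
    seen = defaultdict(set)
    for _, path, sha in files:
        seen[normalise(path)].add(sha)
    return {p: len(s) for p, s in seen.items()}


def left_to_inspect(files):
    """Entries that neither recur across runs nor live under an OS-maintained
    path: the candidates worth opening. For the two win7 runs on this page the
    list is empty."""
    noise = recurring_hashes(files)
    return [(a, p, sha) for a, p, sha in files
            if sha not in noise and not any(k in p for k in OS_MAINTAINED)]


if __name__ == "__main__":
    for sha, runs in recurring_hashes(FILES).items():
        print("environment artifact", sha[:16], "seen in", ", ".join(runs))
    for path, n in versions_per_path(FILES).items():
        print(n, "version(s) of", path)
    print("left to inspect:", left_to_inspect(FILES))
```

The hash-recurrence filter needs at least two runs on the same platform, which this report provides; the path allowlist catches the single-run case (a cache file rewritten many times in one detonation) that recurrence alone cannot clear.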

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win7-20230831-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\YOWA.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806f9cacafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000f2e842b0b6844b52b10670e80b617a394e369de1b2bdaf17584785210270d2d9000000000e8000000002000020000000fc08675e29e46884ab7d0b052a157da5f864ad28082d4d0a512103718419d0ef9000000098c9e15ae6bd55edc6aacc38bcfe2dc753f4c18eb1cd8957fa05b848a2f61c3397bf96ebee9ce86b2e0d333120e1729138dedfd08f0478e2452582175540235c83693e84ce38eae94248777685296429c51da0ab405fffcc8588734b90f0347f533f99c246ec82328474ab3bab102cf4cd2e9b1d08d925bf5b8407941aef323c423a352fdd44f3b1c00df3b74e5a71d8400000007fad04104956f32d3df959f2de1b8a1a5ac7b89e4f72deef50839c1ab7bde132f427880c67038c007b8243a826de585e8b44fd2daba45f24ee0dd1f99c46dbe9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269118" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D6DAF2D1-4DA2-11EE-872D-F254FBA86A04} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000361a18ff84e8888a8e53b3a200f02097541ac5daa96d03f041d68f4966f559c6000000000e8000000002000020000000ab7222683a2119d5986e19687c7ce109075db195a811847ae83e403b1c11aafd200000008c26ec28f0ab5c3ac71ddb9a877a38ecb5c5ef609e4176c39cffffd9e7ab8d2540000000d42009f0bed30629aa94ff47a8632cf35faa9b066ad68e942680a8ec7577d1ed14c3b9d19b31da0a22c5780f9dc9c30d3d61227e6f22ca02f5be2dba19a6343e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
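Every row in the table above is Internet Explorer writing to its own per-user hive on first launch (Zoom, TabbedBrowsing, Recovery, DomainSuggestion and so on); none of the values it sets changes where the browser navigates, which search provider it uses or what it trusts, which is what the "adware spyware" tag is really meant to catch. The script below is an added example and not part of the sandbox report: it parses rows in exactly this format and separates first-run noise from the values a hijacker would set, and from writes into IE's hive by a process that is not the browser. The three rows naming iexplore.exe are copied from the table; the three rows attributed to a dropper.exe, and the watch-list of value names, are constructed for illustration and do not occur in the report.

```python
import re

# Rows in the shape of the "Modifies Internet Explorer settings" table. The
# first three are copied from the report; the three naming dropper.exe are
# constructed for this example and do not occur in the report.
ROWS = [
    r'Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A',
    # constructed rows, not in the report:
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://example.invalid/" C:\Users\Admin\AppData\Local\Temp\dropper.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000001}\URL = "http://example.invalid/?q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\dropper.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dropper.exe N/A',
]

# op, key path, optional "= value", writing process (starts with a drive
# letter, may contain spaces), target column.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = (?P<value>.*?))?'
    r' (?P<process>[A-Za-z]:\\.*?) (?P<target>\S+)$'
)

# Illustrative watch-list, an assumption of this example rather than a
# signature from the report: value names under the Internet Explorer key
# whose modification redirects navigation or search.
HIJACK_VALUES = {
    r'Main\Start Page',
    r'Main\Default_Page_URL',
    r'Main\Search Page',
    r'SearchScopes\DefaultScope',
}
IE_KEY = '\\Internet Explorer\\'


def parse_row(line):
    """Split one table row into operation, key path, value, writing process
    and target; raise rather than silently mis-attribute a write."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f'unparsed row: {line!r}')
    row = m.groupdict()
    i = row['path'].find(IE_KEY)
    # path relative to the Internet Explorer key, e.g. 'Main\Start Page'
    row['rel'] = row['path'][i + len(IE_KEY):] if i >= 0 else row['path']
    return row


def verdict(row):
    """'hijack'  : a navigation/search value is being set (any writer);
       'external': a process other than the browser touches IE's own hive;
       'noise'   : the browser initialising its own settings (this report)."""
    rel = row['rel']
    if row['op'] != 'Key created' and (
            rel in HIJACK_VALUES or rel.startswith('SearchScopes\\{')):
        return 'hijack'
    if not row['process'].lower().endswith('\\iexplore.exe'):
        return 'external'
    return 'noise'


def triage(lines):
    """Count verdicts and return the rows that are not noise."""
    counts = {'noise': 0, 'hijack': 0, 'external': 0}
    flagged = []
    for line in lines:
        row = parse_row(line)
        v = verdict(row)
        counts[v] += 1
        if v != 'noise':
            flagged.append((v, row['rel'], row['process']))
    return counts, flagged


if __name__ == '__main__':
    counts, flagged = triage(ROWS)
    print(counts)
    for item in flagged:
        print(*item)
```

Run against the full table in this section the script reports every row as noise, because every write is made by iexplore.exe to a value outside the watch-list; the two hijack and one external verdicts only come from the constructed dropper.exe rows.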

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\YOWA.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab83C1.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar84A1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 429c8536add2d80a37f4e7370408e24f
SHA1 b818277f70af2f6072e2bb7047b6bddf8ea22d95
SHA256 fe7d90b0594ddbbec6e2f6427b109f820adfbf33d1d6a11ba519f98746650ae7
SHA512 4456219c5913f95dd420e93dac0e9934d46b44eb38a74e85b71a362f20b1a3c82a2a7937cd0bd4a9ef6b76475f22f54232b41e48989f82e11deff6531ec678cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e9348e5a5b1326b13c76954f64fb134
SHA1 5326b80e48fb3fc4eb77e780d8d281734f351152
SHA256 4cacae9ae346b5aeb6eedfa3d6c47f886d4627423468e1746640b1005facaf22
SHA512 edf59bb14fc5b1a868ba89f7637b3713399da6f3953a33b5cb60e8e7126c5187feacf6591bb131af821295ff8740865e9dcd6509caadda1b7e6db6a89e6795e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d16233f8a741394bcee702d76bac8f0
SHA1 1020274a21038d2d1d06be8a604247f7a5d74ec2
SHA256 b39f782714083763c3ce67459c8600ed9442fe001ea1ce4effc453199075a1d1
SHA512 d2bb41bec4e9ac60edd0fc067e046414d37f5f1b8369717b74ed5989775fea8d10e53e07d7dc4a3c3e7014b0086d420207103e861fcf11874513a951e95b1d19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26f6707ec5f2a836bae43d45f07becab
SHA1 3568171f98a38b14d8c85bd7649365e38e478bc0
SHA256 c751b5bee1d3186f6960431e05d39fa0d3bcf9a8a474d4d1109229a2775e5136
SHA512 ed6e6f421d318e7604134ce458b78b88e692bb2d3ff20d7dcb21ea5f7ab953b3f3ba61f58730798e2c2b18e8008593adbc6ff38181599849019cf63d3edaef34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4588f4ea452044749087726a6d151c1
SHA1 5b00218b7f57edc3276eb01a48e08bb86e3c8783
SHA256 0e03f18f6ce5228ffbc52084c9324ad0df54395b45a4d7619bf174b421f5ccf8
SHA512 78fd70ed34d141338475164c021fa19efe10a3a6b58877d7a8d39ff57c0635d9f5cd1f905a1e51b54f8e7218fc7eb481a13ece95ee65f198fc4c4a3aad5b0381

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6facee4e90671357e02ff9f3adb74d6
SHA1 ab40bc9a6c8d9ba76844dfd7b35cf8c15a09ad2c
SHA256 f6f2e04e3ec8df2b04935241a33932d05a6be7dde6f29354897af0577337c465
SHA512 dcf8478c88d768294d6a2034510f66c360c3a81f1201ac33676aaad744c0b07cbb2e5aabfd89d8e2d42d6b76d9d7733d3c1d92bab198f31b2baf760f170dbc70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83fb762abb1968a928a646d9b658283d
SHA1 9370631da3d0b118ebdcaf80a1c8b2600d549263
SHA256 95b16f9eb9c544e29f84ca1a3ac37fd40780f1a935fc1ea472a3d5f754cc5a6f
SHA512 e8d001a499e5ae19c9c444054e21d9a783cbe4dfec400e8a35686e84c4e7661a4454ae1443b4607e88f099613b5572d8568fe7bd2c5d1635eea5f55f31e510a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e28056ea9a23a023880bbb21ec39cf5b
SHA1 118ba260c454ef958eb117330dbc7c248f482fa7
SHA256 0f675ccb1c0c5c58b96fa421b15f7dde1bed8a9f49b7b2e9d7e42a052379874e
SHA512 0426bcbf16ac80c1d87a25b268197d9e2737dcef97d046e6559e62d01bc2e8b8c9dbf62e6cd5c44175db962b42f27ea2fb49f9c320fc9d11c01e72ef185cd6d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aade08945e1b4996d05dbdcef35b4e73
SHA1 d2b6cc1ad3a80d2b3fc7ee3d4445fd03bf10c81f
SHA256 8148b432d8e4188c843c22c154618181602223fcb198806ecca05852ba584b26
SHA512 1750259d3af4c396775b5b39b26195b79def80c9fbdc429ef483298ffcabe294c42facbbfdf3311e979a36dc856fb1f96bf40357f24e14c597db0ff33546569e

Analysis: behavioral10

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win7-20230831-en

Max time kernel

119s

Max time network

136s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269136" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1874761-4DA2-11EE-91B0-7200988DF339} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000005af7a6572104690a0f10547c9d7772f8119451c0155091e2e18bf4ca30920611000000000e8000000002000020000000542eef2d2e37749c8dab69ff59cd02caa557512f070065c159e63845e827a1cc20000000fc77e2a58038661e54e199d82e360971b8696f3bc97cd95170b1dbc5da730537400000003b8994aca19f90f26d9446b6d2c50a9886203bfae0a00cda8686cfbdc908653aa82f5401bfe85ce9272e5ee7f8c2d5f598c4f3b47f057ff6cdb5d300e47393bf C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d665bbafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2612 wrote to memory of 2640 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2612 wrote to memory of 2640 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2612 wrote to memory of 2640 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2612 wrote to memory of 2640 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
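The twelve rows above collapse to three edges, 2332 MSOXMLED.EXE -> 2612 iexplore.exe -> 2640 IEXPLORE.EXE -> 1080 IEXPLORE.EXE, and the SCODEF:2640 in the last command line of the Processes list below is consistent with 2640 being the frame process that spawns and writes into the tab process. A parent writing into a child it has just created is ordinary process start-up; what would merit attention is a write into a process the detonation did not spawn. The script below is an added example, not part of the report: it parses rows in this format, collapses the repeats, rebuilds the lineage of any PID and flags writes whose target is outside the set of PIDs the detonation spawned. The spawned set is taken from the table; the final row, 2612 writing into a PID 1456 explorer.exe, is constructed to show the positive case.

```python
import re
from collections import Counter, defaultdict

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>";
# both images start with a drive letter and may contain spaces.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ '
    r'(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$'
)

# One copy of each distinct row from the "Suspicious use of
# WriteProcessMemory" table; the report repeats each of them four times,
# which is reproduced below so the collapsing is visible.
REPORT_ROWS = [
    r'PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe',
    r'PID 2612 wrote to memory of 2640 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE',
    r'PID 2640 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE',
]
# Constructed row, NOT in the report: the x86 frame process writing into a
# PID the detonation never spawned (an already-running explorer.exe).
INJECTION_ROW = r'PID 2612 wrote to memory of 1456 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\explorer.exe'

WRITES = [row for row in REPORT_ROWS for _ in range(4)] + [INJECTION_ROW]

# PIDs of the four processes the detonation itself started, as they appear
# in the table (2332 is MSOXMLED.EXE, the process that opened the sample).
SPAWNED = {2332, 2612, 2640, 1080}


def parse_writes(lines):
    """Collapse repeated rows into (src_pid, dst_pid) -> count and keep the
    image path seen for every PID."""
    counts, images = Counter(), {}
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError(f'unparsed row: {line!r}')
        src, dst = int(m['src']), int(m['dst'])
        counts[(src, dst)] += 1
        images[src], images[dst] = m['src_img'], m['dst_img']
    return counts, images


def lineage(counts, pid):
    """Follow writer -> written-to edges back to the root. Stops if a PID
    has more than one writer (ambiguous) or the edges loop."""
    writers = defaultdict(set)
    for src, dst in counts:
        writers[dst].add(src)
    chain, seen = [pid], {pid}
    while len(writers[chain[0]]) == 1:
        parent = next(iter(writers[chain[0]]))
        if parent in seen:
            break
        seen.add(parent)
        chain.insert(0, parent)
    return chain


def suspicious_writes(counts, spawned):
    """A parent writing into a child it has just created is ordinary
    start-up; a write into a PID the detonation did not spawn is the
    pattern worth a second look."""
    return sorted((src, dst) for src, dst in counts if dst not in spawned)


def render_tree(counts, images, root, depth=0):
    """Indented lineage starting at root, one PID per line."""
    lines = [f"{'    ' * depth}{root}  {images[root]}"]
    for src, dst in sorted(counts):
        if src == root:
            lines += render_tree(counts, images, dst, depth + 1)
    return lines


if __name__ == '__main__':
    counts, images = parse_writes(WRITES)
    roots = sorted({src for src, _ in counts} - {dst for _, dst in counts})
    for root in roots:
        print('\n'.join(render_tree(counts, images, root)))
    for src, dst in suspicious_writes(counts, SPAWNED):
        print(f'review: {src} ({images[src]}) wrote into {dst} ({images[dst]})')
```

With only the report's own rows the suspicious list is empty: every target is a child that the writer had just started, which is why the "Suspicious use of WriteProcessMemory" hit here is not by itself evidence of injection.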

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab29D1.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar2A03.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 562d1e93eb03526d877540a26c8fa644
SHA1 d6415d20c1e7f0da2bd434f8b9b3088220318520
SHA256 3397442157f1dc3645a183b38fc57c8794933334d394d75b7fdb4d404d11b5fb
SHA512 f2dedc8b9e6bc59f4620751e4cc660c28b5b87b13e6239ebd384fd31e15525a1921b40df45746f076f9e812936b8c9dfe651d3c0706e0e99a4479afff674dc49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0375a2908d487f6ee1e79b20847c7d3f
SHA1 ce3122ebf5b0c4150ae3a4fe9eadc94f3d81da56
SHA256 bcb3fc2fb63a420b42bd4f9dbe23fd64b28e866efb553735018e7d68f41e1199
SHA512 b49a2c9d6b9b98310625ddebb85052f81ef82b895b53c1b8f68d37ff8fd78e4d50828f499ecdbd2351ca9c0c8f178beb414a0b3acbb35aeac2e42d2182b26d28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3d275b152585f0cf75aadea704a8122
SHA1 7d1ad58280a0a7bd9496e08107fd1a88aca59335
SHA256 7e061e09dce98d2a00fb1362fa5ad2550cc8eac53d6ea4faf2e2895198f0ef3c
SHA512 62b393347ec0157d8214e711630c177e5a1d32dc8c95a3605aa5701efaad9e8e76a88ffff33f435cc93ce97da133f480e87d07b77a98b4809b37dc583fbac666

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e28710501e8579d17e434f6ff242b914
SHA1 02b850f2576f18a50976e08f62016bbb315b8e9b
SHA256 292d648ae47f4397a9f2f0182c81ebf78aad9c679c79b0fb952306c08f6eb8aa
SHA512 96862e6b054d58282dc96ea66bd1a6f8f5b771ee0dfc46b430e24941ac1b5624de0aacafd184c9ec10383b67501cd0963f04acfe237306423082f4e2cee065af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58bd993345c34a64011ed89965706b48
SHA1 ef3be6ea7411bea4ff4ca9b8bfe1136fdb268327
SHA256 b829b38c17ac44387bc4c40483ddb14ec60746ab84e37b4de2fee817bd8e1f57
SHA512 d5f00bee90a512a2a19ee84696dfeed63f0a729bb943524eda1380484cfca86998041b15d88b12b18c0003a4252275fe94d97ef5ab2d83e5732ef27da412e83d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13edffd9077692f0a2326c1010f5557e
SHA1 82aa41f5189733bd378891ddba2434e22bfc2568
SHA256 0860156b0a36440e7a0c7ddbba10cf74baf2e99a3f9d755b51ada6285c9f8c1f
SHA512 c7f0438ab86a793e77fea012ccff2794eb9f5f24d2b240c1f0023b76848d5b63aa5a72a7884562d00362611080bc97c1f7833fc30b1d55ffa221fc9d9f63e6fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caba46187c644e68ff929a024275b154
SHA1 d5aba206755d216954115eea2d02f485bbc1714a
SHA256 13bd1e9777b48006694d2a8ea4ae462141dbf55811adc37ef4d7d852a7f5c614
SHA512 8a301141d288fd2b0664564848918e42bde48ddb1ccb69ae19f0d0ae2ac63b9e4c886901a93c7d8e59b2bf12aa8256192ab2998b6e138b6e29bfec09e71673da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caba46187c644e68ff929a024275b154
SHA1 d5aba206755d216954115eea2d02f485bbc1714a
SHA256 13bd1e9777b48006694d2a8ea4ae462141dbf55811adc37ef4d7d852a7f5c614
SHA512 8a301141d288fd2b0664564848918e42bde48ddb1ccb69ae19f0d0ae2ac63b9e4c886901a93c7d8e59b2bf12aa8256192ab2998b6e138b6e29bfec09e71673da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b70a0828b080e4d3fa6c347b6814b944
SHA1 e5f552e73046e2803dc99b7a28ca0f5518c668f5
SHA256 b299ad75f5eef9e71125a2106ee0b6ecc38dcde78d9b38cb7bf945ab1ee07074
SHA512 faa430a3fbd074682be1dae7b807c6484ac593918db8ba24f4c226383403d27e54db05c19746b8b727e83906be1bcd70115195da119b4645d90e2f710e3611f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8fc9dac9d52891c18f9f782ad2f3343
SHA1 d044bfa8f93863f13b1e4ab178a2a32c060c9401
SHA256 f6c765e5f1083b43b2f4a36a716f48518ffd9c8ce5b60ed117db4f6248c42585
SHA512 01581bef4d2d611ee00c669500dadb3f0f05aace40afc38dc32e0f332a5e8c06bf224f15dbd1b3e53dcf3dcc5c28bffae63d3a3c68c5e3c9c02f6b80febcc725

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 169603e01ab3083449a7f6b87f00712c
SHA1 7143e3cdb56498a0a4a9586d91d23682aa972cc2
SHA256 f6746f095e39e701b61052a593f7463fface2a9707e33ad5eb3356b54ce5b15b
SHA512 2e09af83b0e8e319706ba6f3e67f06a6a61b7330ee1234a8da906e9bf9bc89343a773b44cb6226b66eb1c568a8c52736dfce744b61adb67e116af998b2bbbd3e
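Across behavioral2 and behavioral10 the Files sections list the same content under different temporary names (Cab83C1.tmp and Cab29D1.tmp share one SHA256, as do Tar84A1.tmp and Tar2A03.tmp) and the same CryptnetUrlCache MetaData path with several different hashes. Both patterns point at Windows populating its certificate and CRL fetch cache while the browser runs, not at anything the sample wrote. The script below is an added example, not part of the report: it parses entries in this format, rejects digests of the wrong length, and reports content shared across detonations and paths rewritten with different content. The embedded input copies the path, MD5 and SHA256 lines of four entries from each of those two sections (SHA1 and SHA512 lines and blank lines dropped for brevity); the noise-path pattern is a heuristic of this example.

```python
import re
from collections import defaultdict

HEX_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
DIGEST_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) (\S+)$')
# Heuristic of this example: the CryptoAPI URL cache and the Cab/Tar .tmp
# pair it extracts are Windows writing its certificate/CRL cache, not the
# sample writing files.
NOISE_RE = re.compile(r'\\CryptnetUrlCache\\|\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$', re.I)

# Sample input copied from the Files sections of behavioral2 and
# behavioral10 (path, MD5 and SHA256 lines only; blank lines removed).
REPORT = {
    'behavioral2': r"""
C:\Users\Admin\AppData\Local\Temp\Cab83C1.tmp
MD5 f3441b8572aae8801c04f3060b550443
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
C:\Users\Admin\AppData\Local\Temp\Tar84A1.tmp
MD5 9441737383d21192400eca82fda910ec
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 429c8536add2d80a37f4e7370408e24f
SHA256 fe7d90b0594ddbbec6e2f6427b109f820adfbf33d1d6a11ba519f98746650ae7
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 8e9348e5a5b1326b13c76954f64fb134
SHA256 4cacae9ae346b5aeb6eedfa3d6c47f886d4627423468e1746640b1005facaf22
""",
    'behavioral10': r"""
C:\Users\Admin\AppData\Local\Temp\Cab29D1.tmp
MD5 f3441b8572aae8801c04f3060b550443
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
C:\Users\Admin\AppData\Local\Temp\Tar2A03.tmp
MD5 9441737383d21192400eca82fda910ec
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 caba46187c644e68ff929a024275b154
SHA256 13bd1e9777b48006694d2a8ea4ae462141dbf55811adc37ef4d7d852a7f5c614
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 b70a0828b080e4d3fa6c347b6814b944
SHA256 b299ad75f5eef9e71125a2106ee0b6ecc38dcde78d9b38cb7bf945ab1ee07074
""",
}


def digest_ok(algo, digest):
    """True when digest is lowercase hex of the length algo requires."""
    return (algo in HEX_LEN and len(digest) == HEX_LEN[algo]
            and re.fullmatch(r'[0-9a-f]+', digest) is not None)


def parse_files(text):
    """Turn a Files listing into [(path, {algo: digest})]. A line is either a
    digest line or the start of a new record (a path or a memory dump name,
    the latter carrying no digests)."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m is None:
            current = (line, {})
            records.append(current)
            continue
        algo, digest = m.groups()
        if current is None or not digest_ok(algo, digest):
            raise ValueError(f'bad {algo} line: {line}')
        current[1][algo] = digest
    return records


def triage(report):
    """Per SHA256: where it was seen; per (detonation, path): how many
    distinct contents were written there; plus the noise-pattern count."""
    by_content, by_path = defaultdict(set), defaultdict(set)
    total = noise = 0
    for det, text in report.items():
        for path, digests in parse_files(text):
            if 'SHA256' not in digests:      # memory dumps carry no digests
                continue
            total += 1
            noise += bool(NOISE_RE.search(path))
            by_content[digests['SHA256']].add((det, path))
            by_path[(det, path)].add(digests['SHA256'])
    shared = {sha: sorted(seen) for sha, seen in by_content.items()
              if len({det for det, _ in seen}) > 1}
    rewritten = {key: len(shas) for key, shas in by_path.items() if len(shas) > 1}
    return {'total': total, 'noise': noise,
            'shared_across_detonations': shared, 'rewritten_paths': rewritten}


if __name__ == '__main__':
    result = triage(REPORT)
    print(f"{result['noise']}/{result['total']} paths match the cache-noise pattern")
    for sha, seen in result['shared_across_detonations'].items():
        print('same content:', sha[:16], seen)
    for (det, path), n in result['rewritten_paths'].items():
        print(f'{det}: {path} written with {n} different contents')
```

For these two detonations every listed path matches the noise pattern, so nothing in the Files sections is attributable to the sample; a file written by the sample would show up as a path the pattern does not match, with content that does not recur under another name in an unrelated run.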

Analysis: behavioral19

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win10v2004-20230831-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 4380 -ip 4380

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4380 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/4380-0-0x00007FF96A3F0000-0x00007FF96A400000-memory.dmp

memory/4380-1-0x00007FF9AA370000-0x00007FF9AA565000-memory.dmp

memory/4380-2-0x00007FF9AA370000-0x00007FF9AA565000-memory.dmp

memory/4380-3-0x00007FF9AA370000-0x00007FF9AA565000-memory.dmp

memory/4380-4-0x00007FF9A7D40000-0x00007FF9A8009000-memory.dmp

memory/4380-5-0x00007FF96A3F0000-0x00007FF96A400000-memory.dmp

memory/4380-6-0x00007FF9AA370000-0x00007FF9AA565000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

130s

Max time network

166s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 4488 -ip 4488

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4488 -s 448

Network

Files

memory/4488-1-0x00007FF9B8730000-0x00007FF9B8925000-memory.dmp

memory/4488-0-0x00007FF9787B0000-0x00007FF9787C0000-memory.dmp

memory/4488-2-0x00007FF9B8730000-0x00007FF9B8925000-memory.dmp

memory/4488-3-0x00007FF9B64B0000-0x00007FF9B6779000-memory.dmp

memory/4488-4-0x00007FF9787B0000-0x00007FF9787C0000-memory.dmp

memory/4488-5-0x00007FF9B8730000-0x00007FF9B8925000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win7-20230831-en

Max time kernel

138s

Max time network

141s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D52D2B61-4DA2-11EE-9BFA-76A8121F2E0E} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000b173eb3124fc25d0f175ada5df1f6d39c50f7efadd21917ba0a10892b467157a000000000e8000000002000020000000d36e7356093ae9cb2eeae69ed9a47bca30f4cd3ddcdb73aa91fcefa5979ac3d29000000079be9fb729ca669c2a30ebf793bed1d1f1485c09027e3c15adcb1d39a795394b6d3ca17e0b3f2ff8e0bf26eb3cf1e31841322b9290644cfbd9e8d4d8d743be1bd8996fdef86f10a193d8cc2d45fdb0d6d3372336db3a57a0f0a42580ada48d3d3b4bce88544c9cc481bd565f94e47920e6e053bf5f12cae8b8964d8c7026a3381b3a135a75aac995dfacfd77f01f84f9400000001af14f50329ab76766b66eec1b75824f2f10113697cf731defe6b0a86864933d191c546635d32d9b8a66023f843b80bc10a72dd8d780bfb3d120eb30ff863cd7 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000002cb9442071c3fb7d9a7fc0ec17d38fc0b869524a634afaa3467a6db406381333000000000e8000000002000020000000378698e7b7b6094c91fa6d1aa43b43d3c5e78e0d76df80a680b044c1ad67dead20000000018b91337f4befdb4fe8f6bbd2367118b488a60cb2eb1b7742a5e5a2e4f793db400000003c5b96607c788600eb857b228a8e4146e66ba3bdd4ef5b60c9ed4b1fa4bd05451ec4161fe5c5cec40c2c04e80d9c771e9fea43c1d10b61f75e0ae0cfc05e4b69 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403406aaafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269093" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2764 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2764 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2764 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2764 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2764 wrote to memory of 2768 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2764 wrote to memory of 2768 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2764 wrote to memory of 2768 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2764 wrote to memory of 2768 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab85B6.tmp

C:\Users\Admin\AppData\Local\Temp\Tar85C9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win10v2004-20230831-en

Max time kernel

138s

Max time network

158s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog-ar.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709b14afafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e8526c57639946b5b20d359be7ca6c0000000002000000000010660000000100002000000075b1fcb9eb2f82c0722f0820871c274568505a98ea6eedc75b464ada5968327a000000000e800000000200002000000070bf573616a4ce15e4ba72cf3c2f1131ea45e8ec94524edec4486b4921059ef020000000e4883460166130f281bed9a7a78e7af3faa28507a43afa6d65775683960f38a4400000006aceb661f30b7bb8cae33db7badc271b73a044ee993ce92e8320480d0fb5654af8c201c3e911c99abb7f2f5fa053e41170d1c0bb71c484bb9a777723aff7a3a4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2841742103" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e8526c57639946b5b20d359be7ca6c0000000002000000000010660000000100002000000071376a596c6ca7c5261c97437f4a4d832f3cf1af7082efa5c32123f43f0824c4000000000e800000000200002000000030f9ceee3d3d51a7d4163a271ddac74f9ef75f024671a0a9e0b4dbf51fbd1c2020000000ebb1b6ca100d584fb5e3be065e188d16ecad2be2a8141c8bc5eccda8a8fdaa7140000000ee4fe521946aa5eb7c8a0c190f343cfb67cd865d9c42c5ef3f0d31d831e2ea3df192f27e5b7ef35999355172e3565027d4d89c84bd53bb222e491595bd749beb C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D417E625-4DA2-11EE-9ACF-C679E4C6F477} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400872206" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2841588122" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05cfaaeafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2917680058" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog-ar.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:17410 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GV6JKGE\suggestions[1].en-US

Analysis: behavioral7

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

132s

Max time network

158s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2894377504" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D7E9139D-4DA2-11EE-AC9E-C64361C7A693} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80adc7b1afe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400872211" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e066c10583e1946ba3d1022da920436000000000200000000001066000000010000200000007d87fa707083517acfcada06af06fcd54a9bb70b324986e7e92daac5dfedbfd5000000000e8000000002000020000000ebc787577602c165941187d32c77a12a48dfc714e60086948644974b77591cea200000000f902209048a3c850b7f76f7fb6a883dbae770758579d69addeb2b24a00f9fd540000000747a56009f5589cc45c2ba65f439c460ac423b956aafec9e1a607f0a9351b235b14f7f22e0ef675e41a088f552bda0ed66b43c1c10b758416b4fa388af276021 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2894377504" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2964689423" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d024abb1afe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e066c10583e1946ba3d1022da92043600000000020000000000106600000001000020000000b3e9e849505579924f7f1301661ee0bc2d91dd5023f4d8e1243421ca6b2ce80c000000000e800000000200002000000006b7e3158329ec77c634ddef5154cc13529062b76bfb6c5a61ea88d8cd87b69420000000687197c572fb5fc704f7eace91cc1dd9dd6e95c42c1d5713625d31137bdc9f2140000000432cb94251121abc2c21dcda67e0391f51c2288b6bdfd36fe00c4a16f9920b0c3df1468dd1f10850589c28215260e0d1f79f97f768a8b4f487c74815a52f95b8 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4680 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0XT81K5W\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral22

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

debian9-armhf-20230831-en

Max time kernel

17s

Max time network

158s

Command Line

[/tmp/l3d4aa6fd_a32.so]

Signatures

N/A

Processes

/tmp/l3d4aa6fd_a32.so

[/tmp/l3d4aa6fd_a32.so]

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win7-20230831-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000a939f51e73546ffdb548f89d2dd729b36c077405eb16cb53f3703114ad544603000000000e80000000020000200000008928e0b6132a25757ddf94b323aea6bd890a3c008a5b265de4d7e66c971bec5420000000c34daa7a1f5289bdc98c00b4b544089b03132d957181866421218c131bd307bc400000008c759adbf856bd57f1be747297169b7fe64888b3155872e4f90fe3b561283967e583fa2c3f4ce170e734beabdc895735629b28309bcff3b47f358fca76364dc5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5733511-4DA2-11EE-855F-5AE3C8A3AD14} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269094" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305239aaafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
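
Every row in the table above is iexplore.exe writing under its own HKCU\Software\Microsoft\Internet Explorer key, and the binary values are decodable: DecayDateQueue starts with the DPAPI CryptProtectData header (version 1, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb), so it is new-tab-page state that IE sealed with the sandbox user's master key; LastProcessed is a FILETIME; Window_Placement is a WINDOWPLACEMENT structure. Decoding them shows the timestamps fall inside the detonation window and nothing in the blobs is attributable to the sample. The following is an added triage script, not part of the report or the sandbox's signature logic; it uses only the Python standard library and the three values transcribed from this behavioral20 table (the same value names in the other IE detonations on this page decode the same way). It cannot decrypt the blob: the plaintext needs the master key identified by master_key_guid, which exists only in the sandbox user's profile.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Registry data transcribed from the behavioral20 "Modifies Internet Explorer
# settings" rows above (DecayDateQueue, LastProcessed, Window_Placement).
DECAY_DATE_QUEUE = bytes.fromhex(
    "01000000" "d08c9ddf0115d1118c7a00c04fc297eb" "01000000"
    "8c66dacf3255794896cbcb5ac20a7140" "00000000" "02000000" "0000"
    "10660000" "00010000" "20000000"
    "a939f51e73546ffdb548f89d2dd729b36c077405eb16cb53f3703114ad544603"
    "00000000" "0e800000" "00020000" "20000000"
    "8928e0b6132a25757ddf94b323aea6bd890a3c008a5b265de4d7e66c971bec54"
    "20000000"
    "c34daa7a1f5289bdc98c00b4b544089b03132d957181866421218c131bd307bc"
    "40000000"
    "8c759adbf856bd57f1be747297169b7fe64888b3155872e4f90fe3b561283967"
    "e583fa2c3f4ce170e734beabdc895735629b28309bcff3b47f358fca76364dc5"
)
LAST_PROCESSED = bytes.fromhex("305239aaafe1d901")
WINDOW_PLACEMENT = bytes.fromhex(
    "2c0000000200000003000000" + "ffffffff" * 4 + "2400000024000000aa04000089020000"
)

# Fixed provider GUID that opens every DPAPI CryptProtectData blob.
DPAPI_PROVIDER = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"
ALG_NAMES = {0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512"}
SHOW_CMD = {1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED"}


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the CryptProtectData blob layout (all little-endian) and return the
    header fields. The ciphertext stays opaque: decrypting it needs the master
    key named by master_key_guid, which only the originating profile holds."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def guid() -> str:
        nonlocal off
        g = str(uuid.UUID(bytes_le=blob[off:off + 16]))
        off += 16
        return g

    def lv() -> bytes:  # DWORD length followed by that many bytes
        nonlocal off
        n = u32()
        v = blob[off:off + n]
        off += n
        return v

    version, provider = u32(), guid()
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI CryptProtectData blob")
    mk_version, mk_guid, flags = u32(), guid(), u32()
    description = lv().decode("utf-16-le").rstrip("\x00")
    crypt_alg, crypt_bits = u32(), u32()
    salt, hmac_key = lv(), lv()
    hash_alg, hash_bits = u32(), u32()
    hmac, ciphertext, signature = lv(), lv(), lv()
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after signature")
    return {
        "provider": provider, "master_key_guid": mk_guid, "flags": flags,
        "description": description,
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)), "crypt_bits": crypt_bits,
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)), "hash_bits": hash_bits,
        "salt_len": len(salt), "hmac_key_len": len(hmac_key), "hmac_len": len(hmac),
        "ciphertext_len": len(ciphertext), "signature_len": len(signature),
    }


def filetime_to_utc(raw: bytes) -> datetime:
    """REG_BINARY FILETIME: 8 bytes little-endian, 100 ns ticks since 1601-01-01."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_window_placement(raw: bytes) -> dict:
    """WINDOWPLACEMENT: length, flags, showCmd, ptMinPosition, ptMaxPosition,
    rcNormalPosition (left, top, right, bottom)."""
    length, flags, show_cmd, *pts = struct.unpack("<IIIiiiiiiii", raw)
    if length != 44:
        raise ValueError(f"unexpected WINDOWPLACEMENT length {length}")
    return {"flags": flags, "show_cmd": SHOW_CMD.get(show_cmd, show_cmd),
            "min_pos": tuple(pts[0:2]), "max_pos": tuple(pts[2:4]),
            "normal_rect": tuple(pts[4:8])}


if __name__ == "__main__":
    for k, v in parse_dpapi_blob(DECAY_DATE_QUEUE).items():
        print(f"DecayDateQueue.{k} = {v}")
    print("LastProcessed    =", filetime_to_utc(LAST_PROCESSED).isoformat())
    print("Window_Placement =", parse_window_placement(WINDOW_PLACEMENT))
```

Run as-is it reports AES-256 / SHA-512 with a 32-byte salt, 32 bytes of ciphertext and a 64-byte signature, a LastProcessed of 2023-09-07 17:20:57 UTC (between the Submitted and Reported times of this detonation), and a maximized IE window. The master-key GUID is the only piece worth keeping: the same GUID in a second blob means it was sealed by the same user profile, so a blob with a different GUID in the same hive would be the thing to look at.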

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 2988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1548 wrote to memory of 2988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1548 wrote to memory of 2988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1548 wrote to memory of 2988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2988 wrote to memory of 2540 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 2540 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 2540 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 2540 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2540 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2540 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2540 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2540 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
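
The "Suspicious use of WriteProcessMemory" rows above form a straight chain: MSOXMLED.EXE (1548) writes into the x86 iexplore.exe it starts with -nohome (2988), that writes into the 64-bit IEXPLORE.EXE frame process (2540), and the frame writes into the x86 tab process (2732) whose command line carries SCODEF:2540, the PID of its frame. A parent writing into the child it just created is what this signature keys on, and for IE the SCODEF value gives a check that ties each write to the expected parent. The script below is an added example, not the sandbox's logic: it classifies each row against that expectation. The PID-to-command-line pairing is an assumption taken from the image paths in the WriteProcessMemory rows and the order of the Processes list, since the report prints PIDs only in the former, and the check compares image paths only; it does not verify file signatures or what was actually written.

```python
import re
from collections import Counter

# Edges transcribed from the "Suspicious use of WriteProcessMemory" table of
# behavioral20 above (each pair is listed there four times, once per write).
WPM_ROWS = [(1548, 2988)] * 4 + [(2988, 2540)] * 4 + [(2540, 2732)] * 4

# Command lines from the Processes list above. Pairing them with PIDs is an
# assumption based on the image paths in the WriteProcessMemory rows.
PROCESSES = {
    1548: r'"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"',
    2988: r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome',
    2540: r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome',
    2732: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2',
}

IE_IMAGES = {r"c:\program files\internet explorer\iexplore.exe",
             r"c:\program files (x86)\internet explorer\iexplore.exe"}
MSOXMLED = r"c:\program files (x86)\common files\microsoft shared\office14\msoxmled.exe"


def image_of(cmdline: str) -> str:
    """First quoted token, lower-cased (Windows paths are case-insensitive,
    which is why the report's iexplore.exe / IEXPLORE.EXE spellings collapse)."""
    m = re.match(r'"([^"]+)"', cmdline)
    return m.group(1).lower() if m else cmdline.split()[0].lower()


def classify_write(writer: int, target: int, procs: dict) -> str:
    """Label one 'PID writer wrote to memory of target' row."""
    w_img, t_img = image_of(procs[writer]), image_of(procs[target])
    t_cmd = procs[target]
    scodef = re.search(r"\bSCODEF:(\d+)\b", t_cmd)
    if w_img in IE_IMAGES and t_img in IE_IMAGES:
        if scodef:
            # A tab process names its frame process in SCODEF. The writer must
            # be that frame process; any other IE instance writing into a tab
            # is not part of the normal launch sequence.
            return "ie-frame-to-tab" if int(scodef.group(1)) == writer else "unexplained"
        if "-nohome" in t_cmd.split():
            # One iexplore.exe starting another with -nohome: in this report
            # the x86 stub starting the 64-bit frame the tab later points at.
            return "ie-frame-handoff"
    if w_img == MSOXMLED and t_img in IE_IMAGES:
        return "office-xml-open-in-ie"  # MSOXMLED /verb open handing the .xml to IE
    return "unexplained"


def triage(rows, procs) -> Counter:
    """Count rows per label; anything under 'unexplained' deserves a look."""
    return Counter(classify_write(w, t, procs) for w, t in rows)


if __name__ == "__main__":
    for label, n in triage(WPM_ROWS, PROCESSES).items():
        print(f"{n:2d}  {label}")
```

All twelve rows in this detonation land in one of the three expected buckets and none is unexplained. Swapping the writer of the last edge to 2988 (the x86 stub rather than the frame the tab names in SCODEF) is the kind of mismatch that would flag the same table as worth reading closely.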

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7FCD.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar801E.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9fbeb150bfeff89435f0192475c42bfa
SHA1 fb702c7cc997660880a318bbe57fce0849722c54
SHA256 31896556472422400eb45195669f5b889435075cff00dc134a11ae2c415c5941
SHA512 eee17c5878521134b38144fba12d1626f97c97b000d476f8f155e9e70b3324247c964a236353321913fbd5201e2cecc3b6a7e17d7f2901ead2f3380e959d94b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7115bc4eab6f2ba2b243538f4c7611e2
SHA1 d2e0824e4827484540ec13c72a23b04fa8315e99
SHA256 df43334cb4f87b628f831fc055672f9d1783b5d10463b1b6e0abcdc6fee3dc10
SHA512 356999b9b83befdd7b2176ce709a158fec39c53072a3b1565fa7f742fcc40f5f9b8df83d1c9c4a09d81931a9d55fd6b056d01def646f6c7dfa6966512de08178

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45c5b6f4c9723d7400481f7754ad51b8
SHA1 82184d2c23e6e0e29d631cc0c7cfe915f2740128
SHA256 d9f00adcc855ea540f413a755a6356b71eb7a7ae5f51b961e9a62ed682476df0
SHA512 91a7c2a53ab1830070ba505569a79e2852a62b9621bf4daa5d6d8d958c9d87e70459e3a2475aecd9c68ff31deaa18ef5098116a06c5a96bc5c98d0c6633767f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59d25c0d31bf025bead4a5e577588f6c
SHA1 3b318bda33bcfcf3514dd5b72b9a3682f9493654
SHA256 1cafd1188e04039ae03d3ec24198a5b0ce8cd7c93995286344200cc14b76570e
SHA512 9ce8e6dfbb237230a1463f9b8581f77319f6d0840fa6ee27dbbd4cb5a2250693af89646ecfa4024e8285f424da32d5b60843e4e20a1c80377b2604e25bb20840

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10ee89692354a8f1253d8aa309db401d
SHA1 55a75ccb17759efd2542cc3e475e1a6bc863ec19
SHA256 20d9d74ea2964c6c5f55ca294266ddfebfb17700e90e2f8a988000fb4e7280c7
SHA512 10c2b1c30b04c91a9aaf6c2d0f0899bfa74a9ca6472329f487def6bdd0cbeff0f7d3bc36c83c8128fbf176bd5403dc6ccbee003d2fbeff8e3209b4c59b6943e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ba68217b7ff7fae296ebfd5e073bbd8
SHA1 be3fa91108a6105425db2815d204bf396e2c5b7b
SHA256 d144b186dc8aa57dd3d49bd04533adf8d580b8b60018303ae4ae637ff27f0185
SHA512 a24cbc818efae1adb6c3a73a56d37165415f0b9b3729aca4e602b562c5a52f82dc58c0bff983e77bfd6c4ae83f00ca1bef2bb75c4e1c89a540312e721089244b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a42b8da375850eecf28a724c4b50c7d
SHA1 381a93c68c61159b7ab4426d595aa799a4ea9dba
SHA256 8c7a3ed44200703b277d4e65849a08fa6d0ae000ed783ec8ed9af08c24413889
SHA512 9e47a86c22d6ab39e62b275a982970f7719d27520c25a8b716ded4fd57d5feec3a3fa64af5c520df7248764bfd95b15db9afe8f97255a9841796956c4075e484

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcb2b2a223adb922644a25f28f184e5c
SHA1 f618de9279543f25561bbf8d8d415cc8b2f0b087
SHA256 75e55909786527e0cef2860c92988c850f8c4fdfbadcbf59e5a8ba2b4bafecc5
SHA512 bc67dd1c5a64decfe67b849bc9d92065ed42b9629e9ddbd21c47dc0f27a254a768a5ff579f4e0b966c63ea64e8502bab63f02c4eea18e28ba5cd47a8332832fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cc0c4be463bcc604144dd272d45353a
SHA1 0acac9ccc5365615aec6a7c184189c8509d1b95b
SHA256 4d49671964b5719a2698f554e448404fe08f1a315dde7d971318f82786480cda
SHA512 6fd30d3e698ffff5cd6b62b13376d3991e3201ba1d57f33049690773e61659a828865b7c163bbe2917ba73b6fac15981bf66a90617dd529595c796d2c31026e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15acb4514c332dbb89e187865276fb07
SHA1 b4d2ee3fd503a4533fdd1655a297df7791ad4cc4
SHA256 5bbaacb6232ab84cb5831f71b92f7a95be9e1d90e5f09b966cc8d88687c9f6ad
SHA512 0431e61ab4c69943748879d344b087ae590f9ec7f8342b3eb1f9fc689095835c007ecdc1ae898be9e889898a457d72cb2a92e69c1089550cb41e7e0f0cdce02d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a35b8685fdbbba250ad502328ac65764
SHA1 e43a58a7ef8aab10be2811054633c38e9394885b
SHA256 c21b3b5f9bda4ddbd10985d470bb0470e9e2a0796d89d300f82e0b5403d00cf4
SHA512 5bdebcd6ad8454832dbb953737b4088a2210cc98fceb6b3d04acce9df9f90f006ffe9a665144aebfc1bafccfa91b04db8c985c63c359bd3d2532885ee0fb28dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d738bbd03c10d94393d08c2c3a1375a4
SHA1 6a2c8d6f7597b85caf8d6bc2e96630182ba91b67
SHA256 1014c97df1685263be65cfa18b109436e49d14ac5f14519da0391f6f45353b3f
SHA512 513c521637f7b93fe1197842d683cbe9f83b71ce96d80c8c0269a9fca6af5e8903f181a6178353d109b78fa7dc057e9aca0766fc311c66516a2f8dd60dab1d97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d9566aeb8dd92dfe87f752dec60ec05
SHA1 c36e04e65f36e1e6419b90aab46893b2bc6f2c02
SHA256 85e6e1fa5539c302db44fa6bdbec73b1b29cc29770dbdc696bf0188ec8431448
SHA512 3fdd1a99ea47c9b9701ba7f25a79426ba0b48cf2634deba76ed823fb80eb56e03e5bbd0789c67cda94e4f7d962c2eba5d5a49c5527e2a91f7987a91414f4c35d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7608e8b96a5bbbdbe9a3afb77b11742
SHA1 2af83cfc5a9cb2170789f33e3ee444388575ba24
SHA256 d73636eaafbbfcce67b48960683a3364e5f0e5c9b4cd09d47f7c4c5dcec996ce
SHA512 d7c0d4c405957b245e4f1860312358d766e341910fd4e4a110894d1c0b210802e0c6251d33a45237dc86385b76f85d7e14ee14895629ccc4a82542ace3e1a342

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb9b164c8414ae86d7010f9020d6c471
SHA1 9740c0d2ac6581e7ba390d283ce772f8bcc553f4
SHA256 aa0fb353fb027ae98f45e10af66f3f50a74b2797c42506ff1b07df7d319fb516
SHA512 b51e98961b3f2d379af29b849bcec9fc1218c9866281f624e9447105fa945f01fa1051c33c8a2aa96c096023dd898a4b4f1c47adc25d753da81812fd9cf078ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2c91504f9ba880d1ecd82dd75edd5d2
SHA1 b7349effd2fbc15f6bddb506e9657e8efe499193
SHA256 cba1038b22305449bc830763958746760b67891e5c6bfc02d9fca346247210b6
SHA512 c8f2378424a38ea4053831bed2633acf7d5868dc7b9be0672ae5e0fab3792bd9e76001137fa6f5d2b8cb49680d1228384380dbd6b9f789ac70162ecf9ca092de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3001401adefc1d204e0c73f080b37065
SHA1 d655431ed0d6461835d4e5cb1e0ebb616edfd41d
SHA256 3fb9e0e91aadce3c04ec7f72771a81b9dea03f86980f727cde98009fbab3ef75
SHA512 967dd49eb33a971616b5ec639671c9b0a4f65b1af674a57fe408b68ac3b2621114b99bd1b26a411edda934d6de4f8f046bca31d49b6a3e4680840d1fd69e75f6

Analysis: behavioral23

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:20

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

4s

Command Line

[/tmp/l3d4aa6fd_a64.so]

Signatures

N/A

Processes

/tmp/l3d4aa6fd_a64.so

[/tmp/l3d4aa6fd_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:20

Platform

debian9-mipsbe-20230831-en

Max time kernel

9s

Command Line

[/tmp/l3d4aa6fd_a64.so]

Signatures

N/A

Processes

/tmp/l3d4aa6fd_a64.so

[/tmp/l3d4aa6fd_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:20

Platform

debian9-armhf-en-20211208

Max time kernel

1s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win7-20230831-en

Max time kernel

120s

Max time network

142s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\credits.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D4710751-4DA2-11EE-A96A-6AEC76ABF58F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269094" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004f050b7ab414e1b1f6cf5dfce4cbe923191ac3a5584baf17c6c3ad9d4ea35778000000000e8000000002000020000000e7c917880a45834f57690ff350849292e3521ce3b814c8f501fc7c5e557a3ec720000000ad00c2a6e3a7e80c4b02f2e28bc10ce4908740fa5bf509f25183a213686dadb3400000004da60e3ea03cb80b2947c29eb27dae564f5243f1b704c4f934dd49065852a2d671a94d05bb7da07e7eb0754f38a6775eb0d2908994c698514cc956b2045b0e2f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04de3aaafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\credits.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8ECA.tmp


C:\Users\Admin\AppData\Local\Temp\Tar8F89.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral17

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

157s

Max time network

171s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_60_percent_black.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 2004 -ip 2004

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2004 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/2004-0-0x00007FFBB4B90000-0x00007FFBB4BA0000-memory.dmp

memory/2004-1-0x00007FFBF4B10000-0x00007FFBF4D05000-memory.dmp

memory/2004-2-0x00007FFBF4B10000-0x00007FFBF4D05000-memory.dmp

memory/2004-3-0x00007FFBF2730000-0x00007FFBF29F9000-memory.dmp

memory/2004-4-0x00007FFBB4B90000-0x00007FFBB4BA0000-memory.dmp

memory/2004-5-0x00007FFBF4B10000-0x00007FFBF4D05000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

156s

Max time network

171s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 3688 -ip 3688

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3688 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

memory/3688-1-0x00007FFA6EAB0000-0x00007FFA6ECA5000-memory.dmp

memory/3688-0-0x00007FFA2EB30000-0x00007FFA2EB40000-memory.dmp

memory/3688-2-0x00007FFA6EAB0000-0x00007FFA6ECA5000-memory.dmp

memory/3688-3-0x00007FFA6C3E0000-0x00007FFA6C6A9000-memory.dmp

memory/3688-4-0x00007FFA2EB30000-0x00007FFA2EB40000-memory.dmp

memory/3688-5-0x00007FFA6EAB0000-0x00007FFA6ECA5000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

137s

Max time network

158s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\credits.html

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4CB14072-2AB7-4CAE-80FB-29609741A506}.catalogItem C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2873077313" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604b89aeafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2913234328" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a89eaeafe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D5EC7D09-4DA2-11EE-B787-5AE5A01132AA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2873077313" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d9128a71e390704e80d7e8307666c83b000000000200000000001066000000010000200000004529582234d5e0656ac28cd289400d69f2aebf179fe18844c24b173f0328e35e000000000e800000000200002000000014b1e00d5b76368c71bb2fd89180777d98f8ec174aed964c98306ad4507383132000000060cc7622d4f2592a69ae24bb40c5d2e9557e400713652fd28a6b119ecd6bae5340000000bde58e2798834a31ff02611768659beb064003a4ceb9706a026a09509fc8407d10e252b9aa3f9a76394b336b47b0758d65ccb5a669ae419cfeec2148731606fd C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d9128a71e390704e80d7e8307666c83b0000000002000000000010660000000100002000000050c6c646fb73295e51e788113f661c13cb2625d2e22d6457265f8d333e403a86000000000e800000000200002000000040e229d4ede55d98458c811110d212ce940c6a6dc58ef83f0c10120e921db3272000000059594094df05a212bfc9356f791d2c617218c3cf086179d5d3d835b8a56cd1bf4000000020b7c6f5abd36c41d1c852bf8323a46255720b630735a54583fde8603093df85c6b3fa09ea8cc2339b24e2008b4d0f725e2bfab42ff59057e35609724bcd8fe3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400872206" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\credits.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:17410 /prefetch:2

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A3TJHFB2\suggestions[1].en-US

Analysis: behavioral18

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win7-20230831-en

Max time kernel

153s

Max time network

163s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1B6E2E1-4DA2-11EE-815F-FA088ABC2EB2} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269114" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b272bcafe1d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000204b39b6793d2ca958b1fb8c6367030bace2c40a705abc9c091d53e12051d908000000000e80000000020000200000001e29359522efe958795cfb295db80a54e2076e9ca158c26c90301c1e79b4b7dd200000007f83e97f483fc02f13c6e7e20515cc878c5972199b70177a0df385694924da1c40000000f5298caecd2649e0df987f2e829c7a9f1811d682ed1a27285f41af2d5168a62cb1601a09e2d18dfe2816f4d0f722bcb2cfeff030f25a66590407656c2e92e377 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2836 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2836 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2836 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2836 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2836 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_black.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab287A.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar28CB.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c72eb02542c5576f1028dad56297a42
SHA1 02c93c75cc8686c515083062713fb2771a9bfac6
SHA256 03958d3e164fa0851213ab3ed3d7f95fa01f9ef713f56ae19107c1714b0f72e1
SHA512 6ef0c435c37aead059542ddef2a19655b40735f96b298ae19290e17709bd63b0d0b4fadaec1f59131055ad453cf5c56cb94cb8f176e0a400cd0780099dc05460

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 708630aa66a01a9d6b4aadc7077b2dcb
SHA1 c9baa95ceb74c3b88f9f3c50d4bb2c40cb42dd56
SHA256 96539edf8225d119e92bc929ce020a58bdbdfc96277c66eeaf50258f30657ac7
SHA512 76bcb2a37971160fe16449e532250503b9507f117c54121e68c0dba13444ae9e884f2759248a23a0ab95c312593722699da5441d254fdbf6e4495781dbcbdff0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de264801f70f97c19f6f3ee9447c1ef4
SHA1 3f844548392ae76fef866638f155ff6ad185028a
SHA256 4f2b457017b90d87ac1d65d04f712f60cc67a73173e09aed29eb01dcbea836a1
SHA512 540716d1e11cda0cdd9eb2fa5708c30a59396ef2dd49a81dd9ab3aec21bb37cb4bb61e6b9c6c90553078570ffab606d5ab0869b1eaf3d348d9db46bf1d2f2659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69a6c7da4aa5f29b92c988afa35fa129
SHA1 7325b4fe37faaa2f368fabb36a9d8d6114af4343
SHA256 ccfc1c23460badd25e24dff91524d1a8e43d0e454a75874e51de0f08fb3bc011
SHA512 43fc415e70bf914c1bda8025cb98d638ab3ad78df9c0aba47ba5f30955f7dd89b76c0e957004af89a325f1bae64f97e7b0e440025b43ef21d87ff394be490b79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f064bddbdcb9035274ca728ced777841
SHA1 40e130ff518bf2cb8c4485957fb47490aeb4efd0
SHA256 da2b516cd8664997797a29da5ed23f44ee0b8f3405238368b3b36bfd8c2a1b47
SHA512 c5749bf9bd88e75938de60e8bf7aab42fc4a813dddfb7ca0a2bdab07376d15f326c50228911ece8318e01660ab48d52ccd7715aff698d7e9be0d8a73f2560073

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 370b22386076fee7e2156be4f1d1682a
SHA1 5e804233a507daf05cd4ba132baa2b8f58c27e3f
SHA256 3a02e4b0718642fa2f9a45d324bd32d85fb4e38653a0a84c118b27e74e404403
SHA512 370691d457256f284a678045d2adf7a1430dcd2f2bc6c0be067099a17686d021cc57d853d60041918f011847cc549b9d774c14a44d7cc5d258a609d5ca7ba7f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a30fdc740d4655458f5961cfdb83714
SHA1 e1b500728899a5f5faa6392cdeb08ad09192e512
SHA256 cce2498cbc97ff78319d6ac78a9520a5189021a410b31be22a6938da9ee21215
SHA512 13663f5d6fadf43e2aef40df7eab0e100c75928ad0086d1e13dfa885eae1d756a75d9f876ff87552642145b476e9708d86b8adeed390bc968fda2d599e6bbed7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 611924bac2edc6b5fecdb7b9179947e2
SHA1 e90c5ea23e8646b067682551f311db7b9e2cc3e8
SHA256 6b3fba58e42cc0fdbeb3217b6ef5d42e37354c726b3295c129dd519ba2b06749
SHA512 f264b2015d7af10a1a0aa4d5834f34f0554e480a563ddf19fe1866b1f92231459eafe4c2cda5f8f90d695e703df7347f122205a5a05ff3f0c64a3c0c15500fd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 132a75aadefa269dab46072fe37d6ee7
SHA1 252073ec6a650ceb7d3bf84d403e2279fa1cd2d7
SHA256 34ac27ecbbe9e0e80ede9bb27e9ef23a1b2fd596550af72025bd98328152c8b7
SHA512 8b133217a159b06baa82fa18dc2513cf0b6c060fcbbf1df45e52c1c06f1308a37a3a764982280012d5ca81d02c049fa30bf6fb9c3e14cd8bf24e212ba3989c0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caf95511a35c5cab3f186bc486bf4722
SHA1 abaeed86c96b0e3d4e9c48920834ac51bd2065ef
SHA256 ddec069d045918af468b265ed335f9fb17e1b08e3648f1d18aedef10d91bf7fa
SHA512 605638977888e8005c684ccb21dbe985ae4c8239ab91ee3419e41f1c01371cd64aafa6b8d7aa1b916ad08d02065553b14c83fb7db8bf4afa3cea6116215c42c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57e15e12320b5181ee3bbfc92b10566f
SHA1 e5e56ae41bec73d35c15e3df8337917fdfcc034c
SHA256 a103a86e6f20450482358d4439b66a1bc4f946e3d09d933a335f250e6d5f72a7
SHA512 e1d02a2dbc308d932bb7f8f95c2f9f39b58fa7520b971f217705065be4de6f13deb82e2c44943542cf0a6c1f0ed72addb18b25898a33a46fe3d57e892d081de2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ad4deb8a99d35abeff46d77c91a4d54
SHA1 2a18848f2d067b280076b11a933b21258e6ce442
SHA256 02b756ffa8d47844476c3124c3ba6b47b4694adade28644344ebd0fbe15765a9
SHA512 e62663ce31d049d75f3ca5417b4312bf59985c98190b21fb5b7702bbecc639919e056cf625ff59d367dd2d3daf23e0dbad7595b40d56b964ae54b84a51424acd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3a0d50863e4ea0c983087898bb5732c
SHA1 df5ea2c3d7ffb01097da8aff23900213f3efa591
SHA256 5d934d4fd7d4f38d23d95c3132b6ea22df49670356d6022877442888a2658f2f
SHA512 d3cf2415097808cf708837a0b3896a551a174f6cc57aff795dff7de228565f3fd4caa5efdc70a8d82ce65213727090e91994d203f8567b74991893cf8fd4a292

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3a0d50863e4ea0c983087898bb5732c
SHA1 df5ea2c3d7ffb01097da8aff23900213f3efa591
SHA256 5d934d4fd7d4f38d23d95c3132b6ea22df49670356d6022877442888a2658f2f
SHA512 d3cf2415097808cf708837a0b3896a551a174f6cc57aff795dff7de228565f3fd4caa5efdc70a8d82ce65213727090e91994d203f8567b74991893cf8fd4a292

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fcd4cddaa638bedfd7d4b648a8f4999
SHA1 003e2bc5504e3d7b0286b7330676fefc101a46d6
SHA256 c8e757ecbb30867f327febb76d95a92a20e247475cb6312ed838c6b31d935f64
SHA512 ede46674af02589ec7a19c220edf16627d5f48f60e44371b64ac21f7413e08ec7e10cfba72adee324a91f642194060631ca25070c4f8105cede389487c33a6b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fcd4cddaa638bedfd7d4b648a8f4999
SHA1 003e2bc5504e3d7b0286b7330676fefc101a46d6
SHA256 c8e757ecbb30867f327febb76d95a92a20e247475cb6312ed838c6b31d935f64
SHA512 ede46674af02589ec7a19c220edf16627d5f48f60e44371b64ac21f7413e08ec7e10cfba72adee324a91f642194060631ca25070c4f8105cede389487c33a6b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10c5d488b11c2d18c7b74443879cffa6
SHA1 16a1e6432a15179af8e9d7878d4b769dbda4a9c1
SHA256 29caa5e3ffd283e43d23e211dccae0a75e7773e16f58246cd109abdfb321c8fb
SHA512 c3978c3bd52c485d167be148f1d809e7d527c370e80047bce41596ac290955a86e28484e55a1372264a99c1e7d2a8e41009909326356bbd7a0882b9f7390d00b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10c5d488b11c2d18c7b74443879cffa6
SHA1 16a1e6432a15179af8e9d7878d4b769dbda4a9c1
SHA256 29caa5e3ffd283e43d23e211dccae0a75e7773e16f58246cd109abdfb321c8fb
SHA512 c3978c3bd52c485d167be148f1d809e7d527c370e80047bce41596ac290955a86e28484e55a1372264a99c1e7d2a8e41009909326356bbd7a0882b9f7390d00b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6379a499605314cc1e7c16d925f550cf
SHA1 f934df9c0ef98dd18cf1aa47bd58a4bb7c30df2f
SHA256 e6ed6101785f9877a5f5558ad2ec4dffc78b96b49b2107f41d07f2c17fa59f18
SHA512 e0c3eae85a8e7004b18c957564c243ca2d8064987f5bf8f5be33061962c8d46c677bdf77668316943bf9ede41fae23a4a9d89e80af606c073fdc1611428a6a4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b68652a2b6679172163310eaf7dd86a
SHA1 e784a511b63889b4bb54b5b7b03935e09d1ed6c0
SHA256 5f1ff38d46b2759b0f327f70c6a746b1ea637899b6479e1beb57b3052d465a0d
SHA512 49e2b06f14769a7faa81f838621664aaeb69d96480c61d6f61629d644cd62f2fe715d4a48d76052b7bdeb4620e2333881693cb544580f4fd98a322ae27aab926

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dc482bdf2e4bcd4d1713daf51b234c5
SHA1 a0e0083d9612f5b36ea383805035ff8df2f323fd
SHA256 20ec6ef4df1496236984b72b719811f473d5e364282252ea643bdf66f649fefa
SHA512 c9ef10ca079bdd23f5a3cae020dacd3ebbcc6e830e43f5d5667ef63cb51d87d4c64e7c81588080fd40eda913c8920ad38a8e92a0ad33ea61c5f67f5124ddf39d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f9b25eded99f276ff3be14aa9b90d5e
SHA1 d544db6c3774550aaddbc84decf17317d0d79e33
SHA256 b0432b0452db080a7b18ec60cdc00d1ab6a7a15c7bc0ea9154abbe93902aa044
SHA512 3d4bd6236c02d47992337670b2fa58d0d7a36c42565c24ad7081065f4e0f137fe5077357074523efa02b5dec981a16f18513c97af25b7a86d1221b17bd9dfb2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d377645765068051e8013484c5fc9476
SHA1 bfe82c2519620e0a512ad140811f0163fc3c5740
SHA256 261899bc1f4c246bfcb74ca244b0cecad907c9921093c925573ef01b5c1fdf6d
SHA512 c5cd72b31629590e0543ade6640e066272ef8c96f6d681b78d2c213d7897a47fbaa6b5589190c312282fff853a76627b489735c1d662ccc619cf8036588ab0cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5197092e8c5de5d1b62689ac0ee0e0e9
SHA1 37d7598878b582f9dc5c1303930ec9d80c6f1e54
SHA256 8f200246c4c003a41edbddcd2cafcd33032cab4be69ce96e9afa7988afc573e3
SHA512 72f77aeb32bfecb2704bd1b2ec32c2626aea2595976c4453f4a538474fad19f4b6e43ee6517c7d61a6497ba3bc3a97c08fc7faa6dc6a9b6fc6175961e224561c

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

android-x86-arm-20230831-en

Max time kernel

1890111s

Max time network

134s

Command Line

com.yowhats.sofitab

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

com.yowhats.sofitab

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 digitalassetlinks.googleapis.com udp
NL 142.250.179.202:443 digitalassetlinks.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp

Files

/data/data/com.yowhats.sofitab/files/.ss/l3d4aa6fd.so

MD5 3ffe2eebf984ede0758917ef4c4e0324
SHA1 2359fa4918d9413c80c64010680b300ac1e5f16d
SHA256 b6ed8e5d0072a8657124bbaf64b7b8e1da194cc2978345405ba354ff5b6fdfee
SHA512 08a880853691d495a04f03e5ef19499876600767f0632e1ef9711aa9c5878043cf10b78581906868d8dc595a4affbee599aa6123ceb3402af6d3a728db9a5e25
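
For the Android run (behavioral1) the report gives nine network rows and one dropped file. The script below is an added example, not part of the report or of any sandbox tooling: it buckets the endpoints into sandbox-local traffic, DNS, Google platform hosts, connections with no domain attached, and anything left for review, and it flags the dropped file for the two properties a practitioner would pull it out for, a native library written at runtime into the app's private data rather than shipped under `lib/`, inside a dot-directory. The platform suffix list is an assumed triage shortcut, not a verdict on those hosts; the rows and path are copied from the report so the block runs offline.

```python
import ipaddress
import re

# Constructed sample input: the Network rows and the dropped-file path of this
# detonation, copied from the report so the block runs offline.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 digitalassetlinks.googleapis.com udp
NL 142.250.179.202:443 digitalassetlinks.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
"""
DROPPED_FILES = ["/data/data/com.yowhats.sofitab/files/.ss/l3d4aa6fd.so"]
PACKAGE = "com.yowhats.sofitab"

# Assumed allow-list: hosts that Android and Google Play services contact on
# almost every run. Bucketing them as "platform" is a triage shortcut, not a verdict.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com")
HIDDEN_DIR_RE = re.compile(r"/\.[^/]+/")   # a dot-directory somewhere in the path


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify_endpoint(row):
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast or ip.is_private or ip.is_loopback:
        return "local"           # mDNS and similar sandbox-network chatter
    if row["port"] == 53:
        return "dns"             # the Domain column here is the name being resolved
    if row["domain"] is None:
        return "unresolved"      # a connection with no DNS answer attached in the capture
    if row["domain"].endswith(PLATFORM_SUFFIXES):
        return "platform"
    return "review"


def triage_network(text):
    buckets = {}
    for row in parse_network(text):
        buckets.setdefault(classify_endpoint(row), []).append(f'{row["ip"]}:{row["port"]}')
    return buckets


def triage_dropped_file(path, package=PACKAGE):
    """Flag a runtime-written native library in the app's private data and dot-directories."""
    flags = []
    prefix = f"/data/data/{package}/"
    if path.startswith(prefix):
        rel = path[len(prefix):]
        if rel.endswith(".so") and not rel.startswith("lib/"):
            flags.append("native-lib-outside-lib-dir")
    if HIDDEN_DIR_RE.search(path):
        flags.append("hidden-directory")
    return flags


def triage(network=NETWORK_ROWS, files=DROPPED_FILES):
    return {"network": triage_network(network),
            "files": {p: triage_dropped_file(p) for p in files}}


if __name__ == "__main__":
    for key, val in triage().items():
        print(key, val)
```

On these rows nothing lands in the review bucket: the traffic is mDNS, resolver queries and Google API hosts, plus one TLS connection to 142.250.179.206 that the capture shows without a domain, which means only that no DNS answer was tied to it, not that it is hostile. The dropped `.so` is the artifact that matters here: a native library unpacked at runtime into `files/.ss/` is code the static analysis of the APK would not have covered, so it is the file to extract and analyze next.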

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:23

Platform

win10v2004-20230831-en

Max time kernel

137s

Max time network

190s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\YOWA.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EAFCA89F-4DA2-11EE-A128-C679E4C6F477} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3143491928" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3143491928" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03871c8afe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3312554356" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b55bc8afe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a91b6edbf6c06c439a19175ef94dc95b00000000020000000000106600000001000020000000d88b14dbfae9e305ee989ae81e267ef09e931ffa540194eafc13f78da7b2b717000000000e800000000200002000000099deb24dec42bd888acdcb3988cdd0a5517595d2130d81476e41baa68eb2b02b20000000894d64472bf8a0edb7f8d5337725bc40354ee7cd43729579a644e3d7da80e0bc4000000064fc2b34ec119f706a5572e46840bfd59af61bfe9f4a887e4b52e13140d52e1d134df2e880cd56e358bf8b8af7ef3039c62c05fedd6fba67e5d56e4025d32bad C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400872245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31056303" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a91b6edbf6c06c439a19175ef94dc95b00000000020000000000106600000001000020000000f395e079140258a6a68c8f79c25cedea49bf1651e0a4ea327f2c335624ecfba5000000000e8000000002000020000000f31d513c6d43960e2f017af163e39b40e74d3e6e0ae08c1396998ad9df796bc32000000079de2cd45a2daca277dd441b1af1a7aee037e0aba98e1365ab466c5a199dc89b40000000d4925fac6bad72d38a12c9ea1fdbe1a0a95791e054693e7932d0c3df9cb88acffd9fa420232d5c6aaa57f2a01ab80ef223c6183f431c8c2fcc44a0bedeadafa3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
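
The "Modifies Internet Explorer settings" tables in this run and in the earlier Windows run carry "adware spyware" tags, yet every row is iexplore.exe writing under its own `Internet Explorer` key in the user hive. The script below is an added example, not part of the report or of any sandbox tooling: it parses the `Key created` / `Set value (type)` rows into events, maps the raw `\REGISTRY\USER\<SID>\` prefix to `HKCU\`, counts writes per process, and separates keys under `\Internet Explorer\` from everything else, with an assumed watch list of autostart, logon, policy, service and IFEO locations. Five rows are copied from this table; the last row (the `Run\Updater` value) is made up for the example to exercise the watch-list path and is not in the report.

```python
import re
from collections import Counter

# Constructed sample input: five rows copied from this report's "Modifies
# Internet Explorer settings" table plus one made-up Run-key row (the last one)
# so that the watch-list path is exercised. The made-up row is not in the report.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EAFCA89F-4DA2-11EE-A128-C679E4C6F477} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Local\Temp\updater.exe" C:\Users\Admin\AppData\Local\Temp\updater.exe N/A
'''

KEY_RE = re.compile(r"^Key created (\\REGISTRY\\.+)$")
SET_RE = re.compile(r"^Set value \((\w+)\) (\\REGISTRY\\.+?) = (.*)$")
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

# Assumed watch list (lower-case key fragments): locations where a write by an
# untrusted process deserves a second look regardless of what else it did.
WATCHLIST = ("\\currentversion\\run", "\\winlogon\\", "\\policies\\",
             "\\services\\", "\\image file execution options\\")


def split_row(line):
    """Split 'description ... <process> N/A' into (description, process).

    The process image is the last 'C:\\...' token on the row; values may
    themselves contain paths, so search from the right.
    """
    body = line[:-len(" N/A")] if line.endswith(" N/A") else line
    idx = body.rfind(" C:\\")
    if idx < 0:
        return None
    return body[:idx], body[idx + 1:]


def parse_registry_rows(text):
    events = []
    for line in text.splitlines():
        parts = split_row(line.strip())
        if not parts:
            continue
        desc, process = parts
        m = SET_RE.match(desc)
        if m:
            events.append({"op": "set", "type": m.group(1), "path": m.group(2),
                           "value": m.group(3), "process": process})
            continue
        m = KEY_RE.match(desc)
        if m:
            events.append({"op": "create", "type": None, "path": m.group(1),
                           "value": None, "process": process})
    return events


def normalize_path(path):
    """Map \\REGISTRY\\USER\\<SID>\\ to HKCU\\ and \\REGISTRY\\MACHINE\\ to HKLM\\."""
    path = SID_RE.sub(lambda _: "HKCU\\", path)
    if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
        path = "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    return path


def summarize(events):
    by_process = Counter(e["process"].lower() for e in events)
    paths = [normalize_path(e["path"]) for e in events]
    outside_ie = [p for p in paths if "\\internet explorer\\" not in p.lower()]
    hits = [p for p in paths if any(w in p.lower() for w in WATCHLIST)]
    return {"events": len(events), "by_process": by_process,
            "outside_internet_explorer": outside_ie, "watchlist_hits": hits}


if __name__ == "__main__":
    for key, val in summarize(parse_registry_rows(SAMPLE_ROWS)).items():
        print(key, val)
```

With the five real rows the `outside_internet_explorer` and `watchlist_hits` lists are empty: the writes are IE's own first-run state (recovery, new-tab, version-manager and GPU entries), produced because the sandbox opened an HTML file extracted from the APK in Internet Explorer, and the signature's tags come from the generic rule, not from anything the APK did. Only the made-up Run-key row lands in both lists, which is the shape of a row that would justify the tags.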

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\YOWA.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4624 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 126.110.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCFPASB5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral6

Detonation Overview

Submitted

2023-09-07 17:19

Reported

2023-09-07 17:22

Platform

win7-20230831-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 804fdda9afe1d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D466FD01-4DA2-11EE-AB4A-6AEC76ABF58F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000631612d73544453bcccb8f0359e4381972c8501088163e4202e66adbcbca5aed000000000e8000000002000020000000e790f07ea07990ab79e427a129ce5d8c9c5f559e55c8ba0b693ac9cb95080742200000000e97b90ecf8ed0ace047eebdada4b7cd58a5aa40c9939c0e1634b3bb207c122c40000000c7af924bbb43f1ea2bcc3acc3deddd529de866c2360e51a38b2f36846fa2c45f1264d6d5f74a96eec3a242a36bd8c842e6c61f370e93b64d20eb9119727265fd C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400269093" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\changelog.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7DAB.tmp

C:\Users\Admin\AppData\Local\Temp\Tar7E0C.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015