Malware Analysis Report

2024-10-19 13:02

Sample ID 230908-dzpm2sgc54
Target Lol.apk
SHA256 238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b
Tags: hook evasion infostealer rat trojan ransomware stealth
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b

Threat Level: Known bad

The file Lol.apk was found to be: Known bad.

Malicious Activity Summary

hook evasion infostealer rat trojan ransomware stealth

Hook

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-08 03:26

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

128s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

124s

Command Line

[/tmp/libnpth_dl.so]

Signatures

N/A

Processes

/tmp/libnpth_dl.so

[/tmp/libnpth_dl.so]

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

win7-20230831-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zepto.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zepto.min.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:27

Platform

android-x64-arm64-20230831-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZC71R6A\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral9

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

125s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-en-20211208

Max time kernel

1s

Max time network

124s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

126s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:27

Platform

android-x64-20230831-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-en-20211208

Max time kernel

1s

Max time network

126s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

2s

Max time network

126s

Command Line

[/tmp/libnative-filters.so]

Signatures

N/A

Processes

/tmp/libnative-filters.so

[/tmp/libnative-filters.so]

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

win7-20230831-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\webvideo.html

Signatures

Modifies Internet Explorer settings

adware spyware

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\webvideo.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto

Files

Analysis: behavioral23

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

win10v2004-20230831-en

Max time kernel

141s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zepto.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zepto.min.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

127s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\webvideo.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2415528079-3794552930-4264847036-1000\{A9538C4C-968E-498B-B7A1-70F68C7B38A7} C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\webvideo.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:17410 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0XT81K5W\cb=gapi[1].js

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\W2CA9RND\www.youtube[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0XT81K5W\suggestions[1].en-US

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

android-x86-arm-20230831-en

Max time kernel

1926665s

Max time network

159s

Command Line

com.dogilowopuna.zico

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.dogilowopuna.zico

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb-journal

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb-shm

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb-wal

/data/data/com.dogilowopuna.zico/app_DynamicOptDex/oat/pskPXGY.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

android-x64-20230831-en

Max time kernel

1926667s

Max time network

161s

Command Line

com.dogilowopuna.zico

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.dogilowopuna.zico

Network


Files

/data/data/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb-journal

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb-shm

/data/data/com.dogilowopuna.zico/no_backup/androidx.work.workdb-wal

/data/data/com.dogilowopuna.zico/app_DynamicOptDex/oat/pskPXGY.json.cur.prof

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:27

Platform

android-x86-arm-20230831-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

154s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

android-x64-arm64-20230831-en

Max time kernel

1926668s

Max time network

162s

Command Line

com.dogilowopuna.zico

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.dogilowopuna.zico

Network


Files

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-journal

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-shm

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-wal

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/pskPXGY.json.cur.prof

Analysis: behavioral7

Detonation Overview

Submitted

2023-09-08 03:26

Reported

2023-09-08 03:29

Platform

win7-20230831-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f027646c04e2d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400305496" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{970B19A1-4DF7-11EE-A914-5AE3C8A3AD14} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000006474d7d05d88b4a68d295081ef5639113d20e8d759ee3bef426fed739edd86c4000000000e8000000002000020000000ff78582c4372c3ee69a8e7a735a4f2540dbd7b5b0501ccaba4670cc11ea7c30220000000bc71dfba85cf4b14c709149b3bdc1dd854094b0d14c821f5b82f8043f44102ff4000000076437412321e256a2a88c5e8155acd7278b89d3b1b4ee1e1f4b555e6a3945557b12b8806cc4eab953103e7410d1df8a37fefe75e0b9b7453c60dd2c6cdb6047e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral17

Detonation Overview

Submitted 2023-09-08 03:26
Reported 2023-09-08 03:29
Platform debian9-armhf-20230831-en
Max time kernel 1s
Max time network 126s

Command Line

[/tmp/libttmverifylite.so]

Signatures

N/A

Processes

/tmp/libttmverifylite.so

[/tmp/libttmverifylite.so]

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted 2023-09-08 03:26
Reported 2023-09-08 03:29
Platform debian9-armhf-en-20211208
Max time kernel 1s
Max time network 124s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A