Malware Analysis Report

2024-10-19 12:19

Sample ID 230917-hjxe6sga3t
Target 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2bin_JC.zip
SHA256 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2

Threat Level: Known bad

The file 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2bin_JC.zip was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-17 06:46

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-17 06:46

Reported

2023-09-17 06:49

Platform

android-x86-arm-20230831-en

Max time kernel

2716232s

Max time network

155s

Command Line

com.mightthree8

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.mightthree8/app_DynamicOptDex/Rd.json N/A N/A
N/A /data/user/0/com.mightthree8/cache/aegtcn N/A N/A
N/A /data/user/0/com.mightthree8/cache/aegtcn N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mightthree8

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
GB 216.58.208.106:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 junggpervbvqqqqqq.com udp
US 1.1.1.1:53 junggvrebvqq.org udp
US 1.1.1.1:53 lauytropo.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 junggvbvqqgroup.com udp
US 1.1.1.1:53 nonkapizza.top udp
US 1.1.1.1:53 junggvbvqqnetok.com udp
US 1.1.1.1:53 bobnoopo.org udp
NL 142.251.39.110:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
NL 142.251.39.106:443 infinitedata-pa.googleapis.com tcp

Files

/data/data/com.mightthree8/app_DynamicOptDex/Rd.json
/data/user/0/com.mightthree8/app_DynamicOptDex/Rd.json
/data/data/com.mightthree8/cache/aegtcn
/data/user/0/com.mightthree8/cache/aegtcn
/data/data/com.mightthree8/kl.txt
/data/data/com.mightthree8/cache/oat/aegtcn.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-17 06:46

Reported

2023-09-17 06:49

Platform

android-x64-arm64-20230831-en

Max time kernel

2716235s

Max time network

150s

Command Line

com.mightthree8

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.mightthree8/app_DynamicOptDex/Rd.json N/A N/A
N/A /data/user/0/com.mightthree8/cache/aegtcn N/A N/A
N/A /data/user/0/com.mightthree8/cache/aegtcn N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mightthree8

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
NL 142.250.179.142:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 bobnoopo.org udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 junggvbvqqgroup.com udp
US 1.1.1.1:53 junggvrebvqq.org udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 junggvbvqqnetok.com udp
US 1.1.1.1:53 lauytropo.net udp
US 1.1.1.1:53 junggpervbvqqqqqq.com udp
US 1.1.1.1:53 lauytropo.net udp
US 1.1.1.1:53 bobnoopo.org udp
US 1.1.1.1:53 nonkapizza.top udp
US 1.1.1.1:53 junggvrebvqq.org udp
US 1.1.1.1:53 junggvrebvqq.org udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp

Files

/data/user/0/com.mightthree8/app_DynamicOptDex/Rd.json
/data/user/0/com.mightthree8/cache/aegtcn
/data/user/0/com.mightthree8/cache/oat/aegtcn.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-17 06:46

Reported

2023-09-17 06:49

Platform

win7-20230831-en

Max time kernel

135s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2F1E4D1-5525-11EE-A617-EEDB236BE57B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b000000000200000000001066000000010000200000009e70e5da699bc3dfa1f11124ec7a9cf7ce5ca954da5deb6df70236bcd30c0cb3000000000e800000000200002000000042826390668be5dfa9863785ce575c1b76f0b99479c8adca37ccd5fd2ad929a820000000537f64cf19f8ff3d4b074d6fe149f587b37cfe336f744c9ff65b9c9451d2731a400000000aae047f22e1ed326062d6e415b731c83e8b8d03d252b8c079c1eacbe20ce8047e8d51f8790430dbe0312db38ec66660e17b3a56d75304afc3dc0baf6f3e2778 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401095065" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08966c832e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab81FF.tmp
C:\Users\Admin\AppData\Local\Temp\Tar825F.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-17 06:46

Reported

2023-09-17 06:49

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058226" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3372872457" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad356000000000020000000000106600000001000020000000cb76ff9850f64fe00e777a25bbfe7f45bd85db80e9c0e2f952801bc790a5a84d000000000e80000000020000200000006e0a14aed4e22b5c4b128f76f2547923b77b37ea1403a12aef1152eb702d172f200000003b6d67ddfad4084237fa2518d4439748117452ace7b413ce9076eb73dab076b840000000aa71ef2c6594d08ddd38b11269e2e475488c67ebef60a6ca47ad23f0118a6c50ffebba18115f88dfd1cd083a0979fd7c1b5dc851c0af78ccd1005c885a9157e6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F3D5BE32-5525-11EE-941E-DA9BDFB2881E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058226" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401698174" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad3560000000000200000000001066000000010000200000000379677ded1c537fa2fb5d3de405501cb605442dcaee0a45fb263788b33d8a30000000000e800000000200002000000019d44633e3ec99f41159257cf2f03e4fe68ddb531317de156a53f955f880c1d62000000015bc3e56f2e17b92cac989c8d5defc3dce26b6c5372799b09609dab138d3549e4000000045f973da27fae493616674e33b396fe60d494001d16cc047ac423eb390806b62c65342bd21bfafa92d8c91688bef2e0f478bea1f2637b874ebb75d2d075c1a69 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058226" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d077b5c932e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3360997202" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0065a2c932e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3360997202" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17410 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MRL3SWXH\suggestions[1].en-US
