Analysis Overview
SHA256
78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631
Threat Level: Known bad
The file 78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.zip was found to be: Known bad.
Malicious Activity Summary
Octo
Octo payload
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Acquires the wake lock.
Requests dangerous framework permissions
Requests disabling of battery optimizations (often used to enable hiding in the background).
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-17 09:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000863c843936ec0098a2f4475abb4e5f85b099a9de130d8f23f714958941758568000000000e80000000020000200000001a0eb2790c2fc0f24368fd8dab636d32ee50043736dbc7fa248757b3006225dd2000000056b88392d3018daaaa39d895c2b9d2bc74eb2144ef1b24e04c90957d5e52a65640000000a8d40482f2feb0749c8c92f1737ab88400e848ff995dafcf05d9b8c786a40761e1e2fb565189477871868a90f9dc34efb2038ecdfd3255c558cf35219a878c76 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e094028345e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA9C7357-5538-11EE-B0C5-56402FC161CD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003df48245e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401706212" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2153301350" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2133612863" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2133612863" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000d85628fdd7b0e0ca697aee023662eecc4297bf1ee725b8fdb45e134f653b069b000000000e8000000002000020000000b0333dc94b17e9ced84109e63e35372dd978fb334b8d0708bfba84152163d15c20000000d06c3ba286570ef52ea0c1cec8fda638629f7291b781ab8480faaf5ccfd6f38140000000f14a6592ba2eb0f2b522884184539120ad4e8870e644e36f9b8195fef853b710b5bb871b1f8c3867bfb645a73be9167518f897233d598e75cf978a2020dcb9fb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4336 wrote to memory of 4476 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4336 wrote to memory of 4476 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4336 wrote to memory of 4476 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4336 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral21
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mglyph.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mglyph.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ms.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
android-x64-20230831-en
Max time kernel
2724274s
Max time network
162s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json | N/A | N/A |
| N/A | /data/user/0/com.factupx/cache/phgpygedzvieza | N/A | N/A |
| N/A | /data/user/0/com.factupx/cache/phgpygedzvieza | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.factupx
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| GB | 216.58.208.110:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | 41fdghhoo11.com | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 1.1.1.1:53 | 42fdghhoo11.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| RU | 176.113.115.110:443 | tcp | |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | 42fdghhoo11.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | 38fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 38fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 31fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 31fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 39fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 47fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 36fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 49fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 45fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 46fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 39fdghhoo11.com | udp |
| RU | 176.113.115.110:443 | tcp | |
| US | 1.1.1.1:53 | 46fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 33fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 50fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 35fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 42fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 42fdghhoo11.com | udp |
| RU | 176.113.115.110:443 | tcp | |
| US | 1.1.1.1:53 | 44fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 37fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 34fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 48fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 32fdghhoo11.com | udp |
| RU | 176.113.115.110:443 | tcp | |
| US | 1.1.1.1:53 | 37fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 37fdghhoo11.com | udp |
| RU | 176.113.115.110:443 | tcp | |
| US | 1.1.1.1:53 | 43fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 42fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 40fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 40fdghhoo11.com | udp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
Files
/data/data/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | cbeb2a330bc5bb595285f8b49de824b4 |
| SHA1 | ca0ac1ba2b1ee3a315bdfead4d300262e63f0f40 |
| SHA256 | bf99b8738dfdd69f74e5da3369b205d4be8f01d8a0bd147b4bf46ba0cbf002a2 |
| SHA512 | 85fb4110db3facc4600037ab3493eca9fb1f7302637fe992e486cb506544abd8546182b545272c29c101a10ab7fa486491dd544cf63af153da4754aed4116752 |
/data/data/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | ccb34a777bfd9dcf00e1bf1ea73abb21 |
| SHA1 | 505d5b6b4132d042690716a9afeae62769f8cd26 |
| SHA256 | 0154661f8ff3116976885edbb9daf2a51293db5bccf953a1d7aa4521b56e1bf7 |
| SHA512 | eee31641031e1a0ef30341c15ef07bcf68b42267e80de3ce736655c9238de17245a484f7ca238d02d1bed9ae27fcd33ea42ab99d1e2959c03b3039a4383850bc |
/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | f9f93d3eff43dfce4e7c5a1cf8546290 |
| SHA1 | bd705897eb5b1e0ade8de52281f7c5137e26daf2 |
| SHA256 | 642f9179c2c98febc07887ec91eb00e328ac13e35a93492eb2533216e015361c |
| SHA512 | 25da6b35caa5403d8ba032182e45a19ac2c4e6f4f53d95c2b888548cf284dc6243a4093849c5016afd7156ce1ba6b859c02735302fe8902b4c4b923d6f420355 |
/data/data/com.factupx/cache/phgpygedzvieza
| MD5 | 5a80512b1d7846b456ac8f3dbd1c7f3d |
| SHA1 | 2de7cd24c284cbedba4767712a2f9989b3b1c5cb |
| SHA256 | 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3 |
| SHA512 | 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75 |
/data/user/0/com.factupx/cache/phgpygedzvieza
| MD5 | 5a80512b1d7846b456ac8f3dbd1c7f3d |
| SHA1 | 2de7cd24c284cbedba4767712a2f9989b3b1c5cb |
| SHA256 | 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3 |
| SHA512 | 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75 |
/data/user/0/com.factupx/cache/phgpygedzvieza
| MD5 | 5a80512b1d7846b456ac8f3dbd1c7f3d |
| SHA1 | 2de7cd24c284cbedba4767712a2f9989b3b1c5cb |
| SHA256 | 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3 |
| SHA512 | 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75 |
/data/data/com.factupx/kl.txt
| MD5 | 6311c3fd15588bb5c126e6c28ff5fffe |
| SHA1 | ce81d136fce31779f4dd62e20bdaf99c91e2fc57 |
| SHA256 | 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8 |
| SHA512 | 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6 |
/data/data/com.factupx/kl.txt
| MD5 | 9cc418255a06f982a89dae3760c06c9c |
| SHA1 | 795d1fbf58a85ae83555b348b0dd4d8d642f7a3b |
| SHA256 | d1ec8a52347816deb06d1f9248fa5a42d9b45ef138dd011e4a8a7f146fc0686c |
| SHA512 | bd19f9ba96766956c91f67001c82460baa529a4f75a589dbf64cee2488b0ea9ac4b9ee13fe74bab0ee23ab33fafb3336e1778dd786958ffc161594ce36fc2e4d |
/data/data/com.factupx/kl.txt
| MD5 | 64ed629c86660fc0f044dcffcf1874f9 |
| SHA1 | 3a4474c6ba969fab5682ca62d81151dbc14e7270 |
| SHA256 | 72c3b78a12b51986f0aa778895932812137c05b42793bb40126959fe91f24cde |
| SHA512 | 6aa948c462f9138aa620fe0d30bd120231072782d5b7d943a05f22ec0fb5d2b1956d58cd95e600a719acb4b214c0e5ab3958f5f23e744fb9b2300f0881544f03 |
/data/data/com.factupx/kl.txt
| MD5 | dd471fa89695e0c13400dfb1929e18cc |
| SHA1 | 3490336c03a057137f5eb3f8f049c8a61e278a7b |
| SHA256 | 4958009939d8557c9f8fb8801da35fbc9d2e9f1ddc90a6713be9dcb112f91793 |
| SHA512 | fa9ee4dfcea9f733ff0c9e3ecc5a99d1443b38d415aa662fbc246c51d4cb7de534f0aed5b09a2f92eeafa3ab83794d96ee2d2da868c6e4edadb8b0dfaf53319f |
/data/data/com.factupx/kl.txt
| MD5 | 3052580d36a2278ef9c57c66f457fcf9 |
| SHA1 | 80e7941ea5d501aad9a2fd0d95a4f82cccca5f5b |
| SHA256 | a8a844075b4e708bc69deaa79c000d89012bf858cbf6f6c84abbbe5e1f213b42 |
| SHA512 | d2274709000ae897b86277089ed8dde76f1c5c9848fa62eee52613aa50b58c1a969454001f8bbefcb525da46908e7726a6190337898c4e7125cd300185bd00ba |
/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof
| MD5 | bff68dccd2e9c0f2b0a31e9e269e1e80 |
| SHA1 | 082014ad0f2dc07734f8cf94bb30999045cbf712 |
| SHA256 | e127c3f1d7c5e4c5b95f4e7592baf1366b736e8e9c66e4cea0b38399af2fa68b |
| SHA512 | 3ab417d46399261964a34ab82d1eeb23ffb06405f7e094bc911ace7f9c5fd250879c966610961a95823b807739f67d7e58ec964666bf2e337bcb54b36f5fdbe4 |
/data/data/com.factupx/.qcom.factupx
| MD5 | 046a414913add6f5bb60072c7db819b6 |
| SHA1 | 451ee4f6809260aec622d772fd329c7d0297a842 |
| SHA256 | b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a |
| SHA512 | 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c |
/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof
| MD5 | 45faa89e379eddd11d07fbb5a418d771 |
| SHA1 | d7e9bd8dc991c02ead4ef19ea4b65333abf9bf44 |
| SHA256 | eb3901e1814f92d2fb721e74dc2a586ca88412d004b4cf54505893e6910e1a46 |
| SHA512 | 9c6425e3c31d1a9791ac80b03803308f4ee1c2fbb6a1408ef619379169fdf9b0d9f74e87d3cd4b8af531accbe27e88bb435be10c6ea7f3dd9c7dc7ceb475db52 |
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
136s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103103" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9F7F811-5538-11EE-9EC9-FAA3B8E0C052} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cea37e45e9d901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000dfe3f162bd2cd95559a9e89e1ceaaf161a7fa05e9c56fe2fcf8256a0a4998ec1000000000e8000000002000020000000357e038dbe836d82788dbe40b3c214f86eefff653abc57185e6c9d58eed05afa2000000063a0b4ad921e492c9001feefd9cd3e7df93979d5cdeaf28c0c713c5108668bb1400000009b6b53a62519c9b6554dd3b3e2056939362eaf783e673ef55fd7ce78bac824c854835130fc96efa840db23cb462537e42a5ecbc3378f6aba33c2d38a8272c05f | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000f43f9203d80e365d87c19a52cc40b26af6ffa8084aa36abe5647cdb930fdae94000000000e800000000200002000000097696674265a3cb1942b2ed8eb0ef79a18cf8f786fee2c1aaf30657adb592ad190000000b22e8dfbe89e36548164d101ee9918aa18b568ec5f4967b4673d8c11dd4d2b9f15ecfce7add0799095da7f26223f61199dfd4b48d8b950f91aa8aa81e83728754df2a2b386eea95d39e9717810a1fb1929f8a568e38041e57a8fc86beb05f1f1e7e6d1bb656a8bcd0a4983f7b65c07d19ed9ee5d90086a3d92643d2c3201062c762848a8377e0e6fc206cb7817d5bcae4000000059a031c119a3364494302a601d230411e610234cbe71e01902de6e5104a47ec0e30fb64c5c9c020ca38d6479b26954790771102033a99d7aa89b559c23c43ae2 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab64FB.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar656D.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f45ee8cabc5c27bccee9e112fd6d97f |
| SHA1 | 6c321aba1914abc19215cb81b4858482e936c852 |
| SHA256 | e62af04c718ff3073da98268ff123abd0240bd86d0b10d795693fa1d2a6c91b6 |
| SHA512 | 5427ba061587f55a5fb743e28a96f33d1914668763470d3c0ff4a99cbdb6af5af87875add242a6490756e35fe7b94bfaac6de5bcdc38a3caf17ebc0595dee559 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ff7f2c66de48e6f1cf6188b0185c4b7 |
| SHA1 | ec2bac0027beb2f4e54cdc17beb3684d5da06078 |
| SHA256 | 132259218738075bcf31d9a9a5d97e713a509951072043f2537c7cdcde0ae05c |
| SHA512 | 77583a8d4ceb0e090d364bc2d989cbf243754efa18366a30516a27b0c9572903652aa02ebc92d2d93699e0991052ef70f73e38b94ab4878be23146f1018a5c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9919e6dea43228ac7147a44788214e57 |
| SHA1 | 15a68a540a637ff8b560d1197c68cc44623fe2d3 |
| SHA256 | ca4975bffbe31d77075e161fa1ae839221a72b2b61a318325556b49cc9962872 |
| SHA512 | c9e9edfbb5990383a95b5940096ab406af8e451cb392c81b99e0d557cf6d8ae69f9ccf22b60e58f58289ebe760686344756f75c308b9d17fd0cbed234d79530a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f876d28ae4bd4c0776b1beb082c67b64 |
| SHA1 | 86111148fce66b8cbbc4700fcdacc719b77c9076 |
| SHA256 | 77c5b5a9e8f093fe7a040358123af0c5f5908f00d05b6a0ff985ce51e2c979ff |
| SHA512 | bf7c45157e1a24392a718b9d33125e28b722d5230f5c6f4acd448fca6058257a70b6f7b3a308c827ba04060956adef724412da559aa19bc653471d57e2ec3d6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ff33a824dd03259ba95ed2ec746fae4 |
| SHA1 | 57c5a9e478543c41ae4d23a4c115aea7d8cd4a15 |
| SHA256 | 7e83235434b2a802d113c7f9192fa1b562ff79fbc636e50989ec70f586b99930 |
| SHA512 | dd6978e46fcc528626b20089c3514ea2f100843bbe49ce2401db9e2f6a4f16f02bb21b67dca45ea6dbe89dd3bfec622db159b80b942bf73f3183a03519bb4cd0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff4724fcad2c809a260e98c7f34c953c |
| SHA1 | 6de36240ea747848e682eb327a25a85c1f4f96b0 |
| SHA256 | 3f1ca68ab69e4c8f6f140dd4973c5790ac1e5a3f874e8c4591f4499f6dc8e407 |
| SHA512 | 43ffc0d4e0fd1be2bd4685b27ffde1beaee1e0558a4a577286731bf50b95d3ceae4ab3fac3ef3ccd272c9d7a853b06bdcd33417e32eaf78d9b679b52687cf3b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4188065d1c0df1737f2a7e66e771832 |
| SHA1 | f5614cc81f8f56607c1ba20fc5056d3b036ddd6b |
| SHA256 | 9b5160a8110c597eba00267b53cfa24149cad080364f82265ccd2514af602a7d |
| SHA512 | 6a743d6594bf624a530b97cc5f71e3bfbc3ec58ae054c502868eb4c1620f8071d17862e735c2ff74e17ebc1b2f3552298733a7eb7c1429a83da75de0df5fb4a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 655dd417b0c3da0ce2718d12ba1e27e1 |
| SHA1 | efd9ab66d2ea7807429bfdfabb54fc749982019b |
| SHA256 | 3c67830a503c92cdac7fa4aa4dc312dc9ad6d55b9b195676c7b3028eda19c6c0 |
| SHA512 | 0586622b98861cf7efbf2d474101c73108b0b25636ce9b8a74e8aaa3181bf09e08c8e464cd0ff73eb37d124d1be071e5bfc69fc442f2b4a3d1d0e150f95843db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0a0f2f2aceb3cb5cc9b600c2777c750 |
| SHA1 | 40b30eed6cc6f4c25bf98a9428e82a08f64498c2 |
| SHA256 | f8891c7969bbe43c92d326c9a8a564805a50f37da2c9e9c56ae469a6d0a66ae1 |
| SHA512 | fd30224363604db9afa31970c213eb5b660a1576eaf4d90b624eaf2cd4edd309c661e7b39af6ff30e031433f6903ab6241eb34ed0e86d2cd0e3d5fc82180b26e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 438575431b82a8d88676ad0a150d0506 |
| SHA1 | ecfbf96b912279a5ded1af2c0719355ff7d148f8 |
| SHA256 | b3da0718070f83a41f5d11f3e4e4b4bba7273e069a9c425a355b3904270d6bf8 |
| SHA512 | 01697b9f64803e22259d13c3757f3984548b2fc4a223167bc748929117b06cdd70b07122844b49349baac4de5be66aca61c764147c0afa990abca304070f3ab0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b894248c54fd2f5301505654f02564f |
| SHA1 | 1b85d7cbdb167a06193199b543c306951cb99ec2 |
| SHA256 | 9c37fd684ddd1aee8ff48f30d475a23e31ef2de80691c59d60ac9d9958695df4 |
| SHA512 | 1e20c38f32e7277a6b7684a6bca90dccefa58dd394963ab5cedfbf61bb2c70f11f7f556da5dace9b6b2246b68e54ec1e54dd595c02737893d714decb5dfb63a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 086bcce477f991d16a9446a0a29b2526 |
| SHA1 | 8b1bc897354d4e20d4931b525b1703d21e7f9b21 |
| SHA256 | 65e8e03bcbffc72e5d9c32ccae5498bee6d296b34a7727f0acdb0c6d61d5d745 |
| SHA512 | f08811fd7dbe7adfc95509f2ccaf9e0f967ae6a7d08c249c7e68d643cd68128062c314491a962fbba149369f5e119f86089bc4589e9576c5aaea255e8e6347fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 437cf293c8116cbb813a3439d0c3153b |
| SHA1 | c94789726324f11ada38ad326ba9bdb4310a6a4c |
| SHA256 | 615d530afdd56bd7a3d33c652b695b506e277d91d5b9b39c6aa68c7d2a7311b6 |
| SHA512 | 586d88fd3b378e5e9146d3bb0b87b5781ccb2006df5edbbb0032452c122d7d42939af2b03c9d4f126ed05e271c3d34347b45837357be91a0eebb36e2ee55cb0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c83ed85fa26754fc88bf6b1832b85526 |
| SHA1 | c3020b65627598cb34a054395c722206e552fb74 |
| SHA256 | f2aa07235f071ae894ea6206ed8977bb2fd1aff1fed4944a734f1261aa37de9f |
| SHA512 | b78ff34e6297a114b71026013ac2dff8812b368f87d295fb6ae90d12641b74f63db6c8a36266a50a165e5c673d7350bf78b194c458b30cca80b7e18cad94fe9e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3c090dc0618ff0c293fd604566b61f9 |
| SHA1 | 899d74dcb02ff9909bfea4d397226973a8bbc5f1 |
| SHA256 | 7f252a84e558876995daa296af9a4c2c896f2f9ee4950c32e8cbbcac1903c3e7 |
| SHA512 | 12cd506689bc4b5a499bf75c0254a318b7669dd139fb4107a86b35e948d1e9f12ff721dabaafec31c5816c4e06c4c65c839ef313c900bfce6cfed2953efcb9d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | accbfd7c5fec40e76f1835395856b40c |
| SHA1 | d18c01c6624c33ba584ad7ea9607339959c05531 |
| SHA256 | f61d29957d36a8d60ec74743c4bf4976422bd2fae60c9f8cf31dfa673d2054d6 |
| SHA512 | d3809d40e036ca9f5cfba09affc9e46ad7900b604b93b8b2decfd7d0ccf12bbafdc7daf74ed69fd94abb62ba7337879cebb5a3cd9c1e3db19ca72add1dc72804 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 202a5fa9fb75832a837cbf44e4962535 |
| SHA1 | 653238408de4a1789b74bbb8bcb895c0aa0b8577 |
| SHA256 | b1cf50f304fafd416680c5f1f0507b1e4fc5bab6dcbf3f26ed1c433234581613 |
| SHA512 | 27715f5bca334f880d7d0d681532975b75f519bc26c3bc072c44318f74c4f9afcd70728027e7d3ef2ac031c121492060c510cd035061e68f2a7039fd5a116d03 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 775a76186edd09403900cb356569f69f |
| SHA1 | b1c9474d58202b93f379ca24ecb4c94bb95940f7 |
| SHA256 | 9fa2dbafd29bc7dc149c47dce386d13b08c396ef7f1a5aaf296c6f1687643c05 |
| SHA512 | 4073a7d2d766b28abc7ca7121f92d210c551b8a261ec20f375bef61b1690dadfb7d619e84657c9351380d5be4e2dede5711dfa524a23e9d4eb5ad8b1549885d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 913366589b704af2d7174760438334dd |
| SHA1 | 410d66e3d33974d25d55f93072708fc8b54dd9c9 |
| SHA256 | c3a0cef497450f52fc7e71085a8dbe5ee7060ddef0c8c6b4ad2fc05cf3aaa965 |
| SHA512 | 9858708e22fb1b34f76afa394c3c05dbb6a77e89253bc613da017f3a803c529c052603d45bcdd7c665b763981d92a433c599df0cf4e5df7aded60b675b5c8946 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4b62e762d63405043b77dca028247f6 |
| SHA1 | d28127358ff0e0649763e83566d4cbd1d119ada4 |
| SHA256 | 20781ed48e3ed46749e260fa33e5c87fac84ae2e7b39347ee2b032d3e373ceaa |
| SHA512 | 193cd37dc3f4cd5092d528b81cee4ecf0ed03bd95475deb35a2a462c119743f7de9da48fd8f8eed8b910e5741311bee9c30ef7723225e91738dd945b2b89e9f1 |
Analysis: behavioral13
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f000000000200000000001066000000010000200000003874cab3cf2a082de628ff2a2f2dd370fc7fd7ccd1d7f06da187317b3668d28a000000000e80000000020000200000002f7360d1fa33de88e5ecad11580830c0696dcb80e8c63e3cffafcccf5f945d9c900000006c2e807ac3e04398e761962be03f4ba8abeb45216b134efe3b46516066273415a7d2474f5968fcbd72ff0dd6504736fc5779242ea5e34fc2ba041b4d5061c340ffa2a2c1d02fb744d60223d8de3166b0355778266e48a5fc517acb72d5a8b9aeb400474580dc1541bcc121fbac78648a2f74dd33babe4728c68684f8ca0585e7f9041519080a2b5dcbfb7b98d9478f8240000000da5e219c38ec6fcd09413d499e94e5ca0f2ed7929d216123edd533fefc53ff69fec6cb941d9d715253876958d7bb97e93e1779474609e98df8ce70d5acef6e73 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA4D7AB1-5538-11EE-9D95-76BD0C21823E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103105" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000a9100fd9c97ec122a436dcadcfeb74ab3d50789f8509fcb414039036a26f297a000000000e80000000020000200000002db0ccfaa16bcbce60408c7d319c577cababd832683c213b48abb3ad171e41b420000000a23688b09007f9a10661db3ce3c06fbb41b53658501a0dfa482634b30083cec54000000098fff2020f800b480b639078750223abbe5bf5fb5f752e69163e8fc71aca254d94a09e3187effab1899e8a2702d482bc202eede444862ad6fc6728e83d4a6ccc | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b58f7f45e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2148 wrote to memory of 1880 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2148 wrote to memory of 1880 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2148 wrote to memory of 1880 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2148 wrote to memory of 1880 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6AC7.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6ACA.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 167fc026b008515eeb2fcc8845d359f2 |
| SHA1 | 2a8c24e5265363ed065b79f90d6e4f14e9b670c1 |
| SHA256 | 6ce7c898337008eb49418f1b2b7448faf611e5583c6ffa054d5096029f9ea081 |
| SHA512 | 6f53e649d528cbf8008f1d19f955855a0fb4d5d56ab6d8c71c6f77486f6666263d58c6cb5383f14f578ace649362ec60adba39a6cbd5e7b275f6577f7d9562c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d8e40c55936287c45b9bd0e0f803173 |
| SHA1 | 9f127dc09cfdbfa349825857776c8412434a54ec |
| SHA256 | 0735c7c653850faf3f8ec37ba2969fca6093e23af6858387fec26a30ab12cc09 |
| SHA512 | 62a40fe33ef3ca3c5c9a0b8c063d63e01ef7c28c7a6fdc779a9d0e0e54a2409c7a8cf570c56c40c5317b768fab1fde4ff8e3fefd7b2bce57fcb1ca94e4e9df2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba6272c39ff3167a2a9686664f083185 |
| SHA1 | cd73533e6a80ec8a6950c7107be53e191e0417ad |
| SHA256 | 5df9e2b7b2e7129226e8da19f5de0cb849c125586dd82e040fa6f91307d00e0c |
| SHA512 | 73da9dfbf2362e18c8ba9d5ceb6afa220ab1e97a0e1737283e7cb6208555d35e7ca41aee283315a8fd55d774fb9497cc5d866790b29379da43af72f5e7f8f46b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26df6e1d1c7afb8429d10ef5525b4391 |
| SHA1 | 0d5aba07e248b128c5fe5a089798a95cfe1a8fea |
| SHA256 | 3833b2fac39c5e1020c45d6cf3877d0c5da6e21690c1c30e98b52cd35210317f |
| SHA512 | ec86e08bda18057eadf44109682f733a2327874757dd969bfd07f390b347504d03bc3bc4e8a7dcf959b5871c58b7767744c4478a27e5f9b59c2cd8fc85c4ea25 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0605789a4773c5ca33da4f46572a49b0 |
| SHA1 | a6b236042e31cb57057d977cf1e4f901b5c73bab |
| SHA256 | 6922c982db38b65343c7ab8f6129ca70cbd7ca66f55c6dfb048cbbab6e66cd07 |
| SHA512 | 5253a8e94a64532bc350e194644b3a44ad2cdef92b115f4fd352f208f95f89a615d9a7f2eb3bdac33a2b0524670d23679f5ef4fe74f3a2e9d1a6329234257341 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b7ea65358ca582824f605d42f61f48e3 |
| SHA1 | 666bd471a9f3eab78042dd844a934e51a89b4322 |
| SHA256 | 9e31b89ba6a581b3d97e2e37cdf2377e2ffd1f8fcd955d8eb763f6737579be45 |
| SHA512 | 6bb3e8d8de818dd6618ab258140744de37c417664a837eaf56b71b203e2124d9cd090cd7911a01c5778f5dec571166e7e24b47a434ab8edf29277576e6b8a94b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 405b6180701bf0b59c5be22ae33d47cf |
| SHA1 | 6c18b6c34ed81c416349118e29ab85ce2ec19ed4 |
| SHA256 | 17c305a0d061f17b2600406afa975cb26c46bb9caaed90e9c8ced47d51600958 |
| SHA512 | c169e7a8c061b7bf327bd1d517d7afe7be041b0a84bd26441f6a6572ec8e639cb388c2d66393e0aeff4eed099c3f3d4a21e9db361127f6b434e61733cf0e7108 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d68e74d28e318990cb95e5c18f4fc776 |
| SHA1 | 84249c1d95976afe0342fd3f1b25d332c1b77881 |
| SHA256 | 066d05c0269c0d64acb9647722b804a46be0d6e9f992f26093bd4ce6e6db1d82 |
| SHA512 | 2ae1a3dbf73a348301dbbfbd21cdc74dfa02ff76f59336cdb133e6b6b574d8dfce5845cbbdea5d3137389e4b69b591c9db4f58e17d2fe9e65d814dcca15b5c33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65ed85065ced0cf974920f1c72b684c8 |
| SHA1 | c50960dac78373bb042b23e0800bfc2534a4d191 |
| SHA256 | 4a5d623d448c477c2893a0d39b54e7f1f86e29fbbac2abba0c35be8d5813f277 |
| SHA512 | 3bd9996cd8346f03b94e543da3524af7580c67491570f06be77dd5cc543908596eca43da4e01b477fdcb0e31612bb3ba7b0d78d597c1d9745a53497ec9d658d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6769d914f14c9768c450214ac3acbb7 |
| SHA1 | 49fb521273f175c887949720d3232edfd1b7faf4 |
| SHA256 | f1faf7f20e76df2f50a01bbfa899337d970fa75ff15bc957c476c8be7ff5b236 |
| SHA512 | 9adfdb4558263b7991be461073765767312ef059a59fd15ebe36aff0b8db757da5718742baffbd338ba2761bb4679b05a37a2e50648bbca76e41127436343a26 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41df7a5f347040161af6ec09a331dc72 |
| SHA1 | c9d500772b6ed301971ae0c73df62fd288fe26b1 |
| SHA256 | 8c41ed78eca2a9d014c9c367f8aa2472dffd2abdd83d4fb63d63edb8763ec4db |
| SHA512 | 1599b5eb0d46dcc36f2afce9d17df11f9b23b8d12df7097537d4493745cf7634e9c81d40fab5c727aef36a80a278dfc53d6dec9df9d285b2fbb7693c54e6f049 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad85beea11b7f1e0aa5d38708d7c58c9 |
| SHA1 | f9fc2a13bccbe8f1c5b4fdfc97e610c71c16e0f5 |
| SHA256 | c447f53aec64b8ee86b23e5868bf5df724e93ecb82756135b1cabd64c2880f14 |
| SHA512 | 33ff6e2c85f9ab3304205996c68ee72e08e3bb2788b53523cee844bf0cf1f0d376edee6a53d4b839a648001a5ffd52d6b0478fe2ecbb4b7b6d50dc789ef82620 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f93cc6b9b1bf8b4c270ae5c15b53569 |
| SHA1 | 2f9708a9c5f7e18da4f0e9ebe5ec76983c365633 |
| SHA256 | af5751b33af3c1c0a19f4b04ea91f92e5ef3da2a0c457d863ff348ff7a967ca2 |
| SHA512 | 677c7c494eb41cfc0cdefe2b52c2d1f3e3254ca578c39f8fdc976e7d1bc154751d649c8dd618a67e183a4cc036bb293049b7eea1706cd876914405a030888ae6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed12a176d95ccbb8d06104ea29e756d7 |
| SHA1 | 3c095cb0b7ea58b593d7fee23fd65a0959718acd |
| SHA256 | 9f2b1e0886e9b2d5e439e43f25717b315b6a437dbcc4cd8312eb936915312d85 |
| SHA512 | 7b2b97d54f19507c8ba43dc7a9b49ca10eb4481ed882541977b57c6ec29e0298ed3beb19518be34d688e1036be0614787089341268e189dc4869691bd012d570 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4ba35a181cea4724bf3a6cf8f6a178b4 |
| SHA1 | 84287195f2ef332ad7571c0db2db79bfe582fe88 |
| SHA256 | 1af84b60ab22ff9f0ea55f73a0d3ef64e26075c9d8fec5282702dfbf030db9fd |
| SHA512 | 96c85fde8cba95dfcd07847a01f1ba69592ac30c3d91c6516389cd1700b91d255c14f64e7e9bfd89e3e124d2dee7bc9f8bf90587fbacafcf7162af89c34265fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8bb5c3e5b84c3413f384ed0011ccfe89 |
| SHA1 | eb79cae5e1b7602760f576e9bdd16374c99e01cf |
| SHA256 | 779e2633b4ae55d372018a24453019df65eb51a55a1a61d0e39ac4546c0a4d59 |
| SHA512 | dbf95a9955e07f20304c70e69b3ae55b3e3ac9ce7eeb264d146e113aabef09e651c7d65ec3c4d4eea1f309ded4c928e19312d7d049ae2a88f355126f2256e734 |
Analysis: behavioral19
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\menclose.js
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
134s
Max time network
179s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\menclose.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:04
Platform
win7-20230831-en
Max time kernel
168s
Max time network
196s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000eee07e5d8efeaec68fb0a9bf814b4ff6693e01e81cb24d1f5dbf562a083de151000000000e8000000002000020000000f763315bbb576dc219dbf6c57d2cdbe25ddd70a5502953216c9ff3b14a44ff9d20000000ca3e7f87557e3b28135b54581aa4a6dd553abae5efee74073c99eee9b5868748400000004315f5cef0b9519ea2a7bcf586e7742adb28680523b9abf492a6e7020ff49b15a0819c27992ca51c60745f83a7e8f7410fef68aba56739a49cb3ad14c9fc6929 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef0000000002000000000010660000000100002000000003a04383427e59f06d469c02f3edd1a88e3cdef456b5d677bca84364f25a2895000000000e8000000002000020000000925e3efa5e3f9ea05ea96980ac3cc9065caaba7fa476af490bce846bec269f8e9000000090e890f483331bad2efd6454b55c1eb8418d03c6645c85d24321c980b6a8fe942ffbc04e09c30bdc8fad397256bdfdbca67993fdc50d56faf492fac4ec9bc66e6e6bb752486dbead7e1a23059890997d25a79252a662c2ecab9c00aff0c2eb4a93244c4f33061812319de0e5a61f8c992c50861811836e25405be4a792dc269a73a4da99c31c743b3f573df6402582a64000000021c3f33f1b4a65c0ec92ee55d06bc0f67d5a14dba6a5adfbeed5080a0eb13140e9b6efd52055986f16e677fbaba06e8749a38e1ebf21f882723627fb1cd613e3 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103165" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE66C821-5538-11EE-83A6-7A253D57155B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e765a345e9d901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab4C7C.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar4D2C.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f9283b415722f652a08f3586d3841008 |
| SHA1 | 0477c3f7ecd0883a6817865a1fd5cbcd26b09937 |
| SHA256 | 3f7b608451381331209897d84ccddc1c94804eb212abc7bb7ac3b94be015265a |
| SHA512 | aa14a17e7b265952f0ce7cbaceb5e2d3da4c5f6db19cabee5b39a53deaa1868936ef13662126fad8c1dba5c22e38f80cc8f9c948a2ffea567220174747e07bf2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8678102da1c0810e2094a43035ee44a0 |
| SHA1 | 6a9c5da3c811434242fdc932c24fd4867120d1ac |
| SHA256 | 724d98c36b2e576adba38f55e0070107afbcfe49b125763c3854470f4ac73b51 |
| SHA512 | 8a4d806ea6faf2d2fce33e00862e837a93b2ea7049771842ea141fd6973fd9674e93a66530ab6d805f5b68d584f1dd53552bda19b69d961f75fb5882d26ca8b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 343d84e116c1c646fb989eb9b858b7e1 |
| SHA1 | 051de06eb1438c46ce08b503f33c3687fd5a27f8 |
| SHA256 | 9e331f594cd704a08f2f58f79828ff88e568a6bf1ce8de7c034039610f898441 |
| SHA512 | 4ce58117a7787b9b6a827e464b0dc43508288c61cce7b2f8212ce3623e532856f0007aee04326cd27eb009fe32b264123b8a491a26048717d68e0c42523cd3db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afb039f9ae24f9513ffda8a55e9652d7 |
| SHA1 | e12ef64df1c035269478a4a4a0d26c13b6ec2cc6 |
| SHA256 | 6c52496fb1cfb478e1638725899f063f39bba95d483a94178d0670343dbeddae |
| SHA512 | 1e65e3ef8e2ad72f05e9df924a2d283f3e8f3f22dda9e8907d5d6f44bd134710f4dc2d30289151044cdebbba24a7c5952e0adda8c8017c0147c2358875ffe4b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39a61fbda0e3a17290b8959758aaa1db |
| SHA1 | 5a4fe8931b2f0cc01d01be61d657d6e4fefac2dc |
| SHA256 | 911f09d2784636443e1906c67c5c0fdf359427b7371e0fa2cac890f4d7284f50 |
| SHA512 | f1b54dd8f111d97113ac829831a123160a80b7ecda7bd95911d438c10e4bc0b10080c01b3fb180327fd3e42c0655c90b81c2f86b070bd622b2e6787b5fc6074d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9ac1804844355e1e554c870460de1ad4 |
| SHA1 | 462996e0b696a493c482b7cb5afc00788107e491 |
| SHA256 | d1806e8a46a432d3d6e49ebf90406d3049eacee52912901398e75a3fea7eb689 |
| SHA512 | b706529073ecc5fb4a5962befd115cac6b9b221c9599fb23f330c36f2eba98f76c1e7e3bc0ce1746c7349e7379558995f9ecb77f97274889e92ea73fadae39d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85356afa4c0c6ce400115bd696f0cd7d |
| SHA1 | 592b930886f78e54173a7fabe69542c56004b3e6 |
| SHA256 | 276807ee8c900ced78c08d4dccf14f8440fc59a17ecad25e3f9616838d13eb54 |
| SHA512 | 79b6ee5837163ff65e1ff286cfef39ed88a6037a73705c03fdc00fd9e966299aec6306e5f470372bd4dbae4ac15569284ffaf2c80858bfd70866a60457f40e3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a144fc707779009a3dcfbbd14a37cdd0 |
| SHA1 | 45fd21abfc5d1b3d3fa1a6856d406ab3de22fd4c |
| SHA256 | 9c2934fb71e92965a81babb2c7c0e6e99c06a4489d808db20c7232a652c16bd7 |
| SHA512 | 8c061dffbc5893549b120eb4dad56303eb67ea701f4804e23046132bd8bd369efd138d011ec6298dc09066edcf6d5f9dea84364d6b6034ec504e8b63c1c4d667 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ca3ea50467673015c81565ebd9ec05b |
| SHA1 | 24f2c40e3f4028292c0a312d04cc37c248ce7a29 |
| SHA256 | 55b66ea55c40f1648f10067041574e82dfd1f4b453b5ca6b30b1e4e6f177c4ac |
| SHA512 | 881501d95405a0cdf4de9bdbb279c45961e574a8da84a8170095f007d1c370d0161a71cb5a63a61b5f6f517a889a998b297bb2ffea0bfbfb9a7ba65632174c50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fea7ba27d3917358b6785aeb1cfd0301 |
| SHA1 | 37865ccd49265a718a3b4cee3df132d299a4841a |
| SHA256 | f314aabf72b5b1f06a38ad5056c6f89dcf92f017499dc6957ceae101bb3e8280 |
| SHA512 | 8994515fa97612db2fa3eba86b65d2c6a71c0cff07c6b84d3e8076bd76e6d608b5ffdb9d570d0255a79e016d81e397e28f292977f327e2e135e60ec2b8a70a08 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c80201ca61827eefc63370ccab90ceb2 |
| SHA1 | f65979106cd35c225a6332cb9ddd51c8f55e3026 |
| SHA256 | 269ac17e50917fabf1bc2e4402d66d24fc646c5a4af77e35cfc2f2ced5acf8df |
| SHA512 | e65922226375ef21dbe65b1a52efb0f368a200b8d242d0c525d864cb44ec49fa9d27056d0745a47b71c777861f216c1c1c161958ea8c10eca591007d10e4e127 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | feb8c04ca13dee7efd7b69072d77cca2 |
| SHA1 | f583895627c5725498bafb9e325b4618f7064589 |
| SHA256 | be9059040ade6b892aa73bf3c47f08c3897b300cbca79b70187e0711767fb597 |
| SHA512 | 83d08fda0fefd1f85a989c7ca81b7bd9d2efdb6a3a9770e03c40880dededfe639681aef68ad731b823d6c01b254bc9ead72e253915f560a66ddee166d66c6016 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2093f7eb2b13cd43f127bc3b413f701f |
| SHA1 | 70e13bc38a88bdfe4b6be4a3afa5578bd9de16e5 |
| SHA256 | 3b7e19c475b4123f3c12745d707cf70759fad2b8b9393fa323727ea03e469ee6 |
| SHA512 | 5b82a9e3c9010c29460940ec8edb4fb043c8a00c04e2ea885b2460dfab23716ec8a194216eadd1747c9d2ca51c46426772739cc97b036e7f38ed223b6c3867ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c11e6f116470241ebd019faabe439f5 |
| SHA1 | c456b1fc8df57882a413c5b2835c4b96a15cd18c |
| SHA256 | 30acddcee295a432e3d2ff5073801f6cb79567ea38ae34f52c3163d84271d597 |
| SHA512 | 738ae5ca0062319d5d3b0a39806e64092df6e6b9f70491e3411732927317e723d475aed8ebc5704fe6af4f3bb7b6fa55c1db3e06b0f0fe26cd5ef16e00ac7179 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ddaafb020d21c441e86b170fd31cfdb9 |
| SHA1 | acab9245ad8794f196a5659d315e4957ca69adce |
| SHA256 | 5f43aaeb569a0da6e190f97ffd685819073d216b66d9205ae81c1a1a55e2c75a |
| SHA512 | cce1e709db6aa497ded07a2c2cbd2c9491fe4d599719db32c2c9c38eebb995144dc7faa8b204715367c6368fb9dbf3b40054c83659c93703fa8c1794769eb45d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1876640f943b27e5d152f99e77f7aead |
| SHA1 | 79bd77b71ca281f144ce27c7f2467b9eba221469 |
| SHA256 | bfc86c9c54e07f162549cfe61d8efca03850fb0b4056d7636135ff05cc79cf56 |
| SHA512 | 71206a37c13621dfe4acadc04188019a72fadf75a3b3190b369431498d2b1fef90ef12eec15b96f4a056e94d748d606280034752881e512ee16b1d13c99a3147 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7f4a6c78368fef3ac22c5d1b50a6bc4 |
| SHA1 | d7ad1ed475974014a073466f968bcc0ceaf59012 |
| SHA256 | 559f646ebf53ae32bd4033c600c7405e47296adb4d441f5ff7dec5586f328574 |
| SHA512 | a91705a275ded09e1565a3a5616ef67ba3677380b4f32b120cf3fa42d18cea234a056e929369b9508e3101d874ffffdb196ce836983d45f46a0a0b8c7c4bd849 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aa7c73d2e025549e2e53366ac2ae6dfa |
| SHA1 | c2de4ab7c701f05771534987e24651b5a3bf34fb |
| SHA256 | 0bf5acf4c43e417a2f9a141ce4a6dff2126223da17a77f012ed06a423dcea51a |
| SHA512 | 1d939b991ea967681e8fad9e433d83b154942be8633f74acf6f601150a6e4a524dcd2617323369e75f994f32161b3d04c47ccc58ef00dd404702bdbe7d27365f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4bdafa8065acc849d7c9e45981d9f691 |
| SHA1 | 7a81d088f972a669892d834dc92c446b53ec11f0 |
| SHA256 | 361ebf0b437aafb93a80bfdf284998c66ee546cd47cfae71e2bc65f2f888e7e8 |
| SHA512 | 06a78bcbff6afe682f26ab1c75df4d10ac7c79b1b54af613c2294fa7830c1bff8baaf8ea66e3abe3cd07826bfcbaa824db69a14ae09f52ce0207b8b81e79cab5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 74f1a5b7b6e2246387210a54619cd913 |
| SHA1 | e9c4d36bd858e48309f60701f68fd1cfd2daa625 |
| SHA256 | ef0f620e4807f1ce8c5b49af557ba86f1e8c19b411187cd23cd36e1087ddb591 |
| SHA512 | 7701cf8ad5201dbe2ad2e6c1fd8868b4563e867f983ecb99c5e8201e247dd11e25c3e9310c88508144aeb821ae9f5c42bbba6499554951000615b1785559f2ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3121fdf27b442d7f29f43817cab4278a |
| SHA1 | 0d3adc078bf36e4a51fbb741ec74fad11f800e9f |
| SHA256 | ce38dc6b1bc704e0bc467fa356a40b5a9b528428d1f2fa33d24781bb74c44209 |
| SHA512 | 083c57912694a3ff40c140c0bc293d73fd1947e08d8206aa765850e9d6a3746c47b3e15caa7c9dd60673d17a1739fcf2a16e2b4d25c81fe1782bfd86c3385312 |
Analysis: behavioral15
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:04
Platform
win7-20230831-en
Max time kernel
107s
Max time network
196s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000d63940e85518ff99a6c3802cab3d2b5f7e5cbae753ac8b35635ade0bb6aab24e000000000e8000000002000020000000968a5966c2c32e8bed1125f6c7f6160e4c0231d59a7b8cd99f6951da118a71f920000000d35c1d3b51128ec60d8a828b0d5f96940e0575743fdaddacbebd290e1df6c31240000000797f2ffd5ba294fb10272f112b11a00a48e865b83de09c03731b81ef31eb2d34e52cbaeb0b65d130de7f812618008f9cc24517f538aa102ab98519afd5133854 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000a704dd6d5a108d0d03ad2b4c0ca77717208fa2609914050b37e58b5aba449555000000000e800000000200002000000026cfecca2e2efaca6394a4edbbad1e1462e8c70fad110b96980c6314e5bd60879000000072dabd8145dfb28d2015faa5d1e170db89dc92629e25b97aea1764102bfefd6fb63c4e9c3e56bef02c23a23fcc1d14e011ddf9c451ef6995a85a8fa3169501e34b7e4260f880210d327cdc91c2c866cf0a872d71d0bbddce482d83e9cfca427c25ad0a26b50661c655949d9b559a70b4c0f6a33de06ab9cc2ec81bb8b44bafe333f0866209f8a72eff4dd88c090d5bf240000000210589349360cf3cd0134fd338e2e800aced818b1b7543ea4c2ebd546f22bbdae123af0f98066e0f40ac397dab1ea1d18e053f234d67ceaa52a240be4e74cee7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103165" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE27C351-5538-11EE-935A-5AA0ABA81FFA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ad1aa345e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2088 wrote to memory of 2692 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2088 wrote to memory of 2692 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2088 wrote to memory of 2692 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2088 wrote to memory of 2692 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5007.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5096.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dbdaddf44928e08e27e9ca29a261d0a4 |
| SHA1 | 112140e582dbc2eb900bd978c83fe2565187f532 |
| SHA256 | 59d6ab4b80f584436c8894fc3d128a6b8375dc85bb05bf432580998dddf9c8ae |
| SHA512 | 8bd8d7fc92371142583d5a1070f89c29d1971f77e9d52297faacf57a04eff1e237182fb15515bd90082a0109ece2ab03b12103b3f8f2e2c5e69125c777e653e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48d207ea6f5f8102e2ee9f02fc7addd8 |
| SHA1 | 9753f6564f4babce50b568907a28f951f5e8aee1 |
| SHA256 | 1c682b35f66438ffd6d90e40bda319063dcc804a8763c7feda3acf148b35cf08 |
| SHA512 | ea378801f914dc53e084e875a4b64be14550aae446b438e26c72ace15b1f2c972a4591e71b8da578bd991c5d5844bd0797b4976ee4b9ffece453bb4ae4e933b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28ccf0db871195614a826e199b70de48 |
| SHA1 | bb754ae23d48dbc08e2e8bcab3930adc40c5c570 |
| SHA256 | eba7999cc83499711883a029c5086f3dcec55adb07cb25ba4d054ebffc007484 |
| SHA512 | 8672cdc63175d15b28a8dcc0dca26c489a9ed383bb0a5bf11a7aa155be48b77ad2fa79e8b7865d1a65c9038c86033cba45fe366a1737d58ff5eacb36c3daeda7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39b471e2d88e42acc730dc0a314e4b74 |
| SHA1 | 3e48988e2582eef962046396c6171c293d105968 |
| SHA256 | 2f698511eb49c02e19de30cd9c67dff38690f3ef52c5484e277aa1949534d2dc |
| SHA512 | c1e133484f28142edde60bec24785d6680df18da33f5847d11d3db75bb633dd0a987adf8fa85a1b64d4b7e79c991a388913b6d4aa001923a8727555e943a4e98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e7ea54f588d46228327ca67bdea4cd7e |
| SHA1 | 1c1f8e7cd4bdf54973b0254552364275659f932e |
| SHA256 | d4659011f8108d7c6d83faa012ca872646d63fd77160830a0d329a8250c45def |
| SHA512 | a960761932f505a4b58d88191d1e67be900d63f07cc95db9503c60aae7562f3169f0e54e049edd75387e8b1fa1006128e39cbb77d209af0efaa0e99b4ca4cc98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22e6d00bb87724a6542a00ea2f4b1fa6 |
| SHA1 | f3759f672b8d699d6894d335fdbe870ec288d303 |
| SHA256 | 452d6a500416becdf93ee5b6403ba219978ebb9ea980e38fb2dd29fb4a223ec1 |
| SHA512 | 33a978edbc1b14a7649c7535e78fdf25f2b68db8fee83cd45f70f7e97db2671d109e2432786150b0d533b1e7a53a5cc9c4057377e9606714e5dce2aa79f01294 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5606c7864c20ef6e63500678385d48f |
| SHA1 | 7c3878248f093d52e4ccf8d897c42ba1a9045ea2 |
| SHA256 | b61976b9308e5e898765d9c3f72264f19038ce477bcc3bef136b671787b39755 |
| SHA512 | 4ec7eea33bccd746cc2f35fd6e6069909bb023fb26d70b621a48340a5aa94e777518951d3a402e1a24029b25006ce1fb729f849932146b91e3844ee0bf23e576 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b9dc652b5132ccea1b5dd73fd49b2d8 |
| SHA1 | b16df32dde756e69bae3486191a322476973b3d2 |
| SHA256 | cccdda81ff9a846eeeb945cebe50c7ff04a0c9f6abb5dfd1f1cdbd13c3635dd3 |
| SHA512 | be910b1f12861bd87a2217c2980eaa0d9c7050510af85175e03555aae933c0d7fe42b0cf7cbedf5017c7034a2a9b397ad7432e4835ce62b0c2eece0f33e228fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52196edeca79da1f6ebe0fda29fc9e40 |
| SHA1 | 1f9d2b3ee663cf89ff559f64c4fdd44671cbb687 |
| SHA256 | 612936e7a7cc4e6102100f133ffb3d13afb2db2d092c039e320afc60d6b43c96 |
| SHA512 | bb6ee16c12439e0b5cc4fceb072df7051606f30db0cf9c6a7dc2c269bac342ad194bf7ba1da28edeb786aeb176abe9a16807b5f7a41d8b8e7855c89d7e35eb4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c70cee0f2db76f06ab38d91c64f8365f |
| SHA1 | efb2aed65dc28c7bf5de1387d6bd1899dfd11557 |
| SHA256 | 809aa7a9c10cf14bc01b60cd408addb739bcb2f1da0454e3cebf199604ea5f18 |
| SHA512 | d9eea47e1f7bad72f4ab6c99b824b905ef2315bcab90f90df34fdb3f33d65bfad1047dd483a63862686d6568abe3f3fa6cb2477a7a7ae058a8c00a4dba7f4d47 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9261f90071ee7de949036bd6ddad8d0 |
| SHA1 | 88e2f2776ef1f1a67905d7ba47df6ac8a59b0066 |
| SHA256 | b4c0add04bb7e883dcdf0596f34d6c8d9444cfeb8f53db0aa0a3a8689799f52f |
| SHA512 | 785c59b8959b99ae72e6dc7182b86ddd96bc26d2cfe573b57bf317360cb5a71ada687bffe5d0e80a157ab9197624ab969e80af0929de2258f61c327b7d119d63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1079e01bc401a504967d15543d165a72 |
| SHA1 | 1ef1d021e4d42a33b90e858e10902b72f15cf5d2 |
| SHA256 | eb6a9b362373ab1a10aabafcae19abc69d080b3ae4529e7075984ecdc62c1b33 |
| SHA512 | e1aa3a30b51c57a211be05611eddc0e601af84a7e5c1ad347bec148e4ebfea8cd728582f0c229b9fa30b7dedecfb68c9465c5840f8b0597a70b8556b8cbcbdef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a1c727caabadd1d5559c8b42711e17f |
| SHA1 | 3b10ae30d2079c9856362b74e3d570e7b7a25786 |
| SHA256 | 53c843101cb272e3ebdeec67505aa4248dfa93cf08e13a7048e7ac520f097288 |
| SHA512 | b6223e82d724ad6ab37e07a379e04badd467686cf270a61cca1f64fa132c3c5e8a9a1bba262fb2c08d0b7c3f8493b2b21c03f31c2716548edb2b90492da34f46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae10f20890c1c431dff3e18241abd122 |
| SHA1 | d681b32156899a62438ecb3b42ae94039d383ccf |
| SHA256 | 9f2e045e4837229e89b79c220e34bd6ff89470b5d0eb494cfe4d1e962fd28629 |
| SHA512 | 3f3b8f3518469dbe732721d41c05e6608a661f63859e5c9f320efa81e30682d21423e451b93a0f9a3e9be9f3f01c211ce227a41e0ca9d4cce32e11a962d831a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cba03b965da7e941d3a7b039eab170a |
| SHA1 | cf072205b57fe1a6f62fa76bf5fe45f1a137bf1d |
| SHA256 | 72c111dd05595b32e7a4fdf59439a1abc81e3dc9ec8528a176cf39d68b068d39 |
| SHA512 | efd815e484bdcf7dab64171e86d614da46219c544e818c55353f6c8d80b9c1fe0229845c4062118a10d0da0742dd4005b8e1cce1b1619131cf0eb67857e7d018 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 816283780cb7d9a33c7428509f701cbb |
| SHA1 | aadf6530153ff349696c2eeae2594f1c21dea57b |
| SHA256 | 8ce487185a456073ea2416227c0507fbf0abf7a38fb933ccf066c5c3c9024791 |
| SHA512 | a6ba03bc46b0b97608b71faca5be0e067571f3caa31e226e4873f8d1fcd0d8a866b6f0339962051485c48972a3deb9b6c408ab4ce616986f5af83cea7155c0e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9fa80d74df238da6305bacb8d1545b5 |
| SHA1 | d477df0f3206176a10b9d968f02cccfa4cf99415 |
| SHA256 | 7dbd287eef11a3da5869644763a1a6ec9d328b147ad711b3698b19aa1c3226dd |
| SHA512 | 6c91df63db948aa8fefce192a92bcd52ab771c688bb662c19832cd90836b10078cec66e28388964a692cb534c58bb1c4764edbf26b4a1264141a2dbcfe5a3ac5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cbc940fa0049beb8324146fc8b5bc0ad |
| SHA1 | afb361faabffd4afdb9bd33d19937c64b9f89c67 |
| SHA256 | 867dd9fad75ef82aed834b5d195af1e1b07d60f316c3f8745318623079350039 |
| SHA512 | aad064442fbcbb7c3eb3eb662cb82f4cccd2a65a25d75424f1ee04adc2b89bd81e86aaa0483782a676fab077afb6753e63c9a82fda63bdf4facc4b0596c46877 |
Analysis: behavioral24
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mmultiscripts.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
140s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ms.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mtable.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
android-x86-arm-20230831-en
Max time kernel
2724270s
Max time network
157s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json | N/A | N/A |
| N/A | /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json | N/A | N/A |
| N/A | /data/user/0/com.factupx/cache/phgpygedzvieza | N/A | N/A |
| N/A | /data/user/0/com.factupx/cache/phgpygedzvieza | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.factupx
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.factupx/app_DynamicOptDex/oat/x86/ujycFt.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | 46fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 31fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 44fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 36fdghhoo11.com | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | 47fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 34fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 43fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 40fdghhoo11.com | udp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| US | 1.1.1.1:53 | 36fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 48fdghhoo11.com | udp |
| US | 1.1.1.1:53 | 38fdghhoo11.com | udp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| NL | 142.251.36.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
| BG | 171.22.28.202:443 | 40fdghhoo11.com | tcp |
Files
/data/data/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | cbeb2a330bc5bb595285f8b49de824b4 |
| SHA1 | ca0ac1ba2b1ee3a315bdfead4d300262e63f0f40 |
| SHA256 | bf99b8738dfdd69f74e5da3369b205d4be8f01d8a0bd147b4bf46ba0cbf002a2 |
| SHA512 | 85fb4110db3facc4600037ab3493eca9fb1f7302637fe992e486cb506544abd8546182b545272c29c101a10ab7fa486491dd544cf63af153da4754aed4116752 |
/data/data/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | ccb34a777bfd9dcf00e1bf1ea73abb21 |
| SHA1 | 505d5b6b4132d042690716a9afeae62769f8cd26 |
| SHA256 | 0154661f8ff3116976885edbb9daf2a51293db5bccf953a1d7aa4521b56e1bf7 |
| SHA512 | eee31641031e1a0ef30341c15ef07bcf68b42267e80de3ce736655c9238de17245a484f7ca238d02d1bed9ae27fcd33ea42ab99d1e2959c03b3039a4383850bc |
/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | f9f93d3eff43dfce4e7c5a1cf8546290 |
| SHA1 | bd705897eb5b1e0ade8de52281f7c5137e26daf2 |
| SHA256 | 642f9179c2c98febc07887ec91eb00e328ac13e35a93492eb2533216e015361c |
| SHA512 | 25da6b35caa5403d8ba032182e45a19ac2c4e6f4f53d95c2b888548cf284dc6243a4093849c5016afd7156ce1ba6b859c02735302fe8902b4c4b923d6f420355 |
/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json
| MD5 | 6e4f53accdcc8cccbc638a04af27e930 |
| SHA1 | c93b1e8f917fb5b241f3a4789b7632becbe0122e |
| SHA256 | c62a2ab31679bc2739d0a1eb0895d557a0c9c88853e8d7e5d1ebe258f5c927d0 |
| SHA512 | 6356aa2d447dd46f1b028aff6dcd69bc56623a517a0bdf9a8f3c2835d26c457b15593b164dca4831a926a039671dd59ddd4c939bcd01c75ca12d9eeacaca0006 |
/data/data/com.factupx/cache/phgpygedzvieza
| MD5 | 5a80512b1d7846b456ac8f3dbd1c7f3d |
| SHA1 | 2de7cd24c284cbedba4767712a2f9989b3b1c5cb |
| SHA256 | 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3 |
| SHA512 | 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75 |
/data/user/0/com.factupx/cache/phgpygedzvieza
| MD5 | 5a80512b1d7846b456ac8f3dbd1c7f3d |
| SHA1 | 2de7cd24c284cbedba4767712a2f9989b3b1c5cb |
| SHA256 | 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3 |
| SHA512 | 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75 |
/data/user/0/com.factupx/cache/phgpygedzvieza
| MD5 | 5a80512b1d7846b456ac8f3dbd1c7f3d |
| SHA1 | 2de7cd24c284cbedba4767712a2f9989b3b1c5cb |
| SHA256 | 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3 |
| SHA512 | 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75 |
/data/data/com.factupx/kl.txt
| MD5 | 6311c3fd15588bb5c126e6c28ff5fffe |
| SHA1 | ce81d136fce31779f4dd62e20bdaf99c91e2fc57 |
| SHA256 | 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8 |
| SHA512 | 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6 |
/data/data/com.factupx/kl.txt
| MD5 | 6cb2f824cca8ebf4be6d57e7aebcd086 |
| SHA1 | ce3795ca73465103efe3b99101ed75bd35bf5432 |
| SHA256 | 9e07ffc622264f08afe396afa0f54d1409881f6fa28b46db35d0ec802c02588d |
| SHA512 | 8a92b1284ff010aa5758f7d12cc56cca86273976579e22abc251b61e270af8bd09943147808d5065c5572bcc31d7a1b305cb9b997e452b0f108376eca20763e1 |
/data/data/com.factupx/kl.txt
| MD5 | 0093a1a11be6e0cc065b7007215ef6fa |
| SHA1 | 4f934846e02a0b066d20640f877beff81c396df9 |
| SHA256 | e3dd2fc8e76ecb6046172b7bd5bac55dc06b69350f39ca690f51de20e3061c8b |
| SHA512 | fb15bc03c24d83b3496719e648e85c0107506247ce7aeeb84e8644739b1faa7687f41f0d9b7c075964b6545e0d0199abbd71550d78fb955fcfa6e7b83fdb42c6 |
/data/data/com.factupx/kl.txt
| MD5 | a9681eb3ff9d48125d73fbbd62cb1052 |
| SHA1 | 75d64403bfa5b79782d42d201a50f7ea9e844252 |
| SHA256 | a83f8e706d25dc5e4f2ddf3b45105520c33e2821da0963a0f5357adab9777923 |
| SHA512 | 32d871feb8d7ce1de1a3fdf957fd04be644bcec83b003008509e8a026215f0bb09f6bcf9835abf7201a9dd310cb5e40c285a5a76f90b55131d709da637d79d8c |
/data/data/com.factupx/kl.txt
| MD5 | 6f4548b141e37723fada89c7fc2bec43 |
| SHA1 | d6bf82f6d6a4e581d8e7991df47c194212dfe300 |
| SHA256 | 352075f067125d7fbd0560dccea35bda9c59aad64a536b1a7ab3422f5cf455b3 |
| SHA512 | 4b201a558df03c8b6e1653ff38c3cae79f73bb1a9e7210a5368d6369aac3fa0a51f7f7c425b1d3bdb9dbae8f2c54c353209f61b951c2cfed0138cbbbea671961 |
/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof
| MD5 | 93e5092dfd5c3c5359c51c07fdd0118f |
| SHA1 | 65423a218507a080cbf148ff916643a963320f89 |
| SHA256 | 325e625fa22206a4a1deb7e91dfa628933c6316e9280d4d1f19611f7a0a048ed |
| SHA512 | 23ec5f53148c85e3d1eb979005ac23e778f0820e39a1f139e18e9159203821072eeab492205716ea4f0f3b10d3a6c5c985ee1b6664eb4b9d0051d24ff773dd09 |
/data/data/com.factupx/.qcom.factupx
| MD5 | 046a414913add6f5bb60072c7db819b6 |
| SHA1 | 451ee4f6809260aec622d772fd329c7d0297a842 |
| SHA256 | b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a |
| SHA512 | 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2135331894" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2151113971" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401706212" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef5000000000200000000001066000000010000200000003c3cde5a638f0a4125be428d41ef67031f3f5456905ef0c4589e247701598534000000000e8000000002000020000000ec448a6d38cec17b854edd8d45347f5a10eb4eeba9c954c61548f24b8a1c8d9720000000d502d987d67d460d88df4864bf6903be932568c093e5a61a5749a98f2267e8c1400000002a7fdb9d067c0297d77fe428decbd3dd720ed0f823619191ad85edef9e05a1f071aa7dd0b4bdf081c27dab43d37cdd79712813aff2c265a05e8f2f4ebc07ca41 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2135331894" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d1c88045e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d6cf8045e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef50000000002000000000010660000000100002000000033d5b08e9899ab07a5670a624a7be5d61674c715ec9718e32be0ae9798d8ed65000000000e8000000002000020000000375a8e0f20307563bfc38a4b5b339210cb3299f73d098107e8d5ef24b903dc0f20000000c517de2890ac45ac69f344531c7f3f161b0ce6296885b8b7bf04376527dc7f354000000043dbfc4da2a183f6e4ee0fb3969d78eebd27ce6681057cd1913679e5aa179da6060fbcb25bd2cfc144d5203f063a8aecbb954bb3455ab9b8f0d2874749d3153b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AAC0679E-5538-11EE-9784-FEEDB4A4667E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 380 wrote to memory of 3244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 380 wrote to memory of 3244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 380 wrote to memory of 3244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\demo.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBSMWSRL\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/916-1-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp
memory/916-0-0x00007FFC73150000-0x00007FFC73160000-memory.dmp
memory/916-2-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp
memory/916-3-0x00007FFCB0890000-0x00007FFCB0B59000-memory.dmp
memory/916-4-0x00007FFC73150000-0x00007FFC73160000-memory.dmp
memory/916-5-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/4188-0-0x00007FFE3BA10000-0x00007FFE3BA20000-memory.dmp
memory/4188-1-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp
memory/4188-2-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp
memory/4188-3-0x00007FFE79580000-0x00007FFE79849000-memory.dmp
memory/4188-4-0x00007FFE3BA10000-0x00007FFE3BA20000-memory.dmp
memory/4188-5-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\maction.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\multiline.js
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
167s
Max time network
168s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\multiline.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
137s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4040e77e45e9d901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103104" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004a160ba1b44b4cea5c06e72da9247d8dbfa5f80839583263139c350d86371383000000000e80000000020000200000009c00c82d4b4488c1791e4187232808fd2d73266ab50924030db2fea8b891ae0e2000000068c31b0a0b9c3aa1b2ff997a32ee3d44d7b5d9141456383d55ad6559e76c1c6740000000f9a5039b35feb56b01489900f368cfd91fee5e2a097373a1581bb2c3351f5ae81a7a81823918ab822e3b29baaa5712c18f3dfff54e650fb727cd958c9b0c17e0 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000078e7bb8cef0ce9b7398fd3960a6c0fd608a319f4b5fa3ff93585f0a76d3900b7000000000e80000000020000200000003149ca1e76d354c01ae2c1b2b22133449ca5060fed13264e90048b48e18148a39000000067f574407b65cd11bf95293677a19e3ebc34bc4ecb95732b81ea1290983594905fd7307cf3e3b351b1f8c4d91446b6ca07d0f557d7739bfe4fd38c45cf317f8bfd5b4082ec018889ea58202cc97fd205b9e4992daecc6be0c894e1535ce090e7864ca2e282c8ed36c42131bd282e83483c2f2e4f8b652a31ee8c3872d21934c7256ffd0ad69ea1404bbf5a4a2c2fa28c40000000243c976fac0d03f9b9b18b54700a49fcbe1a0b6cddb2f2f68f121c8d5fe33220758316f594c9aea133c31b8e72e649828428eb1f25351c2e6ea0d29df805faef | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A99BD621-5538-11EE-BD1B-D2B3C10F014B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab54F6.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5AF2.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33b6ce32931ec369c46cb0632f4d15c4 |
| SHA1 | c731358296508ba276cf0d8066049ba5d57be802 |
| SHA256 | 4ed66811d909f9b2161b5987a53fa10e22ca68e15697178ebe539b5109feb57c |
| SHA512 | b52992ad20caa68a11ca34fd98ef483e4dc1c89b2909d07687ba5f61708e742b54740a5e03f0ef6b04c70693450cc093fd794552184fd5c3beb4484aef2e298e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 065d396d0fc9acd5b84b92eef2f62aa9 |
| SHA1 | 9c0e30e119ada2fa88bfe701b6012cca5e379f5e |
| SHA256 | 94dcb020d9c82367c23edc78e556f506433a2b70c482bd382f785576f61e78fd |
| SHA512 | 0f60cc3addab044a3fb61d167189ccbf1fbedbdac06a7f30d8434bf39acc91d70f0eefff30b154868dfd057fcb395ceee2250dcef116edb290eaddc6ea52a2bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c134b05753f9f98f0742134f042bae5 |
| SHA1 | cc9f5aad508aa0eb56e417879f983bc873c87019 |
| SHA256 | 97ec207092063508227f5170805f4b2e7a45ae430a959880b3f946ee3343025e |
| SHA512 | 07dbb8a80ec347fb7b27aff7a5f4ccf3461670b335223fada071884b2e6aab9e0470ae156177e3ef6be30feaa175b2fbfddca7cb055fcd047af4bc9043854aeb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a3f5593417243275fc62c713bbd9572 |
| SHA1 | 3506a1cd3e0d8b7251b57fea053afbd95b4244a8 |
| SHA256 | 5fad04e38f2c9badd481eef044a2a0744e324fbfd3a5ff1f9378d5449bbe60cb |
| SHA512 | 433b7386a8996e111bd087368386bf893b48972bfb3517495cdf601c8608d49f9f9e2395dfdbf50ac2e12141229c632f0e315891952757039a7da9eba8b57a58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b696f5ddea255bccbd51028b0a42674c |
| SHA1 | 2211155b36229dd086fd056ed7b029cefa6354be |
| SHA256 | f19aef128a7749ae92fcc1a27646be9d8bf72eb1d3ade7f36ab77892d4dcec42 |
| SHA512 | 4d59fed5fc54903e9f0ab4f7ecfd3ca7f747ad87d0f87afdcae03c8ee854cdda9b7da7413de57d54054ed71c71e7fc56baede929aeb55181f72f11db60e4a805 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90086e8c55c794b4f8c5a2646fd323e6 |
| SHA1 | 794b7aee12cb9036d59130fce955181d9ab837a1 |
| SHA256 | a47fc5557a471f161cc0df3a00a520dc970221a404f29dc00edd385db55a37d9 |
| SHA512 | cdc8c062fcb0f2cd69049f6dfb3f6c9a51516196c0b4749adb2a05f6660630f3038ca76f4fed707858edfac6189300e27a5e4e173b458d93829b9e51231a7507 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47aaf40158acf55be10a7f0c2ebef828 |
| SHA1 | 655af67711132a7b9baa9cb46e7d027fc2e76002 |
| SHA256 | 4a21320d565630cc72e4343ca44e695a4c29df27ef261bedf489783ea1a7017a |
| SHA512 | cbfdbffff0d45fbe17d87cffdca12e645248668644d81140245eb9d7cff8d12dda4a83ad0a70f672ff7a99aa17b30680d0440768e96399bd532c6b45e57e569b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4767a251f162690d7cfc6c6dc9280c69 |
| SHA1 | a994f4fd41d16ecdabea7ff774449b1373c10b30 |
| SHA256 | 9be05bc83e73784bab86e5b0ed73db95310f8f5bb23a4c5824e97c606f0f4002 |
| SHA512 | fa0e704e393204c426682e0d038cc1d006a5d32a8bb7a9aebfa2d07737432e542b56d0e67b99cd9172b71db1c7774d9e048da557377e21bf2f18f7a090b77c51 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a713d103850d16c9af3e68b62ace905 |
| SHA1 | fd85f28b7c408cb92e4ac87c8992b77f8de92b8d |
| SHA256 | d84e676aed0455cfb325e875743b927284343de6345c80e6f099a5a56664a164 |
| SHA512 | 28f5949a22c6b7de3b7a966ef248e00e2d6b54fd25419e10538f4174b413025e3dc8f2904d16301cdd6644077c73318435b90f130bcaab1dd4b4870ec8fb40c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12bba8d4e903ae804121227044903245 |
| SHA1 | 75237a48373fa9b3173fe8e29e5d9a5ed7bdf2bc |
| SHA256 | 2bcdcdd0e0ffc1358098e8ded083f558f0cbc684277fff5905b5b2a4d99ab7d5 |
| SHA512 | 94aab905568380ed555eeea92269640639f287a7b0f4fb1148164fb68eb6b007cb1c60cffc7bceaed5ffc24f7170972939d7f543dd99101dcc55c4d7f59686d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae452718c1013c504f0eb043e4fdde43 |
| SHA1 | 41834ebccc9aa4c28e3a9f90f51fc15732ff3a2e |
| SHA256 | 13c1e499a90c7ca17c26e4f0264e292d21ed6025b44ca1cdb717af9e99a2e9d2 |
| SHA512 | 908b23e95b7aad5f5e1d61e51e6ab964b0fa8cb51b780f085c16a88d9b1857418039bf0a1cc11a8f131c4294f7c6849f204a8f991802440b9f3844795924aa1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d0481114c3a13d6ef3b7c57838842b0 |
| SHA1 | f4a47854e57e079f5689b3a241246a7e82be1acd |
| SHA256 | 17a42bf8fef9310c8db009e1c81385de1153aba7bcba3669c708df5b3b955959 |
| SHA512 | 25f1b0bbbe5db4e6d491c4e7cf162ff95bab9a9fea382f71f7ff074012e642347205a87a4539f54a09d3f0b16315d41ecc0670b0aeb83b40b727a5515d4d14c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 536d1a8b3496c82e9ade3c61a24e99e8 |
| SHA1 | 995d17c269d72b1c0deb0402d0fe8921528698c3 |
| SHA256 | 0016081361d0430726364f765f3cf74c4bcc1771ed4d192b52f5ee8d73276ea7 |
| SHA512 | 31600b68ad623b44bfef2b09ac7388fba2a7fe20f34d6e03b856b137218ff56cd2b8dd06b7ae446d842d72bf1d495175c4110357b483df04d3d6393f65acd9ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28e34dbcac0c710861566058f0e3e624 |
| SHA1 | e1d7a900da82be71fc5e5f6452fab9420172a877 |
| SHA256 | 578b21e4abc9f189123533ab79f129a3c4424649460c9a210da971ca59079054 |
| SHA512 | 1816dfddc505eb9e4abf1b9fb47d4a848a5757b373f1266ce6f63f420be925fbe26376e6ebc8069de164c2cc8e1da94b6fd9827aefdbb23cfb2ae75ec63b5c56 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de11a2e1e60748792ba52e06a1693277 |
| SHA1 | 4973081e504ec125f135bd32cc2fe5d64a0fde61 |
| SHA256 | 682bf69f999339204873b5cd569a4b2e33e0f56d7246756dab357a409ffcc80e |
| SHA512 | 512126084d29cd1b5368e64ea3cad2bfb4663273af1a64947fee80371d2835cd2cea4dc745a4c5eb1a239982a8ee276920dabb13740657e10a5cd1bb701f1383 |
Analysis: behavioral16
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2058ca8045e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401706212" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000710937570102eac78757926243ea9fc027d31f6540c9383a456b9dd9c85c780d000000000e8000000002000020000000b02207342a6d1d1625cd578b5329a9a44c0b3a560df95f845c437c9bfbb2a02720000000953fa39ac135ea889f1cf5d232b620c0db8f895eb0e7528f5bb19b573298d6b840000000afe952707fcee54248e8b6eb1ed1573f7abe92cc4cfcc8b02c1a219f00f5b3312032796cce670cceb483f8c748f2b5ab9bc941513ce3e5df0365ffa54c37fe51 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2150746741" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AABAD347-5538-11EE-9784-DA422A6BCB39} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2135277348" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2135277348" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef5000000000200000000001066000000010000200000004ba576573a9f89f8db652c28e8541775de6103a9137d093677f442cbd7a6a81d000000000e800000000200002000000099fdff7fc9a85ded24341fc0aebcbaf0dd4b5d631a754eae45aef3e792acaf2f20000000412aa31e0d5c1064c66aefc5ff1d9bcf5c7fe0aa21bbc1b7a495691b7ff20212400000003af7b8fe8a9c7fd5b3a595accc28e711801d10805807d3f291bbf1142d56f76c1bee3c2dd614bf063de1a890549bfd9e7881302a555b53017a2a86d1da0808c2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f9da8045e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1984 wrote to memory of 872 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1984 wrote to memory of 872 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1984 wrote to memory of 872 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBSMWSRL\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral31
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\no_sleep.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\no_sleep.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/2444-0-0x00007FF91DF30000-0x00007FF91DF40000-memory.dmp
memory/2444-1-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp
memory/2444-2-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp
memory/2444-3-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp
memory/2444-4-0x00007FF95B920000-0x00007FF95BBE9000-memory.dmp
memory/2444-5-0x00007FF91DF30000-0x00007FF91DF40000-memory.dmp
memory/2444-6-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
134s
Max time network
134s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000d64ad76640dba47f36e6d1187c1a8925f7a4c1d6bf84a1700dd8b21b21b3eef7000000000e8000000002000020000000612dc3a99ecc1ba8b1827ae09599ba16b12b51b9a7cde7865a5237fdff4b228f90000000b58b8e7c98b58ed05fcd02bd8086e06ce616c887351ff3c8a61179f0e0e0f69af6b512741761ffe82be441458708791686911455c1204a4c6351d5a76635a85e99367524470ea7f0ae1a3ebb0f225b41ddb3677988f4403268137e45dd264760080eddbb5c8b8b4de557c3003bbefca160d1e3179dc4bb945d2ea9a7c034a9f5d8bfabc89bc9f83ec6dae7db4604879d400000001b6ee562c2d9352d55869ddf3fd7c7015ce4e021cefac23e37a118869e7c3b67e27689bbfde8276bd87b0bff6d8c37c2af44b6201972f96a9d36fe133fcb34e2 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103105" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000ff779e8a8336ec422713327c18c27b98cd0c8b4abd3000e7a4acdc3ca6365945000000000e8000000002000020000000ad42d2313d9e42e8f18b1a516b02d6b1130e0330b75319fcbfd7ebcf3d301982200000006566aa35be0270552fdc02ba43728f56a5457fd8ef3d886b3fe7f9072d35e96c400000008030afd6d9759ed02d7eabf1d81e141969607d9427e8a0a4d45f177b4226650758260c9390b60037028ae367fa7324a6cd8fdfe0e7554a9ae26fcd9127f530d5 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA304DF1-5538-11EE-AB4A-6AEC76ABF58F} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0533b7f45e9d901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6404.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6426.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3c3524a9147c3a3479e4b6c8f42e240 |
| SHA1 | bade7c82047e55c16d8eaabc6c72e6033ae7b164 |
| SHA256 | 440a6ce9a4a01e414d9b8ea2bde8577186996869e7444f9370a22c1846848e11 |
| SHA512 | 4f8b97408d72f7bdd2d380837dfc9605e81055a013ef5dc062307c6ec52974b8e892fe889289f42f961ffb1021fd61aa4ef7d589f365aae59ad7525e82c56c39 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f9cf39c7b481d044b763245f3949d4e2 |
| SHA1 | 446d2d228ddcc469a4fd0e65b1f614b5462ad11e |
| SHA256 | e3088426316607bd5748c4e68829939e28ae131ae8a32fba41756ffff2af749d |
| SHA512 | 7ab533330f387cb86ec32500665d7803b9456b61e9bd191d36492432e72b5b909418d5d23f6a607604d075159e0878607cddba43efe9c0aff1aa8be4e1388f0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b459f7594de5d9d91c496a02f330da9 |
| SHA1 | 2dbc253fa831e3a93d80312667c7da6e3e5a1582 |
| SHA256 | cc09845a5b5b225a773945583d4db30f72a75fd15c831363dd91c738464b017c |
| SHA512 | a80dcd7ff4ad0b9edeca8f904bd0417360ba2e74d55e53f2f4a187a444d23e30890b4bae3a33b1f880af1cef6cd9030668ed71d343f35112ab0323d4a5f8c572 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 958a6f2012c3c1121c35226929b24252 |
| SHA1 | 0757bffffae71a53d9356536ee5a7c561886f7fb |
| SHA256 | f37271879c6daeabcf7b037be6be94c739d8f849a462c9020564272fbdbe49cc |
| SHA512 | b09a6262dbd914ae2a7210b8bd7fcd78ed2a1613987ad83e39f1943335009d408d2f8b5122ea93c04ca1eba7a5e75baa80107d61532d174723b7ac50bd151f33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c1605628745e4e770cdff32b42439be |
| SHA1 | 9741741e09a8d455e49390b75f6b752fa93ac9d1 |
| SHA256 | 1c5883544f9d24e21b422ed277b988b9808a6086d45e27ff30480358172578b8 |
| SHA512 | a2d54e588a86cec8b188b612381133c9bb993a496ae34b94b750a461c396946046b22832f6863127915ac2346c202028bb0e0382c8e0f9e6df9cf36e9693e32d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06cdb13c968675f5ec3fc35028687b80 |
| SHA1 | 23bb05a108d3f5d262e3615c92a9a121ae1f730c |
| SHA256 | 19712e18003e3f8f2d09564e9237fad5d9bdbfa211a1236e977418593d8b9395 |
| SHA512 | 6254a5939e649540ad8b11fd0a3ac68822b6d000f78f610138dfdbdb479a83d07de6dc6ced2d03436884c97d1bf95f03eb128a34ea285305a6fb954a4a7976e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12c79982f8b80259186986c0b2bc9448 |
| SHA1 | f7eb64bffd5730752c1b704f35410546e7b89b5c |
| SHA256 | 85b3e64561f8f815c6d86ae050e4e01400f073c5b4ff199afb34cd264a242053 |
| SHA512 | f9bb0a7d3cfca3fd7afd726546a7dedf3ca3b685f8e09cb3f85a6f44392b0ebb3eda2e4de8c0454aa89ff28d50a30a3cc62d4219b340070f9a6cd413f4c088bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 539a98ace4070c698fc9f4a6c4784778 |
| SHA1 | 23ed204c4a65c44f4461a560d7b19330871fe38d |
| SHA256 | 640fdff373098c2b0dbe8b32c0c61ee7354a9197a9cdd776e8563ab705c6240c |
| SHA512 | ab89858d7c1fd7b78882a529f19c3e15d421983c1aa5411ffe94c69ca57047984f6a1a340a33a0adb0d7016f3d3921968d48cb3ad349f7375a93c904f02e06c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2baaeb24d66ba190703d681563b45337 |
| SHA1 | a3b653cb0785437443b292d8229712e99f451dc7 |
| SHA256 | d2f4b496a96e2de764a542b0e91063c35ab1c334585aaf4d36306eeb378e7198 |
| SHA512 | 52ffd1db8236f757cae98f6c3680dc09e5c79155ec88eb07fcbec80f094ebfaddb25c3b2e0052d6b1d9bbc83ad935402984350709c7443f51d1a436b756d7d9a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 104fbe173d4599f5ad6b7ab5d493ef76 |
| SHA1 | c9aa988db3093d9176212fffd2f0535ec5a19ee6 |
| SHA256 | 5b1f3234fdf80c4f510dda095a05a291b2cbfff88162e34c5e451a581bd05bd2 |
| SHA512 | 24540b4719eebbb8553d49d020dbcd606c17a10f0aa046fa1724c77c52559b9523beeac870b2cd3bf89f10bd70491d4652c178e8170eb673ad2bca1526bce5d9 |
Analysis: behavioral12
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/868-0-0x00007FFB1D230000-0x00007FFB1D240000-memory.dmp
memory/868-1-0x00007FFB5D1B0000-0x00007FFB5D3A5000-memory.dmp
memory/868-2-0x00007FFB5D1B0000-0x00007FFB5D3A5000-memory.dmp
memory/868-3-0x00007FFB5AD10000-0x00007FFB5AFD9000-memory.dmp
memory/868-4-0x00007FFB1D230000-0x00007FFB1D240000-memory.dmp
memory/868-5-0x00007FFB5D1B0000-0x00007FFB5D3A5000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\maction.js
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
134s
Max time network
155s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA53F2F1-5538-11EE-91E1-FAA3B8E0C052} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c083787f45e9d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000f5d9f35529b264f5622f469cf9b783cdcdbb90c051a4ee3557f6f8fcd2dd3af6000000000e8000000002000020000000562dade802689b25bcc1ec432486d8a1696ddd04e9d5d1aea25e639fa8ed1c7690000000c036a88ad06e8c320314d0ceb412dddacffc3f113d69cb197aeed32b1d797e54be6cfb4cad159aa1d24c675a49bfdcb41cefd22fd3502e1ecba88e6ddfdc203b9a701c9e43a94aacce0c2cb697b33ebb48dc9610e1f93e27584b6b58940c07edd05014e1ab95868d75ce1c8ed80e8e76bc6fc3706313c3d10e5f1161aa2964ef751cac20f333005f1f978e4fd8fa7d204000000015cc9ba8cda6bf913c9ef027f4b2ecf133f944e334d8594978c220552f29ec7974dde3a35664c223e1b0a8e791482548ce3cbec45297f1207cd897c25872dc6c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000395bc0c60ebbb99cd92b0958a9d6b87cbe4d617852b7f90a481300fb2d438390000000000e80000000020000200000001a065c2221206e552bf606cd919e7b452639cbdc5e8e10bdc8f1d650eb4ab3d22000000065924530d43cac73ac62e30d343513c32482d7a8d198e4e448b63687c86d4c1040000000779ce4673b9a3fa24257124e67e2b0cabd118c08d4deccd9b2a3d4e063dc5397fab3b8cc3bfc65e1df6c5d1fb8a1164cd17063d3b1e461cf3e26daa4825d84b1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103125" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3064 wrote to memory of 2648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3064 wrote to memory of 2648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3064 wrote to memory of 2648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3064 wrote to memory of 2648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\demo.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab57D3.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar57F6.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9b9a367cccaf4f80d272adf5bbf34b9 |
| SHA1 | c2731f0c045c61ec33733b09e5a5f3a6dcda49b1 |
| SHA256 | 8a0d2961d744c8736623f94cb6864e361f5d87eea976da4cb9a7c97cd5bde646 |
| SHA512 | 6f55ed4087da676b7c343d377cc91bbe16d08154d7c84f7a5cfdccd4e9479da297fc58ab1a4f72a022c999235385c23f015d19488a5e283447f291bf331a47bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c7b327f4d2167e23bf946b5d7c399f3 |
| SHA1 | 7e3d2ae8a0c6e8050be101b24fd1a9b46f127f63 |
| SHA256 | 3ba25402b40dcf211e8a5be29352fb7a02fb514bf9dba2e13856012210f775de |
| SHA512 | 8e2742b8bff02244f32e3307e2da0ba2372bfa13985f40221c0839072ae5e7e139cc35c152b62a9f35acb067caadaa9f8e0c7700bb40836ce5cf8fb5b6c3f7fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a326ee579c93945963b682c6d8dc165d |
| SHA1 | 4f6d202f567d17d8efb35aa1f35270783219b02b |
| SHA256 | 735f741098917ce40da3dab9164bddc8937ae13376c5c328d3606aa1e4e73755 |
| SHA512 | 11e27bbfa8ef507e19a7e03199a9491d21c135c2446d977a04383c12db7f4c4cbeba6e6b90a3afeac609a858442cd9be37d9335a7a87f54fa7ed88645a5e39e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb13f3ac7aa753166b1da0b2f79bbc61 |
| SHA1 | 889447ee69247ba9c2b6aa97f06d5281bb80542b |
| SHA256 | d847ead823eb52b1d01952267dd53f4b4530e542aa0fcbf4cc413c00dda2083c |
| SHA512 | 6bd6e1cdf3fa98063cd00ba1c75f460ada2856e8ddb115cca212d9429e8cb2835bd25c3dd3387d5a41117f0129f0bc5da2a43868f8c5a2037fef340f66b4cb67 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e51db188ce9f1bd8776424610ceb0c9c |
| SHA1 | 4a13873dada85b958183e3f9f7439568c826f9e7 |
| SHA256 | 8ce018a7fbcce7fbd3a1ade20927f7b624b2b3c3b71a8e419d7d6c4ea01dd497 |
| SHA512 | 22d42e75f403508981a93e0472f40deef47d11bceda7b901943da362cbdf447bda5adb009ffeb9de9533c95c463a2e26ae0dee9292040c14e302449f729fcffd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a7de935463394d345d10109d4e0412b9 |
| SHA1 | 7be16bd26527a37574de636e9a6e28e8c9542a68 |
| SHA256 | b61d0740dbc7e9925852de1321196a914e9b198c40b27d1539f966269055cc60 |
| SHA512 | be97d9a816c834964bfef8b45daf768380729f01cd2b3c9b5e94265804b4dc3dd6fa6a3781457be9f6183cb8a0c8bc0c12e7ab33b7451e9e7110dd166113e3c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3eea76e874c53304e1d955e6c79d5fab |
| SHA1 | c4a3a8321c3f786f5cdcbdd8d8759ae68a1914b4 |
| SHA256 | 41f7e26dafd0abf5a252a74717cf81c1f8854b9a2364d304bc3fc0798a6261ae |
| SHA512 | 3c8ea8839d33f36bb6df61f5abb003574107e7968ebf45a75e0ef0ca95815b8b8030281a8258a3d94c28608146147f1f1196d2f6f178399f01c3306b19c8d191 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc17e9745d9e268d235ab242a5b099dc |
| SHA1 | b97b7f05c809a2dd8fe18d1b876b3154f8650412 |
| SHA256 | 712ad5baa3ff09129e91137c5b19f4680a38be79a48af1a0b36ba227ea0f08f5 |
| SHA512 | b9787689ac9c8727ef3d3c2f9ba265bb24f0bbdce3ac3e5fe90a090be5d4f71cbb609e0633e80ad356d694773592ca686cffd4040ac836d47e9543394ead737c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eeebc7be311d6b28365a3de81c2f5f31 |
| SHA1 | 9ad5903ac6225e4414b3290db4ddbdeb1d90e7cb |
| SHA256 | b858d6fd5b1fc3211cdaaa9e5b4a0294b3b4f7fdc911b8b238a6089d44b33f61 |
| SHA512 | 2c7ce944e4ce8c5ef1cf4446dff6b20231bf330e4b5a50283cd45d96768596a5e592fbffad9ed15860e5eedfe558620d6a6e01806cfedda57195dabea44aeb58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1eb2983f7e9db9b7c5926cc471865ff7 |
| SHA1 | c4426db7f8cb86fdbf3531d1491a028a8ee335a4 |
| SHA256 | 8ba0b0455eae53746c12e21659c600d4b7a2a60244425e0a5184754f932136fb |
| SHA512 | 72ac38b7efe7f73d7f5e30f928ea032978cccf7862d32a5826f5d190c2e3a7c26d5a3a3497027bce60d1b9881e0d075e525bf66cce667c8d20ef3de3017b37a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a87132fdc2f12058f330b01a40b1834e |
| SHA1 | 3d509e3e41accf3be8b2a24c7373492e4a4f9d0c |
| SHA256 | f7b22ef531b0905df8d6012df4bace858a8523f95533dd5dd65778902868c603 |
| SHA512 | 72a8b69612928ba43331e5a2c3a33cbf2f9043eda067dadc079a6ce39e571b082477d18d0dc0b41e5560b47c48f33fdbbb28e4a2846d8c15068aced06b999108 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f2ba882d78d448475c321f5cd16b6e9 |
| SHA1 | f16c8947e07bf9502fd47ab747bceb47a623c332 |
| SHA256 | b19d7716b715770fa7ec35b3ae5ccc5dc4d843b6a984d5618a95e72744af4314 |
| SHA512 | 47a16ff8953146f852536b213a42e7499c686bf8161fd941ab38233e9c8e01b776e187af084fbc07c0ea0b8bf63797d7cd76d036618bd851219fc6a23ae29f8b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 092fd0fe41f19f2feed9cf2df6baceee |
| SHA1 | dddcfc89b8dc9c9fb58475bb6e71b2af3210b2e3 |
| SHA256 | 81f12b16553bb1503319cd5a82a83876df1b715c23fe9d929616c0bbc35531d2 |
| SHA512 | ccf71a34e993c732ea3b0a26c1510cfc8c19c055de73631dc552eab5bf49f1e917624f4c20f3d49d37c10d258bbaa28255d813889b040c79706cfa39945abbe8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 346e5a2aa8619189ca74504877af163d |
| SHA1 | 0a7c6c3589d223421fdf97b98c72994b07d126a0 |
| SHA256 | 0810ba06e6e3115961e9e0cf007147324b430dcf473dc0c43743a543b43d15cf |
| SHA512 | 0efe3a6bbf438bf97862ebea6b4313f7867e76c1e140039b3710a1fc934383aee25de59151f9a77443a1bae0d67265f2f448d69461b80a9c007354d66e8f40ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5b5d7bf0805c5afd460e80e5fa61345 |
| SHA1 | f78bd8fc1af1c1f8640bf18249d0ea088dec603a |
| SHA256 | 00b8a0bae1fdc3dc81d92a8dc629f1d2353488bc982cc54e60c46c6222a65797 |
| SHA512 | 17801a34fdf658d91b216f868f1a7066c3cdda565223f9c1dbad1e72df5048850f296fa4ad71a1c0f5638be31f3ad486d7d58120f5c12f9c30b653d0b714a503 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24b1ee4322395d99367be4316cd16164 |
| SHA1 | 007583ff5eb394fbe4250160c777dd6c827f9558 |
| SHA256 | c4512ff51497f3f83264fc88bd0d96773d33a18cf9abe4298682202915d2cf30 |
| SHA512 | 859c50eea235cea2530c604aacf93b0e3860f5531db177c5aedc59f58d35c78a1dbade961e58ef13664d2a5d64c35f083ee7f9fd3302e81afa2a276acfe7fa97 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 292db9a8ec1ad5e1da311e3bbf72a442 |
| SHA1 | 0c5530db41b6c86f35fd58de096fa5f4d5fbfe9a |
| SHA256 | 23efd647d64d99a486dbb0cc1f3e07f139d8e0dad42c0167e8f2de4a0695e305 |
| SHA512 | fe914ac68246522c9268f8e178814c974e7b8f1b8e5198ec251899b4be1ccf8391dbb1ba548c685734548894dba356e55a4218ced8d8afd7b714b2fefc9d0043 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a8028535dbe41afc95421488770ca590 |
| SHA1 | b518f0947334da4b42a59d6221b565164b91bd5a |
| SHA256 | d1be96f691421efb7a96cc04105dd3be0b62459c59909d615b0a073512ffb737 |
| SHA512 | fd58a10d5fbea6aae70e7700bdfe46fd310b1ed3aa5107ebcf9e58cdd01b6f74a92d669598a22ed120ae4d513ca1b017fbc482388ed8ebf8b6031ab625c20aea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f448e4a0ec53028a9ca9996c335a4a87 |
| SHA1 | ce77d78fa95a4d716399f724c4dcfb813b7cf7a7 |
| SHA256 | cea98ed116e88e10d2d0878957f7ddc068e28a9917f4839fc7a6b6513d35dc62 |
| SHA512 | 8601e5d020378e69c3da8337ac1c3a8941d30efe94d19200dde505aebcf2ce5522c78379d636b9accee4dcef8a7ee309d6f4f9ab1f0c9c5273c7e9ceb877190f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9d03df113e6cde7346c542091a575855 |
| SHA1 | d736e7f64ca1eb0e1b1b13bb36d620ec91732c78 |
| SHA256 | 9e88efb3c89a47f10327c916215af0457d1d912fb0fdc0808b525429adb272a9 |
| SHA512 | 0c6f59cc20a8a1768dc80a3428f32b6503000a34da86a46dcbb3480e9d76cae600a67fb968f50476f8601cc461dbf533820027d9b9f72728de2135797daf68f7 |
Analysis: behavioral23
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mmultiscripts.js
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-09-17 09:00
Reported
2023-09-17 09:03
Platform
win7-20230831-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mtable.js