Malware Analysis Report

2024-10-19 12:18

Sample ID 230917-kyjtqsgg4y
Target 78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.zip
SHA256 78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631
Tags: octo banker evasion infostealer ransomware rat trojan stealth
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral14, behavioral21, behavioral22, behavioral25, behavioral2, behavioral5, behavioral13, behavioral19, behavioral20, behavioral7, behavioral15, behavioral24, behavioral26, behavioral28, behavioral1, behavioral4, behavioral6, behavioral10, behavioral18, behavioral29, behavioral30, behavioral9, behavioral16, behavioral31, behavioral32, behavioral8, behavioral11, behavioral12, behavioral17, behavioral3, behavioral23, behavioral27 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631

Threat Level: Known bad

The file 78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.zip was found to be: Known bad.

The archive bundles an Android package (com.factupx, detonated in behavioral2 and identified as the Octo banker) together with HTML, JavaScript and XML files that the sandbox opened separately on Windows 7 and Windows 10 (behavioral14, 21, 22, 25 and 5). The Android signatures below describe the Octo payload. The Windows-side signatures (Internet Explorer settings, GetForegroundWindow polling, FindShellTrayWindow and the hook and process-memory heuristics) are raised by the Windows runs of those companion files, not by the Octo payload; in behavioral14, for example, GetForegroundWindowSpam and FindShellTrayWindow are both attributed to iexplore.exe.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat trojan stealth

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Acquires the wake lock.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-17 09:00

Signatures

Requests dangerous framework permissions

Process and Target were N/A for every row, and the sandbox listed eight of the permissions twice; each is shown once here, grouped by the capability it grants. Taken together (SMS receive/read/send, silent call placement, contacts, call log, background location, camera and microphone) this is the permission set of a remote-controlled banking trojan rather than of any single-purpose app; RECEIVE_SMS together with READ_SMS is what lets it intercept SMS one-time codes.

SMS
android.permission.RECEIVE_SMS  Allows an application to receive SMS messages.
android.permission.READ_SMS  Allows an application to read SMS messages.
android.permission.SEND_SMS  Allows an application to send SMS messages.

Telephony
android.permission.READ_PHONE_STATE  Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS  Allows read access to the device's phone number(s).
android.permission.CALL_PHONE  Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CALL_LOG  Allows an application to read the user's call log.

Contacts and accounts
android.permission.READ_CONTACTS  Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS  Allows an application to write the user's contacts data.
android.permission.GET_ACCOUNTS  Allows access to the list of accounts in the Accounts Service.

Location
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.ACCESS_BACKGROUND_LOCATION  Allows an app to access location in the background.

Camera and microphone
android.permission.CAMERA  Required to be able to access the camera device.
android.permission.RECORD_AUDIO  Allows an application to record audio.

Storage
android.permission.READ_EXTERNAL_STORAGE  Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
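The sandbox exports this table as flat rows, repeats some of them, and leaves it to the analyst to judge what the combination means. The script below is an added example (editor's code, not part of the report or of any sandbox tooling): it parses rows in the format above, drops the duplicates, groups the permissions by capability and flags the combinations that matter for an Android banker. The capability groups and the combination names are the example's own triage labels, and the sample rows are a subset copied from the table, including two of its duplicate rows.

```python
import re

# Row layout of the sandbox's "Requests dangerous framework permissions" table:
#   <description> <android.permission.NAME> <process> <target>
ROW_RE = re.compile(
    r"^(?P<desc>.+?)\s+(?P<perm>android\.permission\.[A-Z_]+)\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)

# Capability groups and high-risk combinations are this example's own triage labels
# (an assumption for the analysis, not categories defined by Android or the sandbox).
CAPABILITIES = {
    "sms": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"},
    "telephony": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE", "READ_CALL_LOG"},
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"},
    "media": {"CAMERA", "RECORD_AUDIO"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
COMBOS = {
    "otp_interception": {"RECEIVE_SMS", "READ_SMS"},             # read incoming 2FA codes
    "sms_sending_with_contacts": {"SEND_SMS", "READ_CONTACTS"},  # spread via the victim's contacts
    "call_placement": {"CALL_PHONE", "READ_PHONE_STATE"},        # place and monitor calls silently
}


def parse_rows(text):
    """Parse table rows; return (unique permission short names in first-seen order, duplicate count)."""
    seen, dupes = [], 0
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        short = m.group("perm").rsplit(".", 1)[1]
        if short in seen:
            dupes += 1  # the sandbox repeats some rows
        else:
            seen.append(short)
    return seen, dupes


def assess(perms):
    """Group permissions by capability and flag the combinations a banker needs."""
    have = set(perms)
    groups = {name: sorted(have & members) for name, members in CAPABILITIES.items()}
    groups = {name: members for name, members in groups.items() if members}
    flags = [name for name, needed in COMBOS.items() if needed <= have]
    return {"groups": groups, "flags": flags}


# Rows copied from the static1 table (a subset, including two of its duplicate rows).
SAMPLE_ROWS = """
Description Indicator Process Target
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
"""

if __name__ == "__main__":
    perms, dupes = parse_rows(SAMPLE_ROWS)
    print(f"{len(perms)} unique permissions ({dupes} duplicate rows dropped)")
    result = assess(perms)
    for group, members in result["groups"].items():
        print(f"  {group:10s} {', '.join(members)}")
    print("flags:", ", ".join(result["flags"]) or "none")
```

Feeding the full table through parse_rows gives the sixteen unique permissions listed above; the flags are what an analyst would cite when writing up why the permission set alone is incompatible with a legitimate app.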

Analysis: behavioral14

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html

Signatures

Modifies Internet Explorer settings

adware spyware

Every entry below is a key under the user's Software\Microsoft\Internet Explorer hive written by iexplore.exe or its IEXPLORE.EXE child (TabbedBrowsing, DomainSuggestion, VersionManager, Recovery, GPU, IESettingSync, WindowsSearch). That is Internet Explorer's own first-run housekeeping after the sandbox opened fyb_iframe_endcard_tmpl.html with it; the adware/spyware label is a generic heuristic attached to the "IE settings changed" signature, not evidence of behaviour by the HTML file.
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000863c843936ec0098a2f4475abb4e5f85b099a9de130d8f23f714958941758568000000000e80000000020000200000001a0eb2790c2fc0f24368fd8dab636d32ee50043736dbc7fa248757b3006225dd2000000056b88392d3018daaaa39d895c2b9d2bc74eb2144ef1b24e04c90957d5e52a65640000000a8d40482f2feb0749c8c92f1737ab88400e848ff995dafcf05d9b8c786a40761e1e2fb565189477871868a90f9dc34efb2038ecdfd3255c558cf35219a878c76 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e094028345e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA9C7357-5538-11EE-B0C5-56402FC161CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003df48245e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401706212" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2153301350" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2133612863" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2133612863" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000d85628fdd7b0e0ca697aee023662eecc4297bf1ee725b8fdb45e134f653b069b000000000e8000000002000020000000b0333dc94b17e9ced84109e63e35372dd978fb334b8d0708bfba84152163d15c20000000d06c3ba286570ef52ea0c1cec8fda638629f7291b781ab8480faaf5ccfd6f38140000000f14a6592ba2eb0f2b522884184539120ad4e8870e644e36f9b8195fef853b710b5bb871b1f8c3867bfb645a73be9167518f897233d598e75cf978a2020dcb9fb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4336 CREDAT:17410 /prefetch:2

Network

The only connection is to ieonline.microsoft.com:443, a Microsoft endpoint contacted by Internet Explorer itself; the remaining rows are PTR (reverse-DNS) lookups to 8.8.8.8 issued by the Windows guest during the run. Nothing here is attributable to fyb_iframe_endcard_tmpl.html.

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

This is Internet Explorer's own domain-suggestion list (see the DomainSuggestion\FileNames\en-US = "en-US.1" registry value above), not a file dropped by the sample.

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral21

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mglyph.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mglyph.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mglyph.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mglyph.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

120s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ms.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ms.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

android-x64-20230831-en

Max time kernel

2724274s (about 31 days, impossible for a run reported three minutes after submission; treat it as a sandbox clock artifact)

Max time network

162s

Command Line

com.factupx

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Matched three times; the sandbox recorded no indicator, process or target for these matches (all fields N/A).

Makes use of the framework's Accessibility service.

findAccessibilityNodeInfoByAccessibilityId, findAccessibilityNodeInfosByViewId and findAccessibilityNodeInfosByText are the IAccessibilityServiceConnection calls an accessibility service uses to enumerate and locate on-screen views. A banker that has obtained accessibility access uses them to read screen content, find buttons and input fields by resource id or label, and drive the UI on the victim's behalf.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

The code is loaded from ujycFt.json in the app's private app_DynamicOptDex directory and from a randomly named file in its cache directory. The .json extension and the random name disguise DEX code that is loaded at runtime; the Files section below shows ujycFt.json being rewritten with three different hashes during the run.

Description Indicator Process Target
N/A /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json N/A N/A
N/A /data/user/0/com.factupx/cache/phgpygedzvieza N/A N/A
N/A /data/user/0/com.factupx/cache/phgpygedzvieza N/A N/A
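When a dropped file carries a misleading name like ujycFt.json, the first triage step is to identify it by content and to check whether the drop is intact or was still being rewritten when the run ended. The following is an added example (editor's code, not from the report or the sandbox): it recognises DEX and ZIP/JAR containers by their leading bytes and validates the DEX header's integrity fields. Per the DEX format, the adler32 checksum covers everything after the checksum field (offset 12 onward) and the SHA-1 signature covers everything after the signature field (offset 32 onward); a file that fails both was truncated or modified after it was written. The build_test_dex helper constructs a minimal header so the example runs without a real sample; it is a test fixture, not bytecode.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70  # fixed size of the DEX header


def identify(blob):
    """Classify a dropped file by its leading bytes, ignoring the file extension."""
    if blob[:4] == b"dex\n" and blob[7:8] == b"\0":
        return "dex"
    if blob[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"  # APK or JAR container
    return "unknown"


def verify_dex(blob):
    """Validate a DEX header's integrity fields; None if the blob is not a DEX file."""
    if identify(blob) != "dex" or len(blob) < HEADER_SIZE:
        return None
    stored_checksum, = struct.unpack_from("<I", blob, 8)
    stored_signature = blob[12:32]
    file_size, header_size = struct.unpack_from("<II", blob, 32)
    return {
        "version": blob[4:7].decode("ascii"),
        "file_size_ok": file_size == len(blob),
        "header_size_ok": header_size == HEADER_SIZE,
        # checksum field covers offset 12 to end; signature field covers offset 32 to end
        "checksum_ok": (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == stored_checksum,
        "signature_ok": hashlib.sha1(blob[32:]).digest() == stored_signature,
        "sha256": hashlib.sha256(blob).hexdigest(),  # for matching the Files section
    }


def scan_file(path):
    """Read a dropped file from disk and report what it is."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return {"kind": identify(blob), "dex": verify_dex(blob)}


def build_test_dex(payload=b"", version=b"035"):
    """Constructed fixture: a minimal DEX header whose integrity fields are consistent.

    Only the fields verify_dex checks are meaningful; the rest of the header and
    the payload are opaque bytes, not real Dalvik bytecode.
    """
    body = bytearray(HEADER_SIZE) + bytearray(payload)
    body[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<II", body, 32, len(body), HEADER_SIZE)  # file_size, header_size
    struct.pack_into("<I", body, 40, 0x12345678)              # endian_tag, little-endian
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    sample = build_test_dex(b"constructed payload, not real bytecode")
    print(identify(sample), verify_dex(sample))
    damaged = bytearray(sample)
    damaged[-1] ^= 0xFF  # flip one byte: both checksum and signature must now fail
    print(verify_dex(bytes(damaged)))
```

Running scan_file over each of the three ujycFt.json versions recorded in the Files section would show which of them is a complete DEX and which were captured mid-write; the sha256 field lets the result be matched back to the hashes the sandbox lists.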

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware

A single javax.crypto.Cipher.doFinal call is a generic heuristic and is the only basis for the ransomware tag in this report. It is equally consistent with encrypting C2 traffic or configuration, and the Files section shows no mass file writes or renames that would indicate user data being encrypted.
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.factupx

Network

The payload resolves a family of numbered fallback C2 domains, 31fdghhoo11.com through 50fdghhoo11.com, via 1.1.1.1; only 40fdghhoo11.com produced a connection (171.22.28.202:443, nine sessions). The repeated 176.113.115.110:443 sessions have no matching DNS answer in the capture. www.ip-api.com, a public IP-geolocation service, is contacted over plain HTTP, and the googleapis, android.apis.google.com and google-analytics traffic is normal for the emulator image.

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
GB 216.58.208.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 41fdghhoo11.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 42fdghhoo11.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
RU 176.113.115.110:443 tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 42fdghhoo11.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 38fdghhoo11.com udp
US 1.1.1.1:53 38fdghhoo11.com udp
US 1.1.1.1:53 31fdghhoo11.com udp
US 1.1.1.1:53 31fdghhoo11.com udp
US 1.1.1.1:53 39fdghhoo11.com udp
US 1.1.1.1:53 47fdghhoo11.com udp
US 1.1.1.1:53 36fdghhoo11.com udp
US 1.1.1.1:53 49fdghhoo11.com udp
US 1.1.1.1:53 45fdghhoo11.com udp
US 1.1.1.1:53 46fdghhoo11.com udp
US 1.1.1.1:53 39fdghhoo11.com udp
RU 176.113.115.110:443 tcp
US 1.1.1.1:53 46fdghhoo11.com udp
US 1.1.1.1:53 33fdghhoo11.com udp
US 1.1.1.1:53 50fdghhoo11.com udp
US 1.1.1.1:53 35fdghhoo11.com udp
US 1.1.1.1:53 42fdghhoo11.com udp
US 1.1.1.1:53 42fdghhoo11.com udp
RU 176.113.115.110:443 tcp
US 1.1.1.1:53 44fdghhoo11.com udp
US 1.1.1.1:53 37fdghhoo11.com udp
US 1.1.1.1:53 34fdghhoo11.com udp
US 1.1.1.1:53 48fdghhoo11.com udp
US 1.1.1.1:53 32fdghhoo11.com udp
RU 176.113.115.110:443 tcp
US 1.1.1.1:53 37fdghhoo11.com udp
US 1.1.1.1:53 37fdghhoo11.com udp
RU 176.113.115.110:443 tcp
US 1.1.1.1:53 43fdghhoo11.com udp
US 1.1.1.1:53 42fdghhoo11.com udp
US 1.1.1.1:53 40fdghhoo11.com udp
US 1.1.1.1:53 40fdghhoo11.com udp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
BG 171.22.28.202:443 40fdghhoo11.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
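Turning the table above into indicators by hand means deduplicating dozens of rows and spotting that the queried domains differ only in a numeric prefix. The script below is an added example (editor's code, not part of the report or of any sandbox tooling) that parses rows in the sandbox's network-table format, separates DNS queries from TCP connections, groups queried domains into numbered families, and reports which family member actually received a connection, which endpoints were contacted without a recorded DNS answer, and whether a geolocation lookup occurred. The benign-suffix allowlist and the three-variant threshold are the example's own assumptions; the sample rows are a subset copied from the table above.

```python
import re
from collections import defaultdict

# Row layout of the sandbox's Network table: <country> <ip>:<port> [<domain>] <tcp|udp>
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)
# Assumed allowlist: platform traffic every Android emulator image produces, plus PTR lookups.
BENIGN_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com", "in-addr.arpa")
MIN_VARIANTS = 3  # numbered siblings required before a domain family is reported as a C2 list


def parse(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()  # "domain" is None when the row has no domain column
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def family_of(domain):
    """'40fdghhoo11.com' -> ('Nfdghhoo11.com', 40); None if the label has no numeric prefix."""
    m = re.match(r"^(\d+)(\D.*)$", domain)
    return ("N" + m.group(2), int(m.group(1))) if m else None


def extract_iocs(text):
    rows = parse(text)
    families, queried = defaultdict(set), []
    for r in rows:  # DNS queries: which non-platform names did the sample look up?
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"] and not is_benign(r["domain"]):
            queried.append(r["domain"])
            fam = family_of(r["domain"])
            if fam:
                families[fam[0]].add(fam[1])
    candidate_c2 = {name: sorted(nums) for name, nums in families.items() if len(nums) >= MIN_VARIANTS}

    resolved, unlabelled = [], []
    for r in rows:  # TCP connections: which names actually resolved and were contacted?
        if r["proto"] != "tcp":
            continue
        if r["domain"] is None:
            endpoint = f"{r['ip']}:{r['port']}"
            if endpoint not in unlabelled:
                unlabelled.append(endpoint)
        elif not is_benign(r["domain"]):
            key = (r["domain"], r["ip"], r["port"])
            if key not in resolved:
                resolved.append(key)

    def in_c2_family(domain):
        fam = family_of(domain)
        return fam is not None and fam[0] in candidate_c2

    return {
        "candidate_c2": candidate_c2,
        "resolved_c2": [k for k in resolved if in_c2_family(k[0])],
        "other_tcp": [k for k in resolved if not in_c2_family(k[0])],
        "unlabelled_tcp": unlabelled,
        "geoip_lookup": any(d.endswith("ip-api.com") for d in queried),
    }


# Rows copied from the behavioral2 Network table above (a subset).
SAMPLE_ROWS = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
GB 216.58.208.110:443 tcp
US 1.1.1.1:53 41fdghhoo11.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 42fdghhoo11.com udp
RU 176.113.115.110:443 tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 38fdghhoo11.com udp
US 1.1.1.1:53 31fdghhoo11.com udp
US 1.1.1.1:53 40fdghhoo11.com udp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
"""

if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run over the full table, candidate_c2 expands to the numbers 31 through 50 and resolved_c2 stays at the single 40fdghhoo11.com entry, which is the indicator worth blocking first; the unlabelled 176.113.115.110:443 endpoint deserves a second look because it was reached without any DNS answer in the capture.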

Files

kl.txt is rewritten five times during the run (five distinct hashes), ujycFt.json three times, and the phgpygedzvieza cache file is listed three times with a single hash. /data/data/com.factupx and /data/user/0/com.factupx are the same directory (the former is a symlink to the latter), so the paired entries under both prefixes refer to the same files.

/data/data/com.factupx/app_DynamicOptDex/ujycFt.json

MD5 cbeb2a330bc5bb595285f8b49de824b4
SHA1 ca0ac1ba2b1ee3a315bdfead4d300262e63f0f40
SHA256 bf99b8738dfdd69f74e5da3369b205d4be8f01d8a0bd147b4bf46ba0cbf002a2
SHA512 85fb4110db3facc4600037ab3493eca9fb1f7302637fe992e486cb506544abd8546182b545272c29c101a10ab7fa486491dd544cf63af153da4754aed4116752

/data/data/com.factupx/app_DynamicOptDex/ujycFt.json

MD5 ccb34a777bfd9dcf00e1bf1ea73abb21
SHA1 505d5b6b4132d042690716a9afeae62769f8cd26
SHA256 0154661f8ff3116976885edbb9daf2a51293db5bccf953a1d7aa4521b56e1bf7
SHA512 eee31641031e1a0ef30341c15ef07bcf68b42267e80de3ce736655c9238de17245a484f7ca238d02d1bed9ae27fcd33ea42ab99d1e2959c03b3039a4383850bc

/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json

MD5 f9f93d3eff43dfce4e7c5a1cf8546290
SHA1 bd705897eb5b1e0ade8de52281f7c5137e26daf2
SHA256 642f9179c2c98febc07887ec91eb00e328ac13e35a93492eb2533216e015361c
SHA512 25da6b35caa5403d8ba032182e45a19ac2c4e6f4f53d95c2b888548cf284dc6243a4093849c5016afd7156ce1ba6b859c02735302fe8902b4c4b923d6f420355

/data/data/com.factupx/cache/phgpygedzvieza

MD5 5a80512b1d7846b456ac8f3dbd1c7f3d
SHA1 2de7cd24c284cbedba4767712a2f9989b3b1c5cb
SHA256 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3
SHA512 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75

/data/user/0/com.factupx/cache/phgpygedzvieza

MD5 5a80512b1d7846b456ac8f3dbd1c7f3d
SHA1 2de7cd24c284cbedba4767712a2f9989b3b1c5cb
SHA256 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3
SHA512 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75

/data/user/0/com.factupx/cache/phgpygedzvieza

MD5 5a80512b1d7846b456ac8f3dbd1c7f3d
SHA1 2de7cd24c284cbedba4767712a2f9989b3b1c5cb
SHA256 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3
SHA512 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75

/data/data/com.factupx/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.factupx/kl.txt

MD5 9cc418255a06f982a89dae3760c06c9c
SHA1 795d1fbf58a85ae83555b348b0dd4d8d642f7a3b
SHA256 d1ec8a52347816deb06d1f9248fa5a42d9b45ef138dd011e4a8a7f146fc0686c
SHA512 bd19f9ba96766956c91f67001c82460baa529a4f75a589dbf64cee2488b0ea9ac4b9ee13fe74bab0ee23ab33fafb3336e1778dd786958ffc161594ce36fc2e4d

/data/data/com.factupx/kl.txt

MD5 64ed629c86660fc0f044dcffcf1874f9
SHA1 3a4474c6ba969fab5682ca62d81151dbc14e7270
SHA256 72c3b78a12b51986f0aa778895932812137c05b42793bb40126959fe91f24cde
SHA512 6aa948c462f9138aa620fe0d30bd120231072782d5b7d943a05f22ec0fb5d2b1956d58cd95e600a719acb4b214c0e5ab3958f5f23e744fb9b2300f0881544f03

/data/data/com.factupx/kl.txt

MD5 dd471fa89695e0c13400dfb1929e18cc
SHA1 3490336c03a057137f5eb3f8f049c8a61e278a7b
SHA256 4958009939d8557c9f8fb8801da35fbc9d2e9f1ddc90a6713be9dcb112f91793
SHA512 fa9ee4dfcea9f733ff0c9e3ecc5a99d1443b38d415aa662fbc246c51d4cb7de534f0aed5b09a2f92eeafa3ab83794d96ee2d2da868c6e4edadb8b0dfaf53319f

/data/data/com.factupx/kl.txt

MD5 3052580d36a2278ef9c57c66f457fcf9
SHA1 80e7941ea5d501aad9a2fd0d95a4f82cccca5f5b
SHA256 a8a844075b4e708bc69deaa79c000d89012bf858cbf6f6c84abbbe5e1f213b42
SHA512 d2274709000ae897b86277089ed8dde76f1c5c9848fa62eee52613aa50b58c1a969454001f8bbefcb525da46908e7726a6190337898c4e7125cd300185bd00ba

/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof

MD5 bff68dccd2e9c0f2b0a31e9e269e1e80
SHA1 082014ad0f2dc07734f8cf94bb30999045cbf712
SHA256 e127c3f1d7c5e4c5b95f4e7592baf1366b736e8e9c66e4cea0b38399af2fa68b
SHA512 3ab417d46399261964a34ab82d1eeb23ffb06405f7e094bc911ace7f9c5fd250879c966610961a95823b807739f67d7e58ec964666bf2e337bcb54b36f5fdbe4

/data/data/com.factupx/.qcom.factupx

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof

MD5 45faa89e379eddd11d07fbb5a418d771
SHA1 d7e9bd8dc991c02ead4ef19ea4b65333abf9bf44
SHA256 eb3901e1814f92d2fb721e74dc2a586ca88412d004b4cf54505893e6910e1a46
SHA512 9c6425e3c31d1a9791ac80b03803308f4ee1c2fbb6a1408ef619379169fdf9b0d9f74e87d3cd4b8af531accbe27e88bb435be10c6ea7f3dd9c7dc7ceb475db52

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

136s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"

Signatures

Modifies Internet Explorer settings

adware spyware

MSOXMLED.EXE opened floating-sticky-note-selected.xml and handed it to IEXPLORE.EXE, which is the process that wrote every key below. These are the same Internet Explorer first-run keys seen in behavioral14 (Recovery, SearchScopes, TabbedBrowsing, DomainSuggestion, Zoom, GPU), written by the browser itself rather than by the XML file.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103103" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9F7F811-5538-11EE-9EC9-FAA3B8E0C052} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cea37e45e9d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000dfe3f162bd2cd95559a9e89e1ceaaf161a7fa05e9c56fe2fcf8256a0a4998ec1000000000e8000000002000020000000357e038dbe836d82788dbe40b3c214f86eefff653abc57185e6c9d58eed05afa2000000063a0b4ad921e492c9001feefd9cd3e7df93979d5cdeaf28c0c713c5108668bb1400000009b6b53a62519c9b6554dd3b3e2056939362eaf783e673ef55fd7ce78bac824c854835130fc96efa840db23cb462537e42a5ecbc3378f6aba33c2d38a8272c05f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 2132 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1880 wrote to memory of 2132 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1880 wrote to memory of 2132 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1880 wrote to memory of 2132 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2132 wrote to memory of 3016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2132 wrote to memory of 3016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2132 wrote to memory of 3016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2132 wrote to memory of 3016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2688 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2688 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2688 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2688 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab64FB.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar656D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f45ee8cabc5c27bccee9e112fd6d97f
SHA1 6c321aba1914abc19215cb81b4858482e936c852
SHA256 e62af04c718ff3073da98268ff123abd0240bd86d0b10d795693fa1d2a6c91b6
SHA512 5427ba061587f55a5fb743e28a96f33d1914668763470d3c0ff4a99cbdb6af5af87875add242a6490756e35fe7b94bfaac6de5bcdc38a3caf17ebc0595dee559

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ff7f2c66de48e6f1cf6188b0185c4b7
SHA1 ec2bac0027beb2f4e54cdc17beb3684d5da06078
SHA256 132259218738075bcf31d9a9a5d97e713a509951072043f2537c7cdcde0ae05c
SHA512 77583a8d4ceb0e090d364bc2d989cbf243754efa18366a30516a27b0c9572903652aa02ebc92d2d93699e0991052ef70f73e38b94ab4878be23146f1018a5c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9919e6dea43228ac7147a44788214e57
SHA1 15a68a540a637ff8b560d1197c68cc44623fe2d3
SHA256 ca4975bffbe31d77075e161fa1ae839221a72b2b61a318325556b49cc9962872
SHA512 c9e9edfbb5990383a95b5940096ab406af8e451cb392c81b99e0d557cf6d8ae69f9ccf22b60e58f58289ebe760686344756f75c308b9d17fd0cbed234d79530a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f876d28ae4bd4c0776b1beb082c67b64
SHA1 86111148fce66b8cbbc4700fcdacc719b77c9076
SHA256 77c5b5a9e8f093fe7a040358123af0c5f5908f00d05b6a0ff985ce51e2c979ff
SHA512 bf7c45157e1a24392a718b9d33125e28b722d5230f5c6f4acd448fca6058257a70b6f7b3a308c827ba04060956adef724412da559aa19bc653471d57e2ec3d6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ff33a824dd03259ba95ed2ec746fae4
SHA1 57c5a9e478543c41ae4d23a4c115aea7d8cd4a15
SHA256 7e83235434b2a802d113c7f9192fa1b562ff79fbc636e50989ec70f586b99930
SHA512 dd6978e46fcc528626b20089c3514ea2f100843bbe49ce2401db9e2f6a4f16f02bb21b67dca45ea6dbe89dd3bfec622db159b80b942bf73f3183a03519bb4cd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff4724fcad2c809a260e98c7f34c953c
SHA1 6de36240ea747848e682eb327a25a85c1f4f96b0
SHA256 3f1ca68ab69e4c8f6f140dd4973c5790ac1e5a3f874e8c4591f4499f6dc8e407
SHA512 43ffc0d4e0fd1be2bd4685b27ffde1beaee1e0558a4a577286731bf50b95d3ceae4ab3fac3ef3ccd272c9d7a853b06bdcd33417e32eaf78d9b679b52687cf3b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4188065d1c0df1737f2a7e66e771832
SHA1 f5614cc81f8f56607c1ba20fc5056d3b036ddd6b
SHA256 9b5160a8110c597eba00267b53cfa24149cad080364f82265ccd2514af602a7d
SHA512 6a743d6594bf624a530b97cc5f71e3bfbc3ec58ae054c502868eb4c1620f8071d17862e735c2ff74e17ebc1b2f3552298733a7eb7c1429a83da75de0df5fb4a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 655dd417b0c3da0ce2718d12ba1e27e1
SHA1 efd9ab66d2ea7807429bfdfabb54fc749982019b
SHA256 3c67830a503c92cdac7fa4aa4dc312dc9ad6d55b9b195676c7b3028eda19c6c0
SHA512 0586622b98861cf7efbf2d474101c73108b0b25636ce9b8a74e8aaa3181bf09e08c8e464cd0ff73eb37d124d1be071e5bfc69fc442f2b4a3d1d0e150f95843db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0a0f2f2aceb3cb5cc9b600c2777c750
SHA1 40b30eed6cc6f4c25bf98a9428e82a08f64498c2
SHA256 f8891c7969bbe43c92d326c9a8a564805a50f37da2c9e9c56ae469a6d0a66ae1
SHA512 fd30224363604db9afa31970c213eb5b660a1576eaf4d90b624eaf2cd4edd309c661e7b39af6ff30e031433f6903ab6241eb34ed0e86d2cd0e3d5fc82180b26e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 438575431b82a8d88676ad0a150d0506
SHA1 ecfbf96b912279a5ded1af2c0719355ff7d148f8
SHA256 b3da0718070f83a41f5d11f3e4e4b4bba7273e069a9c425a355b3904270d6bf8
SHA512 01697b9f64803e22259d13c3757f3984548b2fc4a223167bc748929117b06cdd70b07122844b49349baac4de5be66aca61c764147c0afa990abca304070f3ab0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b894248c54fd2f5301505654f02564f
SHA1 1b85d7cbdb167a06193199b543c306951cb99ec2
SHA256 9c37fd684ddd1aee8ff48f30d475a23e31ef2de80691c59d60ac9d9958695df4
SHA512 1e20c38f32e7277a6b7684a6bca90dccefa58dd394963ab5cedfbf61bb2c70f11f7f556da5dace9b6b2246b68e54ec1e54dd595c02737893d714decb5dfb63a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 086bcce477f991d16a9446a0a29b2526
SHA1 8b1bc897354d4e20d4931b525b1703d21e7f9b21
SHA256 65e8e03bcbffc72e5d9c32ccae5498bee6d296b34a7727f0acdb0c6d61d5d745
SHA512 f08811fd7dbe7adfc95509f2ccaf9e0f967ae6a7d08c249c7e68d643cd68128062c314491a962fbba149369f5e119f86089bc4589e9576c5aaea255e8e6347fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 437cf293c8116cbb813a3439d0c3153b
SHA1 c94789726324f11ada38ad326ba9bdb4310a6a4c
SHA256 615d530afdd56bd7a3d33c652b695b506e277d91d5b9b39c6aa68c7d2a7311b6
SHA512 586d88fd3b378e5e9146d3bb0b87b5781ccb2006df5edbbb0032452c122d7d42939af2b03c9d4f126ed05e271c3d34347b45837357be91a0eebb36e2ee55cb0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c83ed85fa26754fc88bf6b1832b85526
SHA1 c3020b65627598cb34a054395c722206e552fb74
SHA256 f2aa07235f071ae894ea6206ed8977bb2fd1aff1fed4944a734f1261aa37de9f
SHA512 b78ff34e6297a114b71026013ac2dff8812b368f87d295fb6ae90d12641b74f63db6c8a36266a50a165e5c673d7350bf78b194c458b30cca80b7e18cad94fe9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3c090dc0618ff0c293fd604566b61f9
SHA1 899d74dcb02ff9909bfea4d397226973a8bbc5f1
SHA256 7f252a84e558876995daa296af9a4c2c896f2f9ee4950c32e8cbbcac1903c3e7
SHA512 12cd506689bc4b5a499bf75c0254a318b7669dd139fb4107a86b35e948d1e9f12ff721dabaafec31c5816c4e06c4c65c839ef313c900bfce6cfed2953efcb9d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 accbfd7c5fec40e76f1835395856b40c
SHA1 d18c01c6624c33ba584ad7ea9607339959c05531
SHA256 f61d29957d36a8d60ec74743c4bf4976422bd2fae60c9f8cf31dfa673d2054d6
SHA512 d3809d40e036ca9f5cfba09affc9e46ad7900b604b93b8b2decfd7d0ccf12bbafdc7daf74ed69fd94abb62ba7337879cebb5a3cd9c1e3db19ca72add1dc72804

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 202a5fa9fb75832a837cbf44e4962535
SHA1 653238408de4a1789b74bbb8bcb895c0aa0b8577
SHA256 b1cf50f304fafd416680c5f1f0507b1e4fc5bab6dcbf3f26ed1c433234581613
SHA512 27715f5bca334f880d7d0d681532975b75f519bc26c3bc072c44318f74c4f9afcd70728027e7d3ef2ac031c121492060c510cd035061e68f2a7039fd5a116d03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 775a76186edd09403900cb356569f69f
SHA1 b1c9474d58202b93f379ca24ecb4c94bb95940f7
SHA256 9fa2dbafd29bc7dc149c47dce386d13b08c396ef7f1a5aaf296c6f1687643c05
SHA512 4073a7d2d766b28abc7ca7121f92d210c551b8a261ec20f375bef61b1690dadfb7d619e84657c9351380d5be4e2dede5711dfa524a23e9d4eb5ad8b1549885d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 913366589b704af2d7174760438334dd
SHA1 410d66e3d33974d25d55f93072708fc8b54dd9c9
SHA256 c3a0cef497450f52fc7e71085a8dbe5ee7060ddef0c8c6b4ad2fc05cf3aaa965
SHA512 9858708e22fb1b34f76afa394c3c05dbb6a77e89253bc613da017f3a803c529c052603d45bcdd7c665b763981d92a433c599df0cf4e5df7aded60b675b5c8946

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4b62e762d63405043b77dca028247f6
SHA1 d28127358ff0e0649763e83566d4cbd1d119ada4
SHA256 20781ed48e3ed46749e260fa33e5c87fac84ae2e7b39347ee2b032d3e373ceaa
SHA512 193cd37dc3f4cd5092d528b81cee4ecf0ed03bd95475deb35a2a462c119743f7de9da48fd8f8eed8b910e5741311bee9c30ef7723225e91738dd945b2b89e9f1

Analysis: behavioral13

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

134s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA4D7AB1-5538-11EE-9D95-76BD0C21823E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103105" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000a9100fd9c97ec122a436dcadcfeb74ab3d50789f8509fcb414039036a26f297a000000000e80000000020000200000002db0ccfaa16bcbce60408c7d319c577cababd832683c213b48abb3ad171e41b420000000a23688b09007f9a10661db3ce3c06fbb41b53658501a0dfa482634b30083cec54000000098fff2020f800b480b639078750223abbe5bf5fb5f752e69163e8fc71aca254d94a09e3187effab1899e8a2702d482bc202eede444862ad6fc6728e83d4a6ccc C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b58f7f45e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6AC7.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar6ACA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 167fc026b008515eeb2fcc8845d359f2
SHA1 2a8c24e5265363ed065b79f90d6e4f14e9b670c1
SHA256 6ce7c898337008eb49418f1b2b7448faf611e5583c6ffa054d5096029f9ea081
SHA512 6f53e649d528cbf8008f1d19f955855a0fb4d5d56ab6d8c71c6f77486f6666263d58c6cb5383f14f578ace649362ec60adba39a6cbd5e7b275f6577f7d9562c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d8e40c55936287c45b9bd0e0f803173
SHA1 9f127dc09cfdbfa349825857776c8412434a54ec
SHA256 0735c7c653850faf3f8ec37ba2969fca6093e23af6858387fec26a30ab12cc09
SHA512 62a40fe33ef3ca3c5c9a0b8c063d63e01ef7c28c7a6fdc779a9d0e0e54a2409c7a8cf570c56c40c5317b768fab1fde4ff8e3fefd7b2bce57fcb1ca94e4e9df2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba6272c39ff3167a2a9686664f083185
SHA1 cd73533e6a80ec8a6950c7107be53e191e0417ad
SHA256 5df9e2b7b2e7129226e8da19f5de0cb849c125586dd82e040fa6f91307d00e0c
SHA512 73da9dfbf2362e18c8ba9d5ceb6afa220ab1e97a0e1737283e7cb6208555d35e7ca41aee283315a8fd55d774fb9497cc5d866790b29379da43af72f5e7f8f46b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26df6e1d1c7afb8429d10ef5525b4391
SHA1 0d5aba07e248b128c5fe5a089798a95cfe1a8fea
SHA256 3833b2fac39c5e1020c45d6cf3877d0c5da6e21690c1c30e98b52cd35210317f
SHA512 ec86e08bda18057eadf44109682f733a2327874757dd969bfd07f390b347504d03bc3bc4e8a7dcf959b5871c58b7767744c4478a27e5f9b59c2cd8fc85c4ea25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0605789a4773c5ca33da4f46572a49b0
SHA1 a6b236042e31cb57057d977cf1e4f901b5c73bab
SHA256 6922c982db38b65343c7ab8f6129ca70cbd7ca66f55c6dfb048cbbab6e66cd07
SHA512 5253a8e94a64532bc350e194644b3a44ad2cdef92b115f4fd352f208f95f89a615d9a7f2eb3bdac33a2b0524670d23679f5ef4fe74f3a2e9d1a6329234257341

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7ea65358ca582824f605d42f61f48e3
SHA1 666bd471a9f3eab78042dd844a934e51a89b4322
SHA256 9e31b89ba6a581b3d97e2e37cdf2377e2ffd1f8fcd955d8eb763f6737579be45
SHA512 6bb3e8d8de818dd6618ab258140744de37c417664a837eaf56b71b203e2124d9cd090cd7911a01c5778f5dec571166e7e24b47a434ab8edf29277576e6b8a94b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 405b6180701bf0b59c5be22ae33d47cf
SHA1 6c18b6c34ed81c416349118e29ab85ce2ec19ed4
SHA256 17c305a0d061f17b2600406afa975cb26c46bb9caaed90e9c8ced47d51600958
SHA512 c169e7a8c061b7bf327bd1d517d7afe7be041b0a84bd26441f6a6572ec8e639cb388c2d66393e0aeff4eed099c3f3d4a21e9db361127f6b434e61733cf0e7108

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d68e74d28e318990cb95e5c18f4fc776
SHA1 84249c1d95976afe0342fd3f1b25d332c1b77881
SHA256 066d05c0269c0d64acb9647722b804a46be0d6e9f992f26093bd4ce6e6db1d82
SHA512 2ae1a3dbf73a348301dbbfbd21cdc74dfa02ff76f59336cdb133e6b6b574d8dfce5845cbbdea5d3137389e4b69b591c9db4f58e17d2fe9e65d814dcca15b5c33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65ed85065ced0cf974920f1c72b684c8
SHA1 c50960dac78373bb042b23e0800bfc2534a4d191
SHA256 4a5d623d448c477c2893a0d39b54e7f1f86e29fbbac2abba0c35be8d5813f277
SHA512 3bd9996cd8346f03b94e543da3524af7580c67491570f06be77dd5cc543908596eca43da4e01b477fdcb0e31612bb3ba7b0d78d597c1d9745a53497ec9d658d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6769d914f14c9768c450214ac3acbb7
SHA1 49fb521273f175c887949720d3232edfd1b7faf4
SHA256 f1faf7f20e76df2f50a01bbfa899337d970fa75ff15bc957c476c8be7ff5b236
SHA512 9adfdb4558263b7991be461073765767312ef059a59fd15ebe36aff0b8db757da5718742baffbd338ba2761bb4679b05a37a2e50648bbca76e41127436343a26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41df7a5f347040161af6ec09a331dc72
SHA1 c9d500772b6ed301971ae0c73df62fd288fe26b1
SHA256 8c41ed78eca2a9d014c9c367f8aa2472dffd2abdd83d4fb63d63edb8763ec4db
SHA512 1599b5eb0d46dcc36f2afce9d17df11f9b23b8d12df7097537d4493745cf7634e9c81d40fab5c727aef36a80a278dfc53d6dec9df9d285b2fbb7693c54e6f049

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad85beea11b7f1e0aa5d38708d7c58c9
SHA1 f9fc2a13bccbe8f1c5b4fdfc97e610c71c16e0f5
SHA256 c447f53aec64b8ee86b23e5868bf5df724e93ecb82756135b1cabd64c2880f14
SHA512 33ff6e2c85f9ab3304205996c68ee72e08e3bb2788b53523cee844bf0cf1f0d376edee6a53d4b839a648001a5ffd52d6b0478fe2ecbb4b7b6d50dc789ef82620

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f93cc6b9b1bf8b4c270ae5c15b53569
SHA1 2f9708a9c5f7e18da4f0e9ebe5ec76983c365633
SHA256 af5751b33af3c1c0a19f4b04ea91f92e5ef3da2a0c457d863ff348ff7a967ca2
SHA512 677c7c494eb41cfc0cdefe2b52c2d1f3e3254ca578c39f8fdc976e7d1bc154751d649c8dd618a67e183a4cc036bb293049b7eea1706cd876914405a030888ae6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed12a176d95ccbb8d06104ea29e756d7
SHA1 3c095cb0b7ea58b593d7fee23fd65a0959718acd
SHA256 9f2b1e0886e9b2d5e439e43f25717b315b6a437dbcc4cd8312eb936915312d85
SHA512 7b2b97d54f19507c8ba43dc7a9b49ca10eb4481ed882541977b57c6ec29e0298ed3beb19518be34d688e1036be0614787089341268e189dc4869691bd012d570

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ba35a181cea4724bf3a6cf8f6a178b4
SHA1 84287195f2ef332ad7571c0db2db79bfe582fe88
SHA256 1af84b60ab22ff9f0ea55f73a0d3ef64e26075c9d8fec5282702dfbf030db9fd
SHA512 96c85fde8cba95dfcd07847a01f1ba69592ac30c3d91c6516389cd1700b91d255c14f64e7e9bfd89e3e124d2dee7bc9f8bf90587fbacafcf7162af89c34265fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bb5c3e5b84c3413f384ed0011ccfe89
SHA1 eb79cae5e1b7602760f576e9bdd16374c99e01cf
SHA256 779e2633b4ae55d372018a24453019df65eb51a55a1a61d0e39ac4546c0a4d59
SHA512 dbf95a9955e07f20304c70e69b3ae55b3e3ac9ce7eeb264d146e113aabef09e651c7d65ec3c4d4eea1f309ded4c928e19312d7d049ae2a88f355126f2256e734

Analysis: behavioral19

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\menclose.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\menclose.js

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

134s

Max time network

179s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\menclose.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\menclose.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
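The port-53 rows above are queries the sandbox VM sent to its configured resolver (8.8.8.8); for the in-addr.arpa names the Domain column is a reverse lookup, so the address actually being looked up has to be recovered by reversing the octets before it can be used for a pivot. The following is an added example and not part of the sandbox report: it parses rows in this table's layout, decodes the PTR names, separates them from direct connections (where the Destination column is the real peer), and lists the addresses worth a WHOIS or passive-DNS check. The sample rows are copied from this table plus one direct-connection row of the same shape from behavioral7; who owns the recovered addresses is not attempted here.

```python
import re
from ipaddress import ip_address

# Constructed excerpt: rows copied from the behavioral20 Network table, plus one
# direct-connection row of the same shape from behavioral7. Column order follows
# the report: Country, Destination (resolver-or-peer:port), Domain, Proto.
NETWORK_ROWS = r"""
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
                    re.IGNORECASE)


def ptr_to_ipv4(name):
    """Turn a reverse-lookup name back into the address that was looked up.
    PTR labels list the octets in reverse, so 71.159.190.20.in-addr.arpa is
    20.190.159.71. Returns None for forward names or malformed octets."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ip_address(".".join(m.groups()[::-1])))
    except ValueError:  # an octet above 255 or a leading zero
        return None


def parse_network(text):
    """Parse report rows into records. For port-53 rows the Domain column is the
    query name and the Destination is the sandbox's resolver, not a peer the
    sample talked to; for other ports the Destination is the actual peer."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised network row: {line!r}")
        country, dest_ip, port, name, proto = m.groups()
        port = int(port)
        if port == 53:
            target = ptr_to_ipv4(name)
            kind = "ptr" if target else "dns"
        else:
            kind, target = "connect", dest_ip
        records.append({"kind": kind, "country": country, "dest": dest_ip,
                        "port": port, "name": name, "proto": proto, "target": target})
    return records


def pivot_ips(records):
    """Distinct IPv4 addresses to hand to WHOIS/passive DNS: the subjects of PTR
    queries plus every peer the run connected to directly. The resolver itself
    (8.8.8.8 here) is deliberately excluded."""
    return sorted({r["target"] for r in records if r["target"]}, key=ip_address)


if __name__ == "__main__":
    recs = parse_network(NETWORK_ROWS)
    for r in recs:
        print(f'{r["kind"]:8} {r["name"]:40} -> {r["target"]}')
    print("pivot:", ", ".join(pivot_ips(recs)))
```

Forward queries that are not reverse lookups come back as kind "dns" with no target; resolving those to addresses is a separate step the report does not record for these rows.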

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:04

Platform

win7-20230831-en

Max time kernel

168s

Max time network

196s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000eee07e5d8efeaec68fb0a9bf814b4ff6693e01e81cb24d1f5dbf562a083de151000000000e8000000002000020000000f763315bbb576dc219dbf6c57d2cdbe25ddd70a5502953216c9ff3b14a44ff9d20000000ca3e7f87557e3b28135b54581aa4a6dd553abae5efee74073c99eee9b5868748400000004315f5cef0b9519ea2a7bcf586e7742adb28680523b9abf492a6e7020ff49b15a0819c27992ca51c60745f83a7e8f7410fef68aba56739a49cb3ad14c9fc6929 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103165" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE66C821-5538-11EE-83A6-7A253D57155B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e765a345e9d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2908 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2908 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2908 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2908 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2908 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2
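The WriteProcessMemory rows above are reported once per write, and a parent writing into a child it has just created also happens on ordinary process creation, so the signature on its own says little; what matters is the chain it exposes: MSOXMLED.EXE (PID 2656) opens floating-sticky-note.xml and hands off to the 32-bit iexplore.exe (2908), which starts the 64-bit IEXPLORE.EXE (2796), which in turn starts the tab process (2748, the SCODEF/CREDAT command line). The following added example is not part of the report: it rebuilds that chain from rows in this layout, collapsing the repeated writes, renders the tree, and flags a document handler handing off to a browser. The DOCUMENT_HANDLERS and BROWSERS sets are a hypothetical heuristic of mine, not something the report defines.

```python
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the "Suspicious use of WriteProcessMemory"
# table of behavioral7 (the report repeats each row once per write; two copies of
# the first row are kept to show the de-duplication). Columns: PID sentence,
# Indicator (N/A), Process (writer), Target (process written to).
WPM_ROWS = r"""
PID 2656 wrote to memory of 2908 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2908 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2908 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Both image paths end in .exe, so a lazy match on the first one splits the two
# space-containing paths without needing a delimiter.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+?\.exe) (.+\.exe)$",
                    re.IGNORECASE)

# Assumption (hypothetical heuristic, not from the report): images treated as
# document handlers and as browsers when looking for a document-to-browser hand-off.
DOCUMENT_HANDLERS = {"msoxmled.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_edges(text):
    """(writer_pid, target_pid) -> (writer_image, target_image); repeated rows collapse."""
    edges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ppid, cpid, _indicator, pimg, cimg = m.groups()
        edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges


def build_tree(edges):
    children, images = defaultdict(list), {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        images[ppid], images[cpid] = pimg, cimg
    written_to = {c for _, c in edges}
    roots = sorted(p for p in images if p not in written_to)  # never a target: chain origin
    return roots, children, images


def chains(edges):
    """Every root-to-leaf PID chain, e.g. [[2656, 2908, 2796, 2748]]."""
    roots, children, _ = build_tree(edges)
    out = []

    def walk(pid, path):
        if not children.get(pid):
            out.append(path)
            return
        for c in sorted(children[pid]):
            walk(c, path + [c])

    for r in roots:
        walk(r, [r])
    return out


def render(edges):
    """Indented tree of 'pid image' lines, one level per hop."""
    roots, children, images = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images[pid])}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


def document_to_browser_handoffs(edges):
    """Edges where a document handler writes into a browser it started."""
    return sorted((p, c) for (p, c), (pi, ci) in edges.items()
                  if basename(pi) in DOCUMENT_HANDLERS and basename(ci) in BROWSERS)


if __name__ == "__main__":
    e = parse_edges(WPM_ROWS)
    print(render(e))
    print("chains:", chains(e))
    print("document-to-browser hand-offs:", document_to_browser_handoffs(e))
```

The writer/target pairs are taken from the signature table rather than from a parent-PID field because that is all this report layout records; where a run has a real process tree with parent PIDs, use that instead, since a write into an unrelated process (not a freshly created child) is the case that actually deserves the "suspicious" label.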

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4C7C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4D2C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9283b415722f652a08f3586d3841008
SHA1 0477c3f7ecd0883a6817865a1fd5cbcd26b09937
SHA256 3f7b608451381331209897d84ccddc1c94804eb212abc7bb7ac3b94be015265a
SHA512 aa14a17e7b265952f0ce7cbaceb5e2d3da4c5f6db19cabee5b39a53deaa1868936ef13662126fad8c1dba5c22e38f80cc8f9c948a2ffea567220174747e07bf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8678102da1c0810e2094a43035ee44a0
SHA1 6a9c5da3c811434242fdc932c24fd4867120d1ac
SHA256 724d98c36b2e576adba38f55e0070107afbcfe49b125763c3854470f4ac73b51
SHA512 8a4d806ea6faf2d2fce33e00862e837a93b2ea7049771842ea141fd6973fd9674e93a66530ab6d805f5b68d584f1dd53552bda19b69d961f75fb5882d26ca8b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 343d84e116c1c646fb989eb9b858b7e1
SHA1 051de06eb1438c46ce08b503f33c3687fd5a27f8
SHA256 9e331f594cd704a08f2f58f79828ff88e568a6bf1ce8de7c034039610f898441
SHA512 4ce58117a7787b9b6a827e464b0dc43508288c61cce7b2f8212ce3623e532856f0007aee04326cd27eb009fe32b264123b8a491a26048717d68e0c42523cd3db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afb039f9ae24f9513ffda8a55e9652d7
SHA1 e12ef64df1c035269478a4a4a0d26c13b6ec2cc6
SHA256 6c52496fb1cfb478e1638725899f063f39bba95d483a94178d0670343dbeddae
SHA512 1e65e3ef8e2ad72f05e9df924a2d283f3e8f3f22dda9e8907d5d6f44bd134710f4dc2d30289151044cdebbba24a7c5952e0adda8c8017c0147c2358875ffe4b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39a61fbda0e3a17290b8959758aaa1db
SHA1 5a4fe8931b2f0cc01d01be61d657d6e4fefac2dc
SHA256 911f09d2784636443e1906c67c5c0fdf359427b7371e0fa2cac890f4d7284f50
SHA512 f1b54dd8f111d97113ac829831a123160a80b7ecda7bd95911d438c10e4bc0b10080c01b3fb180327fd3e42c0655c90b81c2f86b070bd622b2e6787b5fc6074d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ac1804844355e1e554c870460de1ad4
SHA1 462996e0b696a493c482b7cb5afc00788107e491
SHA256 d1806e8a46a432d3d6e49ebf90406d3049eacee52912901398e75a3fea7eb689
SHA512 b706529073ecc5fb4a5962befd115cac6b9b221c9599fb23f330c36f2eba98f76c1e7e3bc0ce1746c7349e7379558995f9ecb77f97274889e92ea73fadae39d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85356afa4c0c6ce400115bd696f0cd7d
SHA1 592b930886f78e54173a7fabe69542c56004b3e6
SHA256 276807ee8c900ced78c08d4dccf14f8440fc59a17ecad25e3f9616838d13eb54
SHA512 79b6ee5837163ff65e1ff286cfef39ed88a6037a73705c03fdc00fd9e966299aec6306e5f470372bd4dbae4ac15569284ffaf2c80858bfd70866a60457f40e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a144fc707779009a3dcfbbd14a37cdd0
SHA1 45fd21abfc5d1b3d3fa1a6856d406ab3de22fd4c
SHA256 9c2934fb71e92965a81babb2c7c0e6e99c06a4489d808db20c7232a652c16bd7
SHA512 8c061dffbc5893549b120eb4dad56303eb67ea701f4804e23046132bd8bd369efd138d011ec6298dc09066edcf6d5f9dea84364d6b6034ec504e8b63c1c4d667

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ca3ea50467673015c81565ebd9ec05b
SHA1 24f2c40e3f4028292c0a312d04cc37c248ce7a29
SHA256 55b66ea55c40f1648f10067041574e82dfd1f4b453b5ca6b30b1e4e6f177c4ac
SHA512 881501d95405a0cdf4de9bdbb279c45961e574a8da84a8170095f007d1c370d0161a71cb5a63a61b5f6f517a889a998b297bb2ffea0bfbfb9a7ba65632174c50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fea7ba27d3917358b6785aeb1cfd0301
SHA1 37865ccd49265a718a3b4cee3df132d299a4841a
SHA256 f314aabf72b5b1f06a38ad5056c6f89dcf92f017499dc6957ceae101bb3e8280
SHA512 8994515fa97612db2fa3eba86b65d2c6a71c0cff07c6b84d3e8076bd76e6d608b5ffdb9d570d0255a79e016d81e397e28f292977f327e2e135e60ec2b8a70a08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c80201ca61827eefc63370ccab90ceb2
SHA1 f65979106cd35c225a6332cb9ddd51c8f55e3026
SHA256 269ac17e50917fabf1bc2e4402d66d24fc646c5a4af77e35cfc2f2ced5acf8df
SHA512 e65922226375ef21dbe65b1a52efb0f368a200b8d242d0c525d864cb44ec49fa9d27056d0745a47b71c777861f216c1c1c161958ea8c10eca591007d10e4e127

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 feb8c04ca13dee7efd7b69072d77cca2
SHA1 f583895627c5725498bafb9e325b4618f7064589
SHA256 be9059040ade6b892aa73bf3c47f08c3897b300cbca79b70187e0711767fb597
SHA512 83d08fda0fefd1f85a989c7ca81b7bd9d2efdb6a3a9770e03c40880dededfe639681aef68ad731b823d6c01b254bc9ead72e253915f560a66ddee166d66c6016

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2093f7eb2b13cd43f127bc3b413f701f
SHA1 70e13bc38a88bdfe4b6be4a3afa5578bd9de16e5
SHA256 3b7e19c475b4123f3c12745d707cf70759fad2b8b9393fa323727ea03e469ee6
SHA512 5b82a9e3c9010c29460940ec8edb4fb043c8a00c04e2ea885b2460dfab23716ec8a194216eadd1747c9d2ca51c46426772739cc97b036e7f38ed223b6c3867ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c11e6f116470241ebd019faabe439f5
SHA1 c456b1fc8df57882a413c5b2835c4b96a15cd18c
SHA256 30acddcee295a432e3d2ff5073801f6cb79567ea38ae34f52c3163d84271d597
SHA512 738ae5ca0062319d5d3b0a39806e64092df6e6b9f70491e3411732927317e723d475aed8ebc5704fe6af4f3bb7b6fa55c1db3e06b0f0fe26cd5ef16e00ac7179

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ddaafb020d21c441e86b170fd31cfdb9
SHA1 acab9245ad8794f196a5659d315e4957ca69adce
SHA256 5f43aaeb569a0da6e190f97ffd685819073d216b66d9205ae81c1a1a55e2c75a
SHA512 cce1e709db6aa497ded07a2c2cbd2c9491fe4d599719db32c2c9c38eebb995144dc7faa8b204715367c6368fb9dbf3b40054c83659c93703fa8c1794769eb45d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1876640f943b27e5d152f99e77f7aead
SHA1 79bd77b71ca281f144ce27c7f2467b9eba221469
SHA256 bfc86c9c54e07f162549cfe61d8efca03850fb0b4056d7636135ff05cc79cf56
SHA512 71206a37c13621dfe4acadc04188019a72fadf75a3b3190b369431498d2b1fef90ef12eec15b96f4a056e94d748d606280034752881e512ee16b1d13c99a3147

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7f4a6c78368fef3ac22c5d1b50a6bc4
SHA1 d7ad1ed475974014a073466f968bcc0ceaf59012
SHA256 559f646ebf53ae32bd4033c600c7405e47296adb4d441f5ff7dec5586f328574
SHA512 a91705a275ded09e1565a3a5616ef67ba3677380b4f32b120cf3fa42d18cea234a056e929369b9508e3101d874ffffdb196ce836983d45f46a0a0b8c7c4bd849

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa7c73d2e025549e2e53366ac2ae6dfa
SHA1 c2de4ab7c701f05771534987e24651b5a3bf34fb
SHA256 0bf5acf4c43e417a2f9a141ce4a6dff2126223da17a77f012ed06a423dcea51a
SHA512 1d939b991ea967681e8fad9e433d83b154942be8633f74acf6f601150a6e4a524dcd2617323369e75f994f32161b3d04c47ccc58ef00dd404702bdbe7d27365f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bdafa8065acc849d7c9e45981d9f691
SHA1 7a81d088f972a669892d834dc92c446b53ec11f0
SHA256 361ebf0b437aafb93a80bfdf284998c66ee546cd47cfae71e2bc65f2f888e7e8
SHA512 06a78bcbff6afe682f26ab1c75df4d10ac7c79b1b54af613c2294fa7830c1bff8baaf8ea66e3abe3cd07826bfcbaa824db69a14ae09f52ce0207b8b81e79cab5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74f1a5b7b6e2246387210a54619cd913
SHA1 e9c4d36bd858e48309f60701f68fd1cfd2daa625
SHA256 ef0f620e4807f1ce8c5b49af557ba86f1e8c19b411187cd23cd36e1087ddb591
SHA512 7701cf8ad5201dbe2ad2e6c1fd8868b4563e867f983ecb99c5e8201e247dd11e25c3e9310c88508144aeb821ae9f5c42bbba6499554951000615b1785559f2ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3121fdf27b442d7f29f43817cab4278a
SHA1 0d3adc078bf36e4a51fbb741ec74fad11f800e9f
SHA256 ce38dc6b1bc704e0bc467fa356a40b5a9b528428d1f2fa33d24781bb74c44209
SHA512 083c57912694a3ff40c140c0bc293d73fd1947e08d8206aa765850e9d6a3746c47b3e15caa7c9dd60673d17a1739fcf2a16e2b4d25c81fe1782bfd86c3385312
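The same CryptnetUrlCache\MetaData path is listed twenty-one times in this run, each time with a different digest, and the Cab4C7C.tmp and Tar4D2C.tmp digests recur unchanged in the behavioral15 run. That pattern is one cache file being rewritten plus environment-generated temp files, not a set of dropped payloads, and none of these digests should go into a blocklist as sample indicators. The following added example is not part of the report: it parses entries in this layout, rejects malformed digests (a truncated hash copied into a blocklist matches nothing), counts distinct contents per path, and labels each entry. The BASELINE_SHA256 set and the OS_CACHE_PATHS pattern are assumptions of mine, to be replaced with a baseline built from clean runs of the same sandbox image.

```python
import re
from collections import defaultdict

# Constructed excerpt: three entries copied from the behavioral7 Files list (the
# Cab*.tmp entry and two of the CryptnetUrlCache entries), in the report's own
# layout: a path line, a blank line, then one "ALGO digest" line per hash.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\Cab4C7C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9283b415722f652a08f3586d3841008
SHA1 0477c3f7ecd0883a6817865a1fd5cbcd26b09937
SHA256 3f7b608451381331209897d84ccddc1c94804eb212abc7bb7ac3b94be015265a
SHA512 aa14a17e7b265952f0ce7cbaceb5e2d3da4c5f6db19cabee5b39a53deaa1868936ef13662126fad8c1dba5c22e38f80cc8f9c948a2ffea567220174747e07bf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8678102da1c0810e2094a43035ee44a0
SHA1 6a9c5da3c811434242fdc932c24fd4867120d1ac
SHA256 724d98c36b2e576adba38f55e0070107afbcfe49b125763c3854470f4ac73b51
SHA512 8a4d806ea6faf2d2fce33e00862e837a93b2ea7049771842ea141fd6973fd9674e93a66530ab6d805f5b68d584f1dd53552bda19b69d961f75fb5882d26ca8b4
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Assumptions, not from the report: a baseline of digests seen unchanged across
# unrelated detonations (this Cab*.tmp digest also appears in behavioral15), and
# path patterns Windows rewrites on its own (CryptnetUrlCache is the crypt32
# certificate URL cache). Build both from clean runs of your own sandbox image.
BASELINE_SHA256 = {"6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf"}
OS_CACHE_PATHS = re.compile(r"\\CryptnetUrlCache\\", re.IGNORECASE)


def valid_digest(algo, digest):
    """True when the digest is hex of the length that algorithm produces."""
    algo = algo.lower()
    return (algo in HASH_LEN and len(digest) == HASH_LEN[algo]
            and all(c in "0123456789abcdef" for c in digest.lower()))


def parse_files(text):
    """List of {"path", "md5", "sha1", "sha256", "sha512"}; a mangled digest is an error."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:                       # any non-hash line starts a new entry
            current = {"path": line}
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"digest before any path: {line!r}")
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if not valid_digest(algo, digest):
            raise ValueError(f"bad {algo} digest for {current['path']}")
        current[algo] = digest
    return entries


def distinct_contents_by_path(entries):
    """path -> number of distinct SHA256 values logged under it. One path with many
    digests is one file rewritten repeatedly, not many files dropped."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["path"]].add(e["sha256"])
    return {p: len(s) for p, s in seen.items()}


def classify(entries):
    """'baseline' if the content is in the cross-run baseline, 'os-cache' if the
    path is one Windows rewrites by itself, otherwise 'review'."""
    labels = []
    for e in entries:
        if e["sha256"] in BASELINE_SHA256:
            labels.append("baseline")
        elif OS_CACHE_PATHS.search(e["path"]):
            labels.append("os-cache")
        else:
            labels.append("review")
    return labels


if __name__ == "__main__":
    ents = parse_files(FILES_TEXT)
    for e, label in zip(ents, classify(ents)):
        print(f"{label:9} {e['sha256'][:16]}... {e['path']}")
    print(distinct_contents_by_path(ents))
```

Only entries labelled "review" are candidates for sample-derived indicators; even those still need the file contents, not just the digest, before they are attributed to the sample rather than to the application that opened it.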

Analysis: behavioral15

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:04

Platform

win7-20230831-en

Max time kernel

107s

Max time network

196s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000d63940e85518ff99a6c3802cab3d2b5f7e5cbae753ac8b35635ade0bb6aab24e000000000e8000000002000020000000968a5966c2c32e8bed1125f6c7f6160e4c0231d59a7b8cd99f6951da118a71f920000000d35c1d3b51128ec60d8a828b0d5f96940e0575743fdaddacbebd290e1df6c31240000000797f2ffd5ba294fb10272f112b11a00a48e865b83de09c03731b81ef31eb2d34e52cbaeb0b65d130de7f812618008f9cc24517f538aa102ab98519afd5133854 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103165" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE27C351-5538-11EE-935A-5AA0ABA81FFA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ad1aa345e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5007.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5096.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


Analysis: behavioral24

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mmultiscripts.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mmultiscripts.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ms.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ms.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mtable.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mtable.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

android-x86-arm-20230831-en

Max time kernel

2724270s

Max time network

157s

Command Line

com.factupx

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json N/A N/A
N/A /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json N/A N/A
N/A /data/user/0/com.factupx/cache/phgpygedzvieza N/A N/A
N/A /data/user/0/com.factupx/cache/phgpygedzvieza N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.factupx

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.factupx/app_DynamicOptDex/oat/x86/ujycFt.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 46fdghhoo11.com udp
US 1.1.1.1:53 31fdghhoo11.com udp
US 1.1.1.1:53 44fdghhoo11.com udp
US 1.1.1.1:53 36fdghhoo11.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 47fdghhoo11.com udp
US 1.1.1.1:53 34fdghhoo11.com udp
US 1.1.1.1:53 43fdghhoo11.com udp
US 1.1.1.1:53 40fdghhoo11.com udp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
US 1.1.1.1:53 36fdghhoo11.com udp
US 1.1.1.1:53 48fdghhoo11.com udp
US 1.1.1.1:53 38fdghhoo11.com udp
BG 171.22.28.202:443 40fdghhoo11.com tcp
NL 142.251.36.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp
BG 171.22.28.202:443 40fdghhoo11.com tcp

Files

/data/data/com.factupx/app_DynamicOptDex/ujycFt.json

/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json

/data/data/com.factupx/cache/phgpygedzvieza

/data/user/0/com.factupx/cache/phgpygedzvieza

/data/data/com.factupx/kl.txt

/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof

/data/data/com.factupx/.qcom.factupx


Analysis: behavioral4

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\demo.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2135331894" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2151113971" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401706212" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef5000000000200000000001066000000010000200000003c3cde5a638f0a4125be428d41ef67031f3f5456905ef0c4589e247701598534000000000e8000000002000020000000ec448a6d38cec17b854edd8d45347f5a10eb4eeba9c954c61548f24b8a1c8d9720000000d502d987d67d460d88df4864bf6903be932568c093e5a61a5749a98f2267e8c1400000002a7fdb9d067c0297d77fe428decbd3dd720ed0f823619191ad85edef9e05a1f071aa7dd0b4bdf081c27dab43d37cdd79712813aff2c265a05e8f2f4ebc07ca41 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2135331894" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d1c88045e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d6cf8045e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef50000000002000000000010660000000100002000000033d5b08e9899ab07a5670a624a7be5d61674c715ec9718e32be0ae9798d8ed65000000000e8000000002000020000000375a8e0f20307563bfc38a4b5b339210cb3299f73d098107e8d5ef24b903dc0f20000000c517de2890ac45ac69f344531c7f3f161b0ce6296885b8b7bf04376527dc7f354000000043dbfc4da2a183f6e4ee0fb3969d78eebd27ce6681057cd1913679e5aa179da6060fbcb25bd2cfc144d5203f063a8aecbb954bb3455ab9b8f0d2874749d3153b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AAC0679E-5538-11EE-9784-FEEDB4A4667E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\demo.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBSMWSRL\suggestions[1].en-US


Analysis: behavioral6

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/916-1-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

memory/916-0-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

memory/916-2-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

memory/916-3-0x00007FFCB0890000-0x00007FFCB0B59000-memory.dmp

memory/916-4-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

memory/916-5-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/4188-0-0x00007FFE3BA10000-0x00007FFE3BA20000-memory.dmp

memory/4188-1-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp

memory/4188-2-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp

memory/4188-3-0x00007FFE79580000-0x00007FFE79849000-memory.dmp

memory/4188-4-0x00007FFE3BA10000-0x00007FFE3BA20000-memory.dmp

memory/4188-5-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\maction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\maction.js

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\multiline.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\multiline.js

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

167s

Max time network

168s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\multiline.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\multiline.js

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

137s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4040e77e45e9d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103104" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004a160ba1b44b4cea5c06e72da9247d8dbfa5f80839583263139c350d86371383000000000e80000000020000200000009c00c82d4b4488c1791e4187232808fd2d73266ab50924030db2fea8b891ae0e2000000068c31b0a0b9c3aa1b2ff997a32ee3d44d7b5d9141456383d55ad6559e76c1c6740000000f9a5039b35feb56b01489900f368cfd91fee5e2a097373a1581bb2c3351f5ae81a7a81823918ab822e3b29baaa5712c18f3dfff54e650fb727cd958c9b0c17e0 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A99BD621-5538-11EE-BD1B-D2B3C10F014B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 2172 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2468 wrote to memory of 2172 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2468 wrote to memory of 2172 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2468 wrote to memory of 2172 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2172 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2172 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2172 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2172 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab54F6.tmp

C:\Users\Admin\AppData\Local\Temp\Tar5AF2.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral16

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2058ca8045e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401706212" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef500000000020000000000106600000001000020000000710937570102eac78757926243ea9fc027d31f6540c9383a456b9dd9c85c780d000000000e8000000002000020000000b02207342a6d1d1625cd578b5329a9a44c0b3a560df95f845c437c9bfbb2a02720000000953fa39ac135ea889f1cf5d232b620c0db8f895eb0e7528f5bb19b573298d6b840000000afe952707fcee54248e8b6eb1ed1573f7abe92cc4cfcc8b02c1a219f00f5b3312032796cce670cceb483f8c748f2b5ab9bc941513ce3e5df0365ffa54c37fe51 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2150746741" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AABAD347-5538-11EE-9784-DA422A6BCB39} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2135277348" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2135277348" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d72dbb839895304dbc3a7dbf8a262ef5000000000200000000001066000000010000200000004ba576573a9f89f8db652c28e8541775de6103a9137d093677f442cbd7a6a81d000000000e800000000200002000000099fdff7fc9a85ded24341fc0aebcbaf0dd4b5d631a754eae45aef3e792acaf2f20000000412aa31e0d5c1064c66aefc5ff1d9bcf5c7fe0aa21bbc1b7a495691b7ff20212400000003af7b8fe8a9c7fd5b3a595accc28e711801d10805807d3f291bbf1142d56f76c1bee3c2dd614bf063de1a890549bfd9e7881302a555b53017a2a86d1da0808c2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f9da8045e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058245" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:17410 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBSMWSRL\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral31

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\no_sleep.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\no_sleep.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\no_sleep.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\no_sleep.js

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/2444-0-0x00007FF91DF30000-0x00007FF91DF40000-memory.dmp

memory/2444-1-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp

memory/2444-2-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp

memory/2444-3-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp

memory/2444-4-0x00007FF95B920000-0x00007FF95BBE9000-memory.dmp

memory/2444-5-0x00007FF91DF30000-0x00007FF91DF40000-memory.dmp

memory/2444-6-0x00007FF95DEB0000-0x00007FF95E0A5000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

134s

Max time network

134s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103105" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000ff779e8a8336ec422713327c18c27b98cd0c8b4abd3000e7a4acdc3ca6365945000000000e8000000002000020000000ad42d2313d9e42e8f18b1a516b02d6b1130e0330b75319fcbfd7ebcf3d301982200000006566aa35be0270552fdc02ba43728f56a5457fd8ef3d886b3fe7f9072d35e96c400000008030afd6d9759ed02d7eabf1d81e141969607d9427e8a0a4d45f177b4226650758260c9390b60037028ae367fa7324a6cd8fdfe0e7554a9ae26fcd9127f530d5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA304DF1-5538-11EE-AB4A-6AEC76ABF58F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0533b7f45e9d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2408 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1736 wrote to memory of 2408 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1736 wrote to memory of 2408 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1736 wrote to memory of 2408 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2408 wrote to memory of 2324 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 2324 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 2324 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 2324 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
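The WriteProcessMemory rows above are the only place this report gives PIDs, and the Processes list is the only place it gives command lines, so reconstructing the process chain means joining the two. The following is an added example, not part of the Triage report: it parses the signature rows (which are repeated verbatim and need de-duplicating), builds the parent-to-child chain, and cross-checks the IE tab process against its frame. The cross-check rests on an assumption stated in the code: that the SCODEF:<n> argument on an IE tab process names the PID of the frame process that spawned it, which is what IE's loosely coupled process model does; the sample rows are copied from behavioral11.

```python
import re
from collections import defaultdict

# Constructed sample: the "Suspicious use of WriteProcessMemory" rows (duplicates kept, as
# the report shows them) and the Processes list from behavioral11 above.
WPM_ROWS = r"""
PID 1736 wrote to memory of 2408 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1736 wrote to memory of 2408 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2408 wrote to memory of 2324 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

PROCESSES = [  # (image, command line) pairs as listed under Processes
    (r"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE",
     r'"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"'),
    (r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome'),
    (r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome'),
    (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2'),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")


def parse_wpm(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image, child_image) edges."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, paths = int(m.group(1)), int(m.group(2)), m.group(3)
        # Both images are absolute paths, so split at the last " C:\" rather than on
        # whitespace; "Program Files (x86)" would otherwise break the parse.
        src, _, dst_tail = paths.rpartition(" C:\\")
        edge = (ppid, cpid, src.lower(), ("C:\\" + dst_tail).lower())
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def process_tree(edges):
    """Build parent->children links; return every root-to-leaf PID chain and a PID->image map."""
    children, image = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
    child_pids = {cpid for _, cpid, _, _ in edges}
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children.get(pid):
            chains.append(path)
        for c in children.get(pid, []):
            walk(c, path)

    for root in [p for p in image if p not in child_pids]:
        walk(root, [])
    return chains, image


def basenames(chain, image):
    return [image[pid].rsplit("\\", 1)[-1] for pid in chain]


def check_scodef(processes, edges):
    """Assumption: an IE tab process carries SCODEF:<PID of the frame process that spawned it>.
    Confirm that PID really is its parent in the tree and that the frame's child image matches."""
    by_parent = defaultdict(list)
    for ppid, cpid, _, cimg in edges:
        by_parent[ppid].append((cpid, cimg))
    results = []
    for img, cmdline in processes:
        m = re.search(r"\bSCODEF:(\d+)", cmdline)
        if not m:
            continue
        frame_pid = int(m.group(1))
        tabs = [cpid for cpid, cimg in by_parent.get(frame_pid, []) if cimg == img.lower()]
        results.append({"image": img, "frame_pid": frame_pid, "tab_pids": tabs, "ok": bool(tabs)})
    return results


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    chains, image = process_tree(edges)
    for chain in chains:
        print(" -> ".join(f"{pid} {name}" for pid, name in zip(chain, basenames(chain, image))))
    print(check_scodef(PROCESSES, edges))
```

On this run the chain is MSOXMLED.EXE (1736) -> 32-bit iexplore.exe (2408) -> 64-bit IEXPLORE.EXE (2324) -> 32-bit IEXPLORE.EXE tab (2776), and the tab's SCODEF:2324 agrees with the tree. Each "wrote to memory of" row here coincides with a process creation by the same parent, which is the usual reason a parent writes into a child it just spawned; the row alone is not evidence of injection into a foreign process.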

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6404.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar6426.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3c3524a9147c3a3479e4b6c8f42e240
SHA1 bade7c82047e55c16d8eaabc6c72e6033ae7b164
SHA256 440a6ce9a4a01e414d9b8ea2bde8577186996869e7444f9370a22c1846848e11
SHA512 4f8b97408d72f7bdd2d380837dfc9605e81055a013ef5dc062307c6ec52974b8e892fe889289f42f961ffb1021fd61aa4ef7d589f365aae59ad7525e82c56c39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9cf39c7b481d044b763245f3949d4e2
SHA1 446d2d228ddcc469a4fd0e65b1f614b5462ad11e
SHA256 e3088426316607bd5748c4e68829939e28ae131ae8a32fba41756ffff2af749d
SHA512 7ab533330f387cb86ec32500665d7803b9456b61e9bd191d36492432e72b5b909418d5d23f6a607604d075159e0878607cddba43efe9c0aff1aa8be4e1388f0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b459f7594de5d9d91c496a02f330da9
SHA1 2dbc253fa831e3a93d80312667c7da6e3e5a1582
SHA256 cc09845a5b5b225a773945583d4db30f72a75fd15c831363dd91c738464b017c
SHA512 a80dcd7ff4ad0b9edeca8f904bd0417360ba2e74d55e53f2f4a187a444d23e30890b4bae3a33b1f880af1cef6cd9030668ed71d343f35112ab0323d4a5f8c572

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 958a6f2012c3c1121c35226929b24252
SHA1 0757bffffae71a53d9356536ee5a7c561886f7fb
SHA256 f37271879c6daeabcf7b037be6be94c739d8f849a462c9020564272fbdbe49cc
SHA512 b09a6262dbd914ae2a7210b8bd7fcd78ed2a1613987ad83e39f1943335009d408d2f8b5122ea93c04ca1eba7a5e75baa80107d61532d174723b7ac50bd151f33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c1605628745e4e770cdff32b42439be
SHA1 9741741e09a8d455e49390b75f6b752fa93ac9d1
SHA256 1c5883544f9d24e21b422ed277b988b9808a6086d45e27ff30480358172578b8
SHA512 a2d54e588a86cec8b188b612381133c9bb993a496ae34b94b750a461c396946046b22832f6863127915ac2346c202028bb0e0382c8e0f9e6df9cf36e9693e32d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06cdb13c968675f5ec3fc35028687b80
SHA1 23bb05a108d3f5d262e3615c92a9a121ae1f730c
SHA256 19712e18003e3f8f2d09564e9237fad5d9bdbfa211a1236e977418593d8b9395
SHA512 6254a5939e649540ad8b11fd0a3ac68822b6d000f78f610138dfdbdb479a83d07de6dc6ced2d03436884c97d1bf95f03eb128a34ea285305a6fb954a4a7976e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12c79982f8b80259186986c0b2bc9448
SHA1 f7eb64bffd5730752c1b704f35410546e7b89b5c
SHA256 85b3e64561f8f815c6d86ae050e4e01400f073c5b4ff199afb34cd264a242053
SHA512 f9bb0a7d3cfca3fd7afd726546a7dedf3ca3b685f8e09cb3f85a6f44392b0ebb3eda2e4de8c0454aa89ff28d50a30a3cc62d4219b340070f9a6cd413f4c088bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 539a98ace4070c698fc9f4a6c4784778
SHA1 23ed204c4a65c44f4461a560d7b19330871fe38d
SHA256 640fdff373098c2b0dbe8b32c0c61ee7354a9197a9cdd776e8563ab705c6240c
SHA512 ab89858d7c1fd7b78882a529f19c3e15d421983c1aa5411ffe94c69ca57047984f6a1a340a33a0adb0d7016f3d3921968d48cb3ad349f7375a93c904f02e06c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2baaeb24d66ba190703d681563b45337
SHA1 a3b653cb0785437443b292d8229712e99f451dc7
SHA256 d2f4b496a96e2de764a542b0e91063c35ab1c334585aaf4d36306eeb378e7198
SHA512 52ffd1db8236f757cae98f6c3680dc09e5c79155ec88eb07fcbec80f094ebfaddb25c3b2e0052d6b1d9bbc83ad935402984350709c7443f51d1a436b756d7d9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 104fbe173d4599f5ad6b7ab5d493ef76
SHA1 c9aa988db3093d9176212fffd2f0535ec5a19ee6
SHA256 5b1f3234fdf80c4f510dda095a05a291b2cbfff88162e34c5e451a581bd05bd2
SHA512 24540b4719eebbb8553d49d020dbcd606c17a10f0aa046fa1724c77c52559b9523beeac870b2cd3bf89f10bd70491d4652c178e8170eb673ad2bca1526bce5d9

Analysis: behavioral12

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
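The Network tables for behavioral32, behavioral8 and this detonation contain nothing but PTR queries to 8.8.8.8: the Windows 10 guest is reverse-resolving addresses it talked to in the background, and the names encode the looked-up IP in reversed octet order. The following is an added example, not part of the Triage report, that parses these rows, recovers the queried IPv4 addresses, and separates the reverse lookups from any real outbound connection so the latter stand out. The sample rows are assembled from the Network tables in this report; which organisations own the recovered ranges is not something the report states, so the code only groups by /8 and leaves attribution to the analyst.

```python
import ipaddress
from collections import Counter

# Constructed sample: rows copied from the Network tables of behavioral32, behavioral8,
# behavioral12 and behavioral11 above (Country, Destination, Domain, Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""


def ptr_to_ip(name):
    """Turn a reverse-lookup name into the IPv4 it asks about, or None if it is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse the report's four-column Network rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "resolver": host, "port": int(port),
                     "domain": domain, "proto": proto, "ptr_ip": ptr_to_ip(domain)})
    return rows


def triage(rows):
    """Split rows into reverse lookups (grouped by /8 of the looked-up address) and everything else."""
    ptr_by_prefix, ptr_ips, other = Counter(), [], []
    for r in rows:
        if r["ptr_ip"] is not None and r["port"] == 53 and r["proto"] == "udp":
            ptr_ips.append(r["ptr_ip"])
            ptr_by_prefix[f"{r['ptr_ip'].packed[0]}.0.0.0/8"] += 1
        else:
            other.append(r)
    return {"ptr_ips": ptr_ips, "ptr_by_prefix": ptr_by_prefix, "other": other}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for prefix, n in result["ptr_by_prefix"].most_common():
        print(f"{n:2d} reverse lookups in {prefix}")
    for r in result["other"]:
        print("non-PTR traffic:", r["proto"], r["resolver"], r["port"], r["domain"])
```

Run this over a whole report and the "other" list is what deserves attention; for the three MSOXMLED and wscript detonations on the Windows 10 image it is empty, while the two IE runs on Windows 7 show only the ieonline.microsoft.com connection.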

Files

memory/868-0-0x00007FFB1D230000-0x00007FFB1D240000-memory.dmp

memory/868-1-0x00007FFB5D1B0000-0x00007FFB5D3A5000-memory.dmp

memory/868-2-0x00007FFB5D1B0000-0x00007FFB5D3A5000-memory.dmp

memory/868-3-0x00007FFB5AD10000-0x00007FFB5AFD9000-memory.dmp

memory/868-4-0x00007FFB1D230000-0x00007FFB1D240000-memory.dmp

memory/868-5-0x00007FFB5D1B0000-0x00007FFB5D3A5000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

120s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\maction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\maction.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

134s

Max time network

155s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\demo.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA53F2F1-5538-11EE-91E1-FAA3B8E0C052} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c083787f45e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000f5d9f35529b264f5622f469cf9b783cdcdbb90c051a4ee3557f6f8fcd2dd3af6000000000e8000000002000020000000562dade802689b25bcc1ec432486d8a1696ddd04e9d5d1aea25e639fa8ed1c7690000000c036a88ad06e8c320314d0ceb412dddacffc3f113d69cb197aeed32b1d797e54be6cfb4cad159aa1d24c675a49bfdcb41cefd22fd3502e1ecba88e6ddfdc203b9a701c9e43a94aacce0c2cb697b33ebb48dc9610e1f93e27584b6b58940c07edd05014e1ab95868d75ce1c8ed80e8e76bc6fc3706313c3d10e5f1161aa2964ef751cac20f333005f1f978e4fd8fa7d204000000015cc9ba8cda6bf913c9ef027f4b2ecf133f944e334d8594978c220552f29ec7974dde3a35664c223e1b0a8e791482548ce3cbec45297f1207cd897c25872dc6c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000395bc0c60ebbb99cd92b0958a9d6b87cbe4d617852b7f90a481300fb2d438390000000000e80000000020000200000001a065c2221206e552bf606cd919e7b452639cbdc5e8e10bdc8f1d650eb4ab3d22000000065924530d43cac73ac62e30d343513c32482d7a8d198e4e448b63687c86d4c1040000000779ce4673b9a3fa24257124e67e2b0cabd118c08d4deccd9b2a3d4e063dc5397fab3b8cc3bfc65e1df6c5d1fb8a1164cd17063d3b1e461cf3e26daa4825d84b1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103125" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
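The "Modifies Internet Explorer settings" tables in behavioral11 and in this detonation look different at first glance because each run uses a different user SID, the IE image name differs in case, and a handful of values (the Recovery\AdminActive GUID, LastProcessed, NextUpdateDate, the DPAPI blobs under NewTabPage) are per-session. Once those are normalised the question is whether the two runs, which opened different inputs, wrote the same things. The following is an added example, not part of the Triage report: it parses the signature rows, masks the SID and the session-specific values, and diffs the two runs. The sample rows are a subset copied from both tables; the list of value names treated as volatile is the author's choice and is labelled as such in the code.

```python
import re

# Constructed sample: a subset of the "Modifies Internet Explorer settings" rows from
# behavioral11 (RUN_A) and behavioral3 (RUN_B). Columns: Description, Indicator, Process, Target.
RUN_A = r"""
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA304DF1-5538-11EE-AB4A-6AEC76ABF58F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0533b7f45e9d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103105" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
"""
RUN_B = r"""
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA53F2F1-5538-11EE-91E1-FAA3B8E0C052} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c083787f45e9d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103125" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
"""

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
OP_RE = re.compile(r"^(Key created|Set value \((\w+)\)) (.+)$")
# Author's assumption: these value names hold timestamps, counters or DPAPI blobs that
# differ on every session, so their contents are masked before comparing runs.
VOLATILE = {"LastProcessed", "NextUpdateDate", "MFV", "DecayDateQueue", "Window_Placement"}


def parse_registry_rows(text):
    """Parse rows into dicts with op ('create'/'set'), type, path, value and process."""
    ops = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.endswith(" N/A"):
            continue
        # The process column is the last absolute path; split there so spaces in
        # "Internet Explorer" and quoted values do not confuse the parse.
        body, _, proc_tail = line[:-len(" N/A")].rpartition(" C:\\")
        process = ("C:\\" + proc_tail).lower()
        m = OP_RE.match(body)
        if not m:
            continue
        vtype, rest = m.group(2), m.group(3)
        path, value = (rest, None) if vtype is None else (lambda p, _, v: (p, v))(*rest.partition(" = "))
        ops.append({"op": "create" if vtype is None else "set", "type": vtype,
                    "path": path, "value": value, "process": process})
    return ops


def normalize(op, mask_volatile=True):
    """Replace the user SID, and optionally per-session GUIDs and values, with placeholders."""
    path = SID_RE.sub("<SID>", op["path"])
    if mask_volatile:
        path = GUID_RE.sub("{GUID}", path)
    value = op["value"]
    if mask_volatile and value is not None and path.rsplit("\\", 1)[-1] in VOLATILE:
        value = "<volatile>"
    return (op["op"], op["type"], path, value, op["process"])


def diff_runs(a_text, b_text, mask_volatile=True):
    a = {normalize(o, mask_volatile) for o in parse_registry_rows(a_text)}
    b = {normalize(o, mask_volatile) for o in parse_registry_rows(b_text)}
    return {"common": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    for mask in (False, True):
        d = diff_runs(RUN_A, RUN_B, mask_volatile=mask)
        print(f"mask_volatile={mask}: common={len(d['common'])} only_a={len(d['only_a'])} only_b={len(d['only_b'])}")
```

With masking on, the two runs (one opened free-text-comment.xml through MSOXMLED.EXE, the other opened demo.html directly in iexplore.exe) produce an identical set of operations; without it, only the session-specific values differ. A footprint that is the same regardless of the input file is what IE's own first-run housekeeping under the user hive looks like, which is worth keeping in mind when reading the "adware spyware" tag the sandbox attaches to this signature.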

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\demo.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab57D3.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar57F6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9b9a367cccaf4f80d272adf5bbf34b9
SHA1 c2731f0c045c61ec33733b09e5a5f3a6dcda49b1
SHA256 8a0d2961d744c8736623f94cb6864e361f5d87eea976da4cb9a7c97cd5bde646
SHA512 6f55ed4087da676b7c343d377cc91bbe16d08154d7c84f7a5cfdccd4e9479da297fc58ab1a4f72a022c999235385c23f015d19488a5e283447f291bf331a47bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c7b327f4d2167e23bf946b5d7c399f3
SHA1 7e3d2ae8a0c6e8050be101b24fd1a9b46f127f63
SHA256 3ba25402b40dcf211e8a5be29352fb7a02fb514bf9dba2e13856012210f775de
SHA512 8e2742b8bff02244f32e3307e2da0ba2372bfa13985f40221c0839072ae5e7e139cc35c152b62a9f35acb067caadaa9f8e0c7700bb40836ce5cf8fb5b6c3f7fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a326ee579c93945963b682c6d8dc165d
SHA1 4f6d202f567d17d8efb35aa1f35270783219b02b
SHA256 735f741098917ce40da3dab9164bddc8937ae13376c5c328d3606aa1e4e73755
SHA512 11e27bbfa8ef507e19a7e03199a9491d21c135c2446d977a04383c12db7f4c4cbeba6e6b90a3afeac609a858442cd9be37d9335a7a87f54fa7ed88645a5e39e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb13f3ac7aa753166b1da0b2f79bbc61
SHA1 889447ee69247ba9c2b6aa97f06d5281bb80542b
SHA256 d847ead823eb52b1d01952267dd53f4b4530e542aa0fcbf4cc413c00dda2083c
SHA512 6bd6e1cdf3fa98063cd00ba1c75f460ada2856e8ddb115cca212d9429e8cb2835bd25c3dd3387d5a41117f0129f0bc5da2a43868f8c5a2037fef340f66b4cb67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e51db188ce9f1bd8776424610ceb0c9c
SHA1 4a13873dada85b958183e3f9f7439568c826f9e7
SHA256 8ce018a7fbcce7fbd3a1ade20927f7b624b2b3c3b71a8e419d7d6c4ea01dd497
SHA512 22d42e75f403508981a93e0472f40deef47d11bceda7b901943da362cbdf447bda5adb009ffeb9de9533c95c463a2e26ae0dee9292040c14e302449f729fcffd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7de935463394d345d10109d4e0412b9
SHA1 7be16bd26527a37574de636e9a6e28e8c9542a68
SHA256 b61d0740dbc7e9925852de1321196a914e9b198c40b27d1539f966269055cc60
SHA512 be97d9a816c834964bfef8b45daf768380729f01cd2b3c9b5e94265804b4dc3dd6fa6a3781457be9f6183cb8a0c8bc0c12e7ab33b7451e9e7110dd166113e3c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3eea76e874c53304e1d955e6c79d5fab
SHA1 c4a3a8321c3f786f5cdcbdd8d8759ae68a1914b4
SHA256 41f7e26dafd0abf5a252a74717cf81c1f8854b9a2364d304bc3fc0798a6261ae
SHA512 3c8ea8839d33f36bb6df61f5abb003574107e7968ebf45a75e0ef0ca95815b8b8030281a8258a3d94c28608146147f1f1196d2f6f178399f01c3306b19c8d191

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc17e9745d9e268d235ab242a5b099dc
SHA1 b97b7f05c809a2dd8fe18d1b876b3154f8650412
SHA256 712ad5baa3ff09129e91137c5b19f4680a38be79a48af1a0b36ba227ea0f08f5
SHA512 b9787689ac9c8727ef3d3c2f9ba265bb24f0bbdce3ac3e5fe90a090be5d4f71cbb609e0633e80ad356d694773592ca686cffd4040ac836d47e9543394ead737c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eeebc7be311d6b28365a3de81c2f5f31
SHA1 9ad5903ac6225e4414b3290db4ddbdeb1d90e7cb
SHA256 b858d6fd5b1fc3211cdaaa9e5b4a0294b3b4f7fdc911b8b238a6089d44b33f61
SHA512 2c7ce944e4ce8c5ef1cf4446dff6b20231bf330e4b5a50283cd45d96768596a5e592fbffad9ed15860e5eedfe558620d6a6e01806cfedda57195dabea44aeb58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1eb2983f7e9db9b7c5926cc471865ff7
SHA1 c4426db7f8cb86fdbf3531d1491a028a8ee335a4
SHA256 8ba0b0455eae53746c12e21659c600d4b7a2a60244425e0a5184754f932136fb
SHA512 72ac38b7efe7f73d7f5e30f928ea032978cccf7862d32a5826f5d190c2e3a7c26d5a3a3497027bce60d1b9881e0d075e525bf66cce667c8d20ef3de3017b37a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a87132fdc2f12058f330b01a40b1834e
SHA1 3d509e3e41accf3be8b2a24c7373492e4a4f9d0c
SHA256 f7b22ef531b0905df8d6012df4bace858a8523f95533dd5dd65778902868c603
SHA512 72a8b69612928ba43331e5a2c3a33cbf2f9043eda067dadc079a6ce39e571b082477d18d0dc0b41e5560b47c48f33fdbbb28e4a2846d8c15068aced06b999108

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f2ba882d78d448475c321f5cd16b6e9
SHA1 f16c8947e07bf9502fd47ab747bceb47a623c332
SHA256 b19d7716b715770fa7ec35b3ae5ccc5dc4d843b6a984d5618a95e72744af4314
SHA512 47a16ff8953146f852536b213a42e7499c686bf8161fd941ab38233e9c8e01b776e187af084fbc07c0ea0b8bf63797d7cd76d036618bd851219fc6a23ae29f8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 092fd0fe41f19f2feed9cf2df6baceee
SHA1 dddcfc89b8dc9c9fb58475bb6e71b2af3210b2e3
SHA256 81f12b16553bb1503319cd5a82a83876df1b715c23fe9d929616c0bbc35531d2
SHA512 ccf71a34e993c732ea3b0a26c1510cfc8c19c055de73631dc552eab5bf49f1e917624f4c20f3d49d37c10d258bbaa28255d813889b040c79706cfa39945abbe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 346e5a2aa8619189ca74504877af163d
SHA1 0a7c6c3589d223421fdf97b98c72994b07d126a0
SHA256 0810ba06e6e3115961e9e0cf007147324b430dcf473dc0c43743a543b43d15cf
SHA512 0efe3a6bbf438bf97862ebea6b4313f7867e76c1e140039b3710a1fc934383aee25de59151f9a77443a1bae0d67265f2f448d69461b80a9c007354d66e8f40ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5b5d7bf0805c5afd460e80e5fa61345
SHA1 f78bd8fc1af1c1f8640bf18249d0ea088dec603a
SHA256 00b8a0bae1fdc3dc81d92a8dc629f1d2353488bc982cc54e60c46c6222a65797
SHA512 17801a34fdf658d91b216f868f1a7066c3cdda565223f9c1dbad1e72df5048850f296fa4ad71a1c0f5638be31f3ad486d7d58120f5c12f9c30b653d0b714a503

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24b1ee4322395d99367be4316cd16164
SHA1 007583ff5eb394fbe4250160c777dd6c827f9558
SHA256 c4512ff51497f3f83264fc88bd0d96773d33a18cf9abe4298682202915d2cf30
SHA512 859c50eea235cea2530c604aacf93b0e3860f5531db177c5aedc59f58d35c78a1dbade961e58ef13664d2a5d64c35f083ee7f9fd3302e81afa2a276acfe7fa97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 292db9a8ec1ad5e1da311e3bbf72a442
SHA1 0c5530db41b6c86f35fd58de096fa5f4d5fbfe9a
SHA256 23efd647d64d99a486dbb0cc1f3e07f139d8e0dad42c0167e8f2de4a0695e305
SHA512 fe914ac68246522c9268f8e178814c974e7b8f1b8e5198ec251899b4be1ccf8391dbb1ba548c685734548894dba356e55a4218ced8d8afd7b714b2fefc9d0043

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8028535dbe41afc95421488770ca590
SHA1 b518f0947334da4b42a59d6221b565164b91bd5a
SHA256 d1be96f691421efb7a96cc04105dd3be0b62459c59909d615b0a073512ffb737
SHA512 fd58a10d5fbea6aae70e7700bdfe46fd310b1ed3aa5107ebcf9e58cdd01b6f74a92d669598a22ed120ae4d513ca1b017fbc482388ed8ebf8b6031ab625c20aea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f448e4a0ec53028a9ca9996c335a4a87
SHA1 ce77d78fa95a4d716399f724c4dcfb813b7cf7a7
SHA256 cea98ed116e88e10d2d0878957f7ddc068e28a9917f4839fc7a6b6513d35dc62
SHA512 8601e5d020378e69c3da8337ac1c3a8941d30efe94d19200dde505aebcf2ce5522c78379d636b9accee4dcef8a7ee309d6f4f9ab1f0c9c5273c7e9ceb877190f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d03df113e6cde7346c542091a575855
SHA1 d736e7f64ca1eb0e1b1b13bb36d620ec91732c78
SHA256 9e88efb3c89a47f10327c916215af0457d1d912fb0fdc0808b525429adb272a9
SHA512 0c6f59cc20a8a1768dc80a3428f32b6503000a34da86a46dcbb3480e9d76cae600a67fb968f50476f8601cc461dbf533820027d9b9f72728de2135797daf68f7

Analysis: behavioral23

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

118s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mmultiscripts.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mmultiscripts.js

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-09-17 09:00

Reported

2023-09-17 09:03

Platform

win7-20230831-en

Max time kernel

120s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mtable.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mtable.js

Network

N/A

Files

N/A