Malware Analysis Report

2024-10-19 12:18

Sample ID 230918-xlltsaec95
Target chromeupdate012302_JC.apk
SHA256 65d959c67f2086389e59c7a445a9eee5d8505d51d042e69001959156a4c86990
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

65d959c67f2086389e59c7a445a9eee5d8505d51d042e69001959156a4c86990

Threat Level: Known bad

The file chromeupdate012302_JC.apk was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-18 18:56

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-18 18:56

Reported

2023-09-18 18:59

Platform

android-x86-arm-20230831-en

Max time kernel

2846432s

Max time network

133s

Command Line

com.completebe0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json N/A N/A
N/A /data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json N/A N/A
N/A /data/user/0/com.completebe0/cache/bhvbn N/A N/A
N/A /data/user/0/com.completebe0/cache/bhvbn N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.completebe0

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.completebe0/app_DynamicOptDex/oat/x86/IZlZ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 zaglefolki1.info udp
N/A 185.161.248.142:443 zaglefolki1.info tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 passajire555.live udp
N/A 185.161.248.142:443 passajire555.live tcp
N/A 185.161.248.142:443 passajire555.live tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
N/A 185.161.248.142:443 passajire555.live tcp
N/A 185.161.248.142:443 passajire555.live tcp
N/A 185.161.248.142:443 passajire555.live tcp
N/A 185.161.248.142:443 passajire555.live tcp

Files

/data/data/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 ae7f2afa65682f8cc8895b69828481b5
SHA1 38f3739e2314b4687a7bd3afddb36ed554886f3d
SHA256 68072f003620920c92815d467212e4eb7da00f2f1213e468a0e439d363b1f39c
SHA512 d3a425190b9eed73cc76986ccf68fb76d0d3208edb1ef55b082cd863b0c94eff23b5d29a17648a2707976a674a4b0f6e473af19e51a00e82d7c666d9e65056f9

/data/data/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 3cd4276a4f8b5dccc7fac861851551ef
SHA1 7e7adffd9f0d0de2097029053e524c96d8187af9
SHA256 f02ea34e18b3b4823e8ceb55789cb656aafce21a36d228698bd07f6bbc9f0987
SHA512 f5f02cac02da0ba5737b3abcbc601914484eca61372db4156177df6977c8b64bf3e1c077fdbd6851c54b3d463b7ae5ca3ec209ad3dcd538003c408d67ce1ef69

/data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 8e4612b5633c2f3f03aad82512e10946
SHA1 1ed04da4b21489501338b57999f858d775ff0579
SHA256 863d543d469a91d30fbf78676c5f014496fa2f36f8beda1c6f04a94fa22d6b88
SHA512 f0930dded69c9328957a170df5f78f10668aefd2e7168f6e17214169202750f7e9760dc2f6e6c0dffc593e49ee132fcbecf7597871b57dc71a8ffe958f587312

/data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 0fb583646f5b47949f86d01282ca0435
SHA1 671034886dd68896d4f57c25a51b724aa0f324cb
SHA256 5521e7fdacd279fb031f57c6adf255cc788c86f9ee1e6709b969735d50c2dc84
SHA512 e9226ff0a2ffc2ce0df05b3b247f4f5e2798942fa894ac035d6965d393675a359c5419aa7ac14e09da56763b68787652ad1839aa64e912c377c542b556211e42

/data/data/com.completebe0/cache/bhvbn

MD5 0f298b4d05ac13449acd725c06fa6115
SHA1 da53ed2eb6952b54799328a33fd5275e60a0fcc9
SHA256 773a283d03ea5440eebcbb72b3f98988dc66342f0a8ab6415d9a01346aa407ac
SHA512 5d12aad043cf6a5b879a8285896c9eb73ff96c4ca29de6170db77937e83edf26ebe6aae3ebbd1f8208830f7886e8ce1d64f9fa4c4eccf75f6c86e4ae99b086a5

/data/user/0/com.completebe0/cache/bhvbn

MD5 0f298b4d05ac13449acd725c06fa6115
SHA1 da53ed2eb6952b54799328a33fd5275e60a0fcc9
SHA256 773a283d03ea5440eebcbb72b3f98988dc66342f0a8ab6415d9a01346aa407ac
SHA512 5d12aad043cf6a5b879a8285896c9eb73ff96c4ca29de6170db77937e83edf26ebe6aae3ebbd1f8208830f7886e8ce1d64f9fa4c4eccf75f6c86e4ae99b086a5

/data/data/com.completebe0/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.completebe0/kl.txt

MD5 ada7642875b92b32fee2247c3c725f9c
SHA1 a3aeb51603db27290500e2628088a5a50c8ab659
SHA256 604a38a3b250e5addd8f21224d05ad0a9d0a94c2ee427b6e3c8a8f0576296dcb
SHA512 d585f9bb1f37c79f8c0debda03a07fe94e2371271966ce2d54b16b0dc15b61c8444ecaa5597f110faee3a881212191dbb45ce746073958038c552b43c221fba5

/data/data/com.completebe0/kl.txt

MD5 0495ca452376f4229a5e031fd5292723
SHA1 421ec908de2a49b4eec4f87dafc92c5f7640163c
SHA256 53435a41d798e916b231f305c6733e8d2eae6ac9246fc791729a39becd67bcac
SHA512 2dee7af1963cf1ef37233bb51be16127996a46852d0886c3fd885d3c7ba876d3f5901ea38b1f2f4d56f49b25daa43f89eb3b00eab46e6194400a9e958c0509a2

/data/data/com.completebe0/kl.txt

MD5 95aece3362ee3403e90f9a758ff1cbb0
SHA1 f72ab37371fc22bde24100419d965761ccce476a
SHA256 0d8c0f59258f3b0dd52060653fe7441b24297548ed730ff19e6408074c5ed9d0
SHA512 7196a0cb5c1d211eda06a8a9f14557dd9780e244e75ae0425646ff0a1717cc63ff179bed25517e4d703e3d621e383301fb3174e80d15079202e7069aaba05b76

/data/data/com.completebe0/kl.txt

MD5 c0babf43b500967cd90773d384846a14
SHA1 bda0bd4e74623b2b65814afc5a49bba56dcc68c6
SHA256 526aa2050ea6c74cd55b02f0f43f7ceb765c2863d8baf3d49339afa864fc61c6
SHA512 b17b50754334db59cbc1ee58230aa6487ad2e44303d8fb26f819fe04226a83d9c6c47896635864faff03d2124355e0c13ca7f88fdd92c9405e53be0c984a2b0b

/data/data/com.completebe0/cache/oat/bhvbn.cur.prof

MD5 5f8d01d3a0216c24ba573be1d2c6acc7
SHA1 faa11ba2876cc39196995504e8c6d200a0bc64c4
SHA256 1d56e5a5027f6ff619487ce8538748f4103ecd0aac057aa3c5fc982fd689626c
SHA512 203fbefbefd082ba0a6681dc43b67be4f872441a0b4d8bd800d4c0a95c6ebfe82e15ef2990d5e07fa0b9fdcbdd8ec89ec1887634783acefb7ebec644687cfac1

/data/data/com.completebe0/.qcom.completebe0

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-18 18:56

Reported

2023-09-18 18:59

Platform

android-x64-20230831-en

Max time kernel

2846436s

Max time network

152s

Command Line

com.completebe0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json N/A N/A
N/A /data/user/0/com.completebe0/cache/bhvbn N/A N/A
N/A /data/user/0/com.completebe0/cache/bhvbn N/A N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.completebe0

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.234:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 zaglefolki1.info udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 jikugac818v.vip udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 216.58.214.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 zaglefolki1.info udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 jikugac818v.vip udp
N/A 185.161.248.142:443 jikugac818v.vip tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
N/A 185.161.248.142:443 jikugac818v.vip tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
N/A 185.161.248.142:443 jikugac818v.vip tcp
N/A 185.161.248.142:443 jikugac818v.vip tcp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
N/A 185.161.248.142:443 jikugac818v.vip tcp
N/A 185.161.248.142:443 jikugac818v.vip tcp

Files

/data/data/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 ae7f2afa65682f8cc8895b69828481b5
SHA1 38f3739e2314b4687a7bd3afddb36ed554886f3d
SHA256 68072f003620920c92815d467212e4eb7da00f2f1213e468a0e439d363b1f39c
SHA512 d3a425190b9eed73cc76986ccf68fb76d0d3208edb1ef55b082cd863b0c94eff23b5d29a17648a2707976a674a4b0f6e473af19e51a00e82d7c666d9e65056f9

/data/data/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 3cd4276a4f8b5dccc7fac861851551ef
SHA1 7e7adffd9f0d0de2097029053e524c96d8187af9
SHA256 f02ea34e18b3b4823e8ceb55789cb656aafce21a36d228698bd07f6bbc9f0987
SHA512 f5f02cac02da0ba5737b3abcbc601914484eca61372db4156177df6977c8b64bf3e1c077fdbd6851c54b3d463b7ae5ca3ec209ad3dcd538003c408d67ce1ef69

/data/user/0/com.completebe0/app_DynamicOptDex/IZlZ.json

MD5 8e4612b5633c2f3f03aad82512e10946
SHA1 1ed04da4b21489501338b57999f858d775ff0579
SHA256 863d543d469a91d30fbf78676c5f014496fa2f36f8beda1c6f04a94fa22d6b88
SHA512 f0930dded69c9328957a170df5f78f10668aefd2e7168f6e17214169202750f7e9760dc2f6e6c0dffc593e49ee132fcbecf7597871b57dc71a8ffe958f587312

/data/data/com.completebe0/cache/bhvbn

MD5 0f298b4d05ac13449acd725c06fa6115
SHA1 da53ed2eb6952b54799328a33fd5275e60a0fcc9
SHA256 773a283d03ea5440eebcbb72b3f98988dc66342f0a8ab6415d9a01346aa407ac
SHA512 5d12aad043cf6a5b879a8285896c9eb73ff96c4ca29de6170db77937e83edf26ebe6aae3ebbd1f8208830f7886e8ce1d64f9fa4c4eccf75f6c86e4ae99b086a5

/data/user/0/com.completebe0/cache/bhvbn

MD5 0f298b4d05ac13449acd725c06fa6115
SHA1 da53ed2eb6952b54799328a33fd5275e60a0fcc9
SHA256 773a283d03ea5440eebcbb72b3f98988dc66342f0a8ab6415d9a01346aa407ac
SHA512 5d12aad043cf6a5b879a8285896c9eb73ff96c4ca29de6170db77937e83edf26ebe6aae3ebbd1f8208830f7886e8ce1d64f9fa4c4eccf75f6c86e4ae99b086a5

/data/data/com.completebe0/kl.txt

MD5 464da9feb365e6376271cac7a443b4cd
SHA1 cc2f8957b564cb7502d070116cb3987bd23401d4
SHA256 3e98f09ebdf3c34ef0b8b923e2cd5b4d061fc0ac950d86d24c6720848c43f93f
SHA512 1798d0be2057ff0803eac87c1d231e9503b8b3b916d37503d10afaaf91f199a5e1d4de17824341c92b02e9cd0b09fda288010e3dbaed5eb87846d709729afbc9

/data/data/com.completebe0/kl.txt

MD5 90765cdf010b8f8ffbb578cd100b4362
SHA1 a89841f94cf994ed2bccef03c7eb726c59c8dfe5
SHA256 220b224b7fc677f6a7fa29a6e04625d5084c4119148293a6ff4151b3a97bb99a
SHA512 971a0f7ddb9dbc6fa90fc21aff84d47383496c5fdc32eba1ae0e0e0a22c18633ef03666112922955a4b3bfe1ff4fc942dbce1a82e6dc9440c53a1fffe9c21db3

/data/data/com.completebe0/kl.txt

MD5 13a94abaa65aa4fab9f5ad6f68844a89
SHA1 d42e3cb47bdf05e49498f809128a5bfff4d347f9
SHA256 8dae4e8faaea503f9c0566a750097fb334a68d7fd8d9d046cdc1d19745f99917
SHA512 1a791d4448f33b8c7928182f079e3af861c73f8fddbf7cac23a298a4ec43f962afacd6b6b069a79aba95831fbd0ee996d5495ce5ed5dc316febe2d8007c2ec46

/data/data/com.completebe0/kl.txt

MD5 3862f49d9017e5dfa91a03e6d717b499
SHA1 b0dc5836dc005fc934371d137c1d752b2a187c44
SHA256 6b8e48b91e22eea7f0606b8df75f0e753be2600b7efc43ef68c9fb0242e7d8df
SHA512 a26b736d26c8a8afeead3c9d27a70810ffbd2df95f30a1e5c3966d08430371e15d17ac3e089a4e926212951e7e895c3d4d48caad13aec02dbc15b1117650a6ea

/data/data/com.completebe0/kl.txt

MD5 2a621d0f4115c0542a462f7e00f14859
SHA1 f736120b4f44e84a904008fe75293bb8042bcee9
SHA256 62de884c1deccc6bbd9636c757752dbee9751373cfdd968588f2454854c2006d
SHA512 b1b98c7a13ed908b975732267e1577ad44bf2d960d240dfb8bc19c402c1802f2d228a5d1dbe3dc6fde3601487dad8f2c2b767e05899e648f447f396302ce7596

/data/data/com.completebe0/cache/oat/bhvbn.cur.prof

MD5 ff291226300aca0b0047f2ee9c3878ba
SHA1 d53c97b5fc6fee003d7606791cba297b2f0ffbb5
SHA256 31449e4f8e37f0fe840a0fd4b266f315c344d760918e4384b88f20f1d3e7f8c0
SHA512 2028117fb74460110caf22aa7ff778d0961d83d89e428bafb325a1cb3235b10a8946d8f897444afe6016b46f7d9178dfa3147310dcc84bece15f9e971e4f8541

/data/data/com.completebe0/.qcom.completebe0

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-18 18:56

Reported

2023-09-18 18:59

Platform

win7-20230831-en

Max time kernel

135s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18D63B31-5655-11EE-9884-5A71798CFAF9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401225266" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b00000000020000000000106600000001000020000000b4abd9ffa1becc821cf42fcd381cbdfc98ff2f44cf121d33e07712635f3c9677000000000e8000000002000020000000469bd05f35364e33b3972a397a28345d8ce2ed74f8e784648c19c1304b8d86002000000047a7b7a5107aa07a20f4df16de8f0eae3e51d23c061b479bb15dc99a155cf2c140000000b02680d4169cbff80bac017fdfa577a9595914388e4066acdac919ccb420da22e8275533bc88efc9dfc128ae20c791a612b35fd1a6f095db4a9333d500f6681d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408aa2ed61ead901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b000000000200000000001066000000010000200000003ba616c5a12c81c26bb27c1fb13fef62510b178c2ab912c1e67f8c541a9b06bb000000000e80000000020000200000008e18e3d1305a4a1397336e150a53a9a461bc36788d155f9d1491f556c0bdd8b290000000b3a2cca7f07335f52562a4e98a7d7dd5860e23294e98f67f1ac1b5d31a3c86dfd65480c38018dc9a235acd31e3ca82a5256c0532b7177a53b6ee5d038183e552c2476d8367d2a16ec90a688973f4ddca6bd43aec7d825f5a35d40f83aad60665b42fc3a9cb1dde69707b020d5f039ceb3d0ef4a1703495daa41209636bc7815c79dc5cfe287acd5c586aedb7ff6c0718400000006ea2c7caf72abf7537e0afbf1f14b348f859c0fa018bbcbbcf2705c37cfb306cafc69d397994874e837ccfa04727ad0f14fc58258d2b10f160c6526da8b831a1 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8BBF.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar8BD1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5b94af89daecb387766ea8542bc78b7
SHA1 d5853d4c6e8f52cd77ae861f6940f5688531a848
SHA256 716deef8f614298770a636986983cf05611628b7ee8b2f6a577ed301643572f6
SHA512 04d49f33dacedd997134608c238ef588c4d50242e4f1d69e05bbf9e69b0c34b3b6bbf0bdfc99fa2b09cd27e02106645840e6eb8c0da90379c2b3f5c3930d6081

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 924d9bdfa175a4100f9ca48fb16174b1
SHA1 7c6819c2bda63287437bec8f05601219b5822ca8
SHA256 3d1ce0c0322d736fa5231e8a8dc2c3d066347ffc6c9c4ba5ec976531c8543b5c
SHA512 9ea289a4c700db4c70c3cf5054670678bc04a773585b3cef56275bb732001e724ad817a4ebd4020d79e50e475f12dbc24cf7213c5960b3c5f795d7ab5f2436f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7a62e45c0f9a6e3e9d32a0c836728d5
SHA1 ee28b99f896c741187596ffdaabdef32e642a655
SHA256 dc7770f5bfc07fe9a46c51af8e0c45799e95cf0221dfdc438dfbb31ae2b55266
SHA512 a9bf5d478d387e7e168769f7233e7baeb6a57f2f4e280aef4035a438312d08f0c5925ae2f553d5a5cd57b5173ab3b4f0684f320ed18daeca3e9c3ad0ee36b9ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ebff35a28684fe93407e8146b811018
SHA1 6873343db39cf96206798ceb9a5ebdc3b5674e02
SHA256 8cafd0bb397cac78f37cff24ba7fda08ee8fce46ce2171bc48fa98557c5e690c
SHA512 2a555bbb75d9077114962722ace1dc9a8edaa87865886701bfdb5cc6cc3746f75eeffd2b562afbaf0800fc557fe4353c01b2d5d3bf102da4440340649498342f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03b055b17cfcbeaaeca57b435a67f896
SHA1 aeb09499f4f586cdce4e75242963f66076c2869a
SHA256 118cb659bc0e334b52d7ba932bf069006d997436c591b2146d72381d6468fd10

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-18 18:56

Reported

2023-09-18 18:59

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058529" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f099e1ee61ead901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3975580006" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad35600000000002000000000010660000000100002000000035fa5d3b8c87192ff635e301e9b0ec5decad7791736739b7cb74ffbd52008ca3000000000e8000000002000020000000d7b07824ba64f3df33f9686d6107aff0a346f6b029ce1dbb944c655e7217e7712000000088353fe3c7babe9ba4b9a40ead44faaeeae943b70b8af24594a7169e2743bcd240000000497fa1347af39a02d8444a3564d927c61620f58566ae02237091b39e443f7441811b2e0453a1a4afc2eb2a6afce227219c595ed782d7a2d78678535bf46457e2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3995891736" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40a0c2ee61ead901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401828374" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{18773A12-5655-11EE-941E-56402FC161CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3975580006" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad3560000000000200000000001066000000010000200000000795e79b97feec4b9bef88f74673f95b766584cb0390b951301bb6fa01a214ed000000000e8000000002000020000000976f0766d072327948590bcaf9b13678b5b04df6fd16250fabc36f8c0341c684200000002d7015b629b65ce3fa3c6ba9dceadf77c2725c323cb3a633fd66eeda75dd53144000000078e7ae7e0612a936096337913ab8e52b2d425b478630857e7132d3a5cb3f8bae0dd466be26d52c40ae1a25ad4e41e19ff60b9e33e42642191780d1bbfc2b1cf7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058529" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058529" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:17410 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MRL3SWXH\suggestions[1].en-US