Malware Analysis Report

2024-10-19 11:56

Sample ID 231014-a7hypagd6t
Target 1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64.bin
SHA256 1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64

Threat Level: Known bad

The file 1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus payload

Alienbot

Cerberus

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-14 00:51

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:13

Platform

win7-20230831-en

Max time kernel

120s

Max time network

140s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:15

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:15

Platform

win7-20230831-en

Max time kernel

135s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BAF5CA1-6A93-11EE-BA54-F6205DB39F9E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000000ab2912127fd5a1926f73133f2b7be0b875c63b4538207464f259d1b0d882d3e000000000e800000000200002000000075881eee1bdb0570f2c2e8dc9633b47ff73842eac5903fe0fddf31451c2971dd20000000760307e47b215557860b1fa1fe17a862a53bd0aa3428886d5860596e3af72e824000000037b70c1a15c7f7305a0b440f2f429ac84b414a9bf3f6836990fcfe7640c44c4f4efeb11b49a8c4de6dc4a05489b0be12314e375ef1dbe6fe9f2e39d9dbd2da67 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6061cf30a0fed901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403451032" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae608e716680375af089515825dda297
SHA1 2fce1d949ed380d98a8708ac296f4639f4d03360
SHA256 bfb24f8f351f9a5083d7160db31f4ca420c64ddd28875ae552b7891891c32e9f
SHA512 24b5c9dc454646c48ed0a7a5310283820c1fe939681ba7163416d19429197166e7460587930aff2517479d86aae5b9189af858c991442d7289085950c6a35d10

C:\Users\Admin\AppData\Local\Temp\CabA19D.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarA1A0.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84c6180aa21aff14e76ffda3e2ea834e
SHA1 4eaa0fbcf941c61890de09d941eb63408674d734
SHA256 a6183a3d00d32e6e36f5ceb4064947806e0f72bd2faa14e6584b254969bec55c
SHA512 f9ed4e0ff3f78d775691b5b4810d181a146a0167e8a11b73b7b0222d9bc0e15a0f1776db14987e1876bffeac3aed4cb6900d5f16fc458255e44bd2d162c11e0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f380bcbeb8c631c828bc7903d91a066
SHA1 8a3e67aa830d11dcfb78d006f115e0abf63c3782
SHA256 0c3a3c1dfdf787cd2152bcba1c251819cc496ede380d51d9315ce86452cadecf
SHA512 364578925227d627f1bf0a82ef630a7b99f9d02504bd048dd45c1b95c1fc34f863d4fc6c71dd9d4903e6336c03920dbf0e369aefb6ab285ace30636d43f9c20b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6be92748cac9a5b6212dc846b3ad416e
SHA1 147233608051da2cde5cf9d590f36facdfc410e7
SHA256 57b54290d5a75a4e7adc3b9df5c392e5c94ae85b7ce7f8aaa40390c875d4125f
SHA512 e4594b46766f83d0001770517a4760c9ce55d999cba00910441a7fefc19ceb6255527941b34b7b66431d51fa64d8067fe4f66e100a29d2929ac41c42d1312305

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07b55c736dd15c647c8812211f9c5b53
SHA1 abe52e6bea11a477d55f14045d0afa7237153476
SHA256 54a18ad8b686b82604f4187d28fd770c6fb0ab2172f7ddad88d50aba8ec351f7
SHA512 66ee4e89907a6adf9b7e3c7592a7a6766d38c634f21e3eb422f5eea2990264753fd3f3743724e3b6922283e9a603836925dde6b159ce8a641e6e2eef44991b03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b90da6e143014d7df76ea3358d5a6115
SHA1 cd0b14f9ccae7b371b6426cb7238eddec25a5077
SHA256 ce8281499945a9b1ffa4b6995332563689eacd169185113317647e75e2b1d363
SHA512 32cd7b774f8c5715bece6372d6ccb05556c210ec6fe9b8c0fa67ffae67274d4e963e5f1c1603ff05f4b56579ef1232ef44026edefd1aaccf4e1abf4017969b04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 722db67132055caafe61953cd561f026
SHA1 30016262435fcf96cf2782cadee89435cf3c0515
SHA256 882adb43b65d2baf3a76ccc720f27e14b4ded5c6008bc129c081601d0bcde1f4
SHA512 626559a1482e79b4690cbf760f19e7d08c26c117265640eb3942f8239e4e123ebc8b5074f255b34bb898b5edf043f0d48024dcd249ea0b8599985d556c9aecad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0c9b108768b676fbd804981c10d4ee5
SHA1 6638caf6c4fb86abbbceff90cb14b11f6b1287f2
SHA256 226f53668b59c1be80f6534d51be3be66cb213ef17d603f86dcc36ca87c813d4
SHA512 466cd804983c3cf79165d7bb4a5d35b42d9818ea03434108e0fe5a55bb2472f215394ca9599a93d0ae1e831871127371e06c8a1dc7ede6e931dd37cd0f4b1753

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30483b6af9387f3fec7de480a0fd6a70
SHA1 d804524f2b21c2fcf678f39104cdae0362a2c20b
SHA256 afde15925ada4c3e606a6da64e5a2425fceb297baf4cbc2453c3d274013893e4
SHA512 c11f4753255fe2f0bffe223cdb4bda4d45f23c897561beeca4d411a93b5684166c1732029d9f51f633f3dc28d56a39322154612de619caf88b5c0dec094ab262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c2d85f3a5bebb1238362fafe0006f90
SHA1 cb839b59892d6dd16f479f8f20b23e29bcd78ba1
SHA256 c7094b262c3022e9381789d7cd83771e25d0c729c30374477a70f45b34f4a3e0
SHA512 532239cc7c1835d687af1e085713dacdeb40c1bb9af125ef2f1864ca202223c367b7ad89ce080501960292140c56d8f025481642b6fd8ee7c85645a2564b2d60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8daaf4f145c06396072998d575aa2edf
SHA1 5867dd072d1f169b676a8c5f21fe784546ddea3c
SHA256 b4547f07618c0495be8a6212dccb17404d3956a837f3ad48815e61c3db375f44
SHA512 a15df27fc34c19b6b484420e2e9fea6356f4046b06e54e34e0dd07d584f0a30811395525fb6c3c8602b9e7fc9c2f2ab024cdb0c661804223e82deac605c99c5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13dd6ed296eb20bbd95d1db747100d44
SHA1 746e7318a159e6a87571fb44f3d160881270c266
SHA256 97893bd6a3c9e028df192eb6c401138937e978a010b41333d0c6e8d04c75a451
SHA512 05abe3bb42d572ef5f31c599f2fc7b9957129459c3f3641813028ebb3ee16c46fdd209e44982f5ca67539be4a9d6470e991af9d999c64bb4f95c3dd01c93dbc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f217bbb87b7d03188d3049655104f28f
SHA1 6df679b2fc3821a6d558ba88fcc35dc344700f3d
SHA256 ed0a9b6b6f71ffb4ab076155e9557aac6c6c4ddcbfe5cac93615403a4f033ead
SHA512 76d734a70bf27eb21c4c303c99738292a8d9d48177dc1749d935e517ef436826249b89847eaa296c3784aeb02994ec4c660c1f93a2001fe8bd251e151c15ef89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c95590503f449e2043cb69f54507c6c0
SHA1 0ad3ca50cee947c94255eb55b787da474b76edde
SHA256 88b11568bb07a81aa8774db8184293d94dc4f9e627e3ad19713f974d1cf20b20
SHA512 ec73ddf20a945118e16e5406c17a7878d0c4d2441b6765f9e6795a8e7816b45b5b6956a71d7e95443949bc830e2a3c5a566b86130cb81d26e5da3b25c13d9d8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfb637166f6c082c8210713b0cef8192
SHA1 3c90a2a436664b811f13853dc22ca076cbf3b585
SHA256 bde457de0f4714277fcb8aa08b1ac6ee2fc06aa28017eb86d2bf1f7c85be279c
SHA512 a44bd9a52397a837a31f1dd5c86088594da6c9f1f6399e34a0417f6a4480b513aaf22641375364a48aae4329fed4fb91b02755eb8771dec58e4b0de863c1c637

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e97694635d72b53e6d27dbabd986af2d
SHA1 2e393a93d203c88de674ae4b2ddf0e391011748d
SHA256 b45d421f6c7048349e49634f6b6192bc8f3d1bf32095855c803df974d79b9ea9
SHA512 3d9ada2734cd49ddf3cfaf1759ea72d186ebff9346e11953b97548857c3038936f18c70eec735063c83d00409495d63a29cd3871ddc2f03557e88798ae19c257

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3deed1407f674123e0da884aafa8e5c7
SHA1 d19f7aa4ab07567ec85c5efc5828a7aa23d248d0
SHA256 bbe64f1afdafafd6c4140fc8ee4bb5c5e5e2735b7a04d58bf381dd0e88a9c301
SHA512 1155705df88f4223efa2bb6663925776104992be5fce382af510d3eea794bdc984b0b0d18cac0611682bb8ed5727831ac30284c9c29b037bc410dafe4a7c2f50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cbe04441156d95d33f302852d35fac2
SHA1 f1472ac656850f81e22246b95c14ce8c274031dd
SHA256 9468f56227f5713e2458eb55da1990082bd29eff54f649550eb98dbbb3afa7db
SHA512 ce3169179268c68f5a574deb1e53edd624eaf89def67e1d814384da660ec8c365bb2637456bb6e6867a0e8b7f5cb21b25f314b24f2027b2632fd5abb2e6a6176

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 793bbe657fa7f2affd0572cdf129e699
SHA1 2dab20907586283f7b003a8ebec744ae902e9c0d
SHA256 5c05a6f6e83c016751b5473ada4ae756e7f5773d6322543db1c35d009cc66b94
SHA512 10b4c4c93b5bea7dab8891d8ccb00ae08f647092567da5970e45efd6a1d194438425ea45ca26495eea090e9656c734d841a84fdd6bcbb9cc03b94a89fdd5f9b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 5f18edd9738e5a37308c9303c33bd570
SHA1 f771b01ff3d199bdf8e694d2ac0c1c056cf58ff1
SHA256 18fa8fc727a03980f5cb97fcc85e0c0336bb4351a8386f9d71ad766b6ea6e52a
SHA512 b942ccb005612f654aa2898a76122acbdb777942270e035347e50f38e69e5931a1a748ea9a2541a73bdabde0abf85f369fb1198cd4c2e361fad7acd7484291fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a615a303c0681e69925cda4f6d956183
SHA1 8afad9606c2fb9ed3351bcaf252406a1858b7f1a
SHA256 719d9569a27accd975e3f425171894c7135db05186e34197c6359500b99053b1
SHA512 80f5578a587d5cd0cc72c2feade3ca258cc33eda27cde24fd45cf513613a6837f63b95361ef22a2992c7e8e4384262101c586f9768870f81e2408c6c42a715b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c6f2bbe0da2b29443816bc5029cd13a
SHA1 a5522296956e777e3f3e7ebe08979a11d3dace6a
SHA256 520a837116684ddd8c7b13642e0fb53f3bfe8945ecae17a48bd7ff7e083a4a04
SHA512 f31cdb8720d37c23dd7dce39796e4a5390d0f315ea74d16a5304d3af6ed4acd2657d0330220619ad138461d56cc8a884f964b8d6967f7a4bbaf5fd557e3d200e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66bb9cb8231f8d486b4e8935b0936494
SHA1 30ed5140d6608a947aa406a0d6da474dec316ab3
SHA256 d6b97d4030ac33e0ea60fc3548b9301d78cbd8d5a327631ead21bedaf85c8516
SHA512 11d0cd6e4670d9c14953bcfa9887aed5a55c303bae515e69c9d3e875c74bec375fb20634eac4909c39bb96f39014bcc33a2ba85ad0cf3047ed952be17616ca49

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:12

Platform

win10v2004-20230915-en

Max time kernel

177s

Max time network

201s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404053993" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f0000000002000000000010660000000100002000000005faedb4956065c9aee2c65f49c59d9cb6072952a731d5990608948603625b9a000000000e8000000002000020000000192854d7fc0c8b419744318dda2fb65e56f874a45fd98e54c6060d454cbfcb7520000000f490e78b4215f75182649441086b7c7725e8640e8c87dd3418221cfaa00edf9b40000000c08597b02478bccec663d0b53d1bd452db2ca600316d3d33ec439f72f6743575ca79aaa3e661e36b2e7341e18b8cf9849e87ac7556501daa69468aaea8d308db C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3640144522" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0060ce09ffed901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3672020142" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063711" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000ac23615edb0367cec832a9419a094fb1b46a7dad0ba7aa94bbaea549d7e9fee1000000000e80000000020000200000007bbbb016fbc91cdaa65851a0b87e3be7e5359f1b742f9df0257f431f153a531720000000fd6a5fc5f9b6976c3cf716445daaa0ebeb6abea896868e1a315338ba955572f74000000060f90e3d9460b4177105704df3e5418160187baa5e2cf3eedd5cfbae7355e30f415b07419a84c7412faa7b8815264c4e5990b8dfe2e00a3cbc955a12db6cf4e9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0eb53dd9ffed901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f000000000200000000001066000000010000200000008d71ed8777a9ec0b9e08ea09d00a159793de354a6b4e052538b51dc26e375997000000000e8000000002000020000000865de48c3467b8726b01aa5a07af5398ed270c12c2405246c4613ae9e7d15eab50000000856c2cdee69db71675ee87197b0aa32f47ba4da533b7ef2147ff901fb6204fff3239f0e092ecd3cff30208ddafaa6c9ce246cc6c11616a04dc261082d9f119c2ad50a7054c02d739697b777cbc3d545b4000000012eb0e8253f0123c96715a886e7d718ca1bec250a6c909e2b86ae920673a2a84771e1a7ce134fd5b2e4b735a96931efacce8c566736544f813dd329711fc8c68 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{059C0BC4-6A93-11EE-83FE-56402FC161CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063711" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f0000000002000000000010660000000100002000000006c6d955bd94d5def4d1da9d6dedede2b224134c73246df953ae8bcd57a5811e000000000e800000000200002000000014ebabc6f3bce1a6cbcc3850391a723057a640e48ecd4ddbd35568cee375a4211000000097a04e5faa309aa8411644e8d881b05e400000009f978446ab6f2ec07697ed153dba7b5f50ad99e04c15a228892451ab78421b80ef66ed05badeb29ff42d5a4ed547be1009d5611db9351f497cbf2e4dc5146191 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 042d5e82d5e7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3640144522" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063711" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 131.253.33.200:443 www.bing.com tcp
US 131.253.33.200:443 www.bing.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 200.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:11

Platform

android-x86-arm-20230831-en

Max time kernel

776962s

Max time network

146s

Command Line

com.cattle.way

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json N/A N/A
N/A /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.cattle.way

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.cattle.way/app_DynamicOptDex/oat/x86/efyrx.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.251.36.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.202:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.96.0:443 jsonplaceholder.typicode.com tcp
DE 172.217.23.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp

Files

/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 f3985de7f85cf76cfa98e6c1e0477c61
SHA1 fed6b8d0fd062b72b031fcb2c65dd0eeda29326c
SHA256 77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87
SHA512 94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8

/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 b5c02c909a7078df281f55ca9e60af8a
SHA1 03068e95674919cdbc49a289b2b33b668dff6a40
SHA256 a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a
SHA512 a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9

/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 cd5443f4f22b8a71f1d6aa4c9dc7b95d
SHA1 9044803662bf5b81c8181ed5cd92ec45974875db
SHA256 5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f
SHA512 c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d

/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 2c4612b37cde86d4f83519190d66d5b6
SHA1 cb754ec9cc0b9119e31b843e8eeb0660c40c4d81
SHA256 971148e5eb4e575e3f5ffcdf26a55e86cc94e64b508f740df8e1be7b66f9b44b
SHA512 7dbcc932b9f90a4d4a64737058a6230f7186b381a7f82ce2aa44db2d5ae130daa64b8624242ae5f83e36dd5e371f23cb4463d13c0717237090a39a814efce756

/data/data/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof

MD5 a008c2c74b313e135961c3e3cf7a69d4
SHA1 1d5cb51d6faa3f82ce856667bc6a18bcab459bb2
SHA256 5cb96cdbd1b19e1f8055e95b0210bc06165e423a77297d77bf7e1e435faa48db
SHA512 f50dd40d762e607242e3c97045145fd75cb3ae4f4eee293c761ada55071db9ccb0ba3034cc4310c150bab2c63c7ec302da07fd5ca1c6228f4157c6728b458b5e

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:11

Platform

android-x64-20230831-en

Max time kernel

776968s

Max time network

152s

Command Line

com.cattle.way

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json N/A N/A

Processes

com.cattle.way

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
N/A 224.0.0.251:5353 udp
NL 216.58.214.10:80 play.googleapis.com tcp
DE 172.217.23.202:80 play.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.96.0:443 jsonplaceholder.typicode.com tcp
DE 23.88.40.50:80 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp

Files

/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 f3985de7f85cf76cfa98e6c1e0477c61
SHA1 fed6b8d0fd062b72b031fcb2c65dd0eeda29326c
SHA256 77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87
SHA512 94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8

/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 b5c02c909a7078df281f55ca9e60af8a
SHA1 03068e95674919cdbc49a289b2b33b668dff6a40
SHA256 a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a
SHA512 a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9

/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 cd5443f4f22b8a71f1d6aa4c9dc7b95d
SHA1 9044803662bf5b81c8181ed5cd92ec45974875db
SHA256 5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f
SHA512 c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d

/data/data/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof

MD5 96babf2305587c439faa9d0e6557f562
SHA1 5139e512a9c09e2e65042ef7a86dd87bad52f332
SHA256 a9c98b1da9a516f4d395d7bbaa6dbcbf91beaf3e986738923991f3932037f19d
SHA512 6a20feebddd207cb7a0c234c1165beb22fc00d6fc3bff382c63c5551822a3fd7a997fad1f5d37d78f914b033c3ae6d49e060c849c2688c0f9a7e5c55d70f3c85

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-14 00:51

Reported

2023-10-14 13:11

Platform

android-x64-arm64-20230831-en

Max time kernel

776985s

Max time network

163s

Command Line

com.cattle.way

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.cattle.way

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
NL 142.251.36.10:80 play.googleapis.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp
NL 142.251.36.46:443 tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.96.0:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 23.88.40.50:80 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
DE 23.88.40.50:80 tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
NL 142.251.36.13:443 accounts.google.com tcp
DE 23.88.40.50:80 tcp
US 1.1.1.1:53 cdusochxsreyr udp
US 1.1.1.1:53 cuqslvlzrao udp
US 1.1.1.1:53 dyxfmytka udp
US 1.1.1.1:53 cdusochxsreyr udp
US 1.1.1.1:53 dyxfmytka udp
DE 23.88.40.50:80 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp
DE 23.88.40.50:80 tcp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 edgedl.me.gvt1.com udp

Files

/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 f3985de7f85cf76cfa98e6c1e0477c61
SHA1 fed6b8d0fd062b72b031fcb2c65dd0eeda29326c
SHA256 77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87
SHA512 94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8

/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 b5c02c909a7078df281f55ca9e60af8a
SHA1 03068e95674919cdbc49a289b2b33b668dff6a40
SHA256 a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a
SHA512 a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9

/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

MD5 cd5443f4f22b8a71f1d6aa4c9dc7b95d
SHA1 9044803662bf5b81c8181ed5cd92ec45974875db
SHA256 5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f
SHA512 c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d

/data/user/0/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof

MD5 b8047385addbb9597d0b0b2cfa2beb41
SHA1 7ea408eb3ebdb629531fdfd9cd307758fc80588d
SHA256 c88e704bd411fcf3fedbcdd0633e2710682a0674ff37714f139706ffac6fb6fe
SHA512 cccc3a29b90412d1d6e11f9dfc39aa28ecd6305d553109e70b3ab26db24f76d48fe477ec5b66c99d8c039bfeb87b6c535fa67c3c646339006f2c7af6b71c4a42