Analysis Overview
SHA256
7142344ff1efa338898a69da6c5081007223717b01b3f4d6207cecb9f646aab0
Threat Level: Known bad
The file 7142344ff1efa338898a69da6c5081007223717b01b3f4d6207cecb9f646aab0.bin was found to be: Known bad.
Malicious Activity Summary
Cerberus payload
Alienbot
Cerberus
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-06 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:07
Platform
android-x86-arm-20231023-en
Max time kernel
2796348s
Max time network
135s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json | N/A | N/A |
| N/A | /data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json | N/A | N/A |
| N/A | /data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
chef.isolate.task
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/chef.isolate.task/app_DynamicOptDex/oat/x86/fTnEmT.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.36.14:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
Files
/data/data/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 941798c87bc19acf81e9a30c5c9d342d |
| SHA1 | 9c729d4edf25fdebabe911858ac4d51551946284 |
| SHA256 | 89418d37f636411e97486c68de47965757b31da3a0b481979865c8efb5804fec |
| SHA512 | d803a09f708f2834f683a22d3077b41d6b7cc512ba41f777ecde4670d2bc63b4a357ff06699e530bf4c3fdbf0b6fd10a6c33e6c8e4b8015955724bfb3fb19cc0 |
/data/data/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 9848f326eb31b8eb6a6aff56e08eaa6f |
| SHA1 | 475866a598c6c9d049f5ed2ffb3410d98edc7159 |
| SHA256 | f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779 |
| SHA512 | cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3 |
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 9848f326eb31b8eb6a6aff56e08eaa6f |
| SHA1 | 475866a598c6c9d049f5ed2ffb3410d98edc7159 |
| SHA256 | f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779 |
| SHA512 | cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3 |
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 9848f326eb31b8eb6a6aff56e08eaa6f |
| SHA1 | 475866a598c6c9d049f5ed2ffb3410d98edc7159 |
| SHA256 | f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779 |
| SHA512 | cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3 |
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 80325e6176a8229b4277a4f9fd3167ef |
| SHA1 | 8a8603a983739865f6eee2d1e354b20a3d830aee |
| SHA256 | cece4981711ef42769076bb78c8f08b0f8e23555bfae65b7c6af42b174163e41 |
| SHA512 | cce27a566dea2b768010540898a2dfaaedf475f49fcd26f5a752b69afddcdb71994701891ee03f7f95ddc1b6ed72aac01e9c7eecde223d4332a842b02895390a |
/data/data/chef.isolate.task/app_DynamicOptDex/oat/fTnEmT.json.cur.prof
| MD5 | dfd93517ab4c755b6bc910f4ceca3d1f |
| SHA1 | 8b8c34ddbdd176af7573a19bd9042abe017add70 |
| SHA256 | ed7637431e8a52051f4fa839460a852dd04a7c945168242bdd839cd653bf955d |
| SHA512 | d981de26a4f0531f73b4bbecac71c002a99b3c24439438ff4ec5dde9a2b78e8a98e3ce81a44dec34f893f26153bf5449f350e07542e17c733383b441d26dcc23 |
Analysis: behavioral7
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win10v2004-20231020-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4001520100" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4020581778" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fd57f8fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000b14171981b58314fc54238e366889926dfdc8628d9edea6e544df5a8d89f43de000000000e80000000020000200000004069494d1f8b89c02b582eb159851424b730ba83261337675398e9e00bd0e86d200000008f14f2eabc422243b9f776d8bf3639e1f814455a322cfbadd6b110a6b9cc3a9340000000751968558a0b319444a9c5cbd06c6ca852d783211bcefb9a4609e5302e8338c91a44cedaa74bac3f45209e1f6fb90960eb93397ac8e440fe9f7b253ac99b082d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000bd24adc3712892e02491fd4dc553f1a5a3d47e4868866a30004f209f1b777257000000000e8000000002000020000000c88fde96a220029be9a9a1a8397847fd8c9f4a807d67a73c1b0dc3e02cb8036620000000140ea7e2e39a03f81040f7dadd915d5024b82a1173f4c923b39f8302e28e6dee400000000511375b5fc64394fb206e2fec87173b1e170dbc9df417bb7f2df6b378c35cd067949b3d7cd3514eb23995c223a2b64f1e2c91629f28753a11f2765bd0558a77 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A1EC692-7CF0-11EE-88E4-D6630BA3544A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073093" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4001520100" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20106bf8fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 4672 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2108 wrote to memory of 4672 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2108 wrote to memory of 4672 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\calendar1.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | appsrentables.net | udp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral9
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win10v2004-20231025-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c673c30fa5e1df4483894e0a711271f900000000020000000000106600000001000020000000d66f2b7cfbd9578ab10857fb37ca5ba079f6ee149daa119de13a6a1309636c5b000000000e800000000200002000000009621640a266199487a72341c4e74e1955bf2916cd45b8d6c6d62e83fd0b56ca200000004e1a6eb6e8cce52f7e07417232a3f98be0f578f62ec818de5cca872e2bb6f9d640000000e4cf0098714a25c3f8526c7bb9efc98b98ff5c83ec211469e966527c56b641dcc6b758dd39e7a83fb46a87f90113a2706a813f1223a90474ca06c5d3e5b74f59 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "23160965" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2C498D75-7CF0-11EE-8286-CEFD533AA927} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\appsrentables.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1004cff1fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068413" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\DOMStorage\appsrentables.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "10816735" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "10816735" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\appsrentables.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073122" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-177160434-2093019976-369403398-1000\{CAC91F9E-2D45-480A-BA89-12C89A12D0C6} | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-177160434-2093019976-369403398-1000\{47C82297-17DD-404F-8818-809D8080E4C7} | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4268 wrote to memory of 2896 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4268 wrote to memory of 2896 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4268 wrote to memory of 2896 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\circle1.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4268 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | appsrentables.com | udp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.213.23.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| FR | 94.23.213.57:443 | appsrentables.com | tcp |
| FR | 94.23.213.57:443 | appsrentables.com | tcp |
| FR | 94.23.213.57:443 | appsrentables.com | tcp |
| FR | 94.23.213.57:443 | appsrentables.com | tcp |
| FR | 94.23.213.57:443 | appsrentables.com | tcp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J9NF6NB1\w-logo-blue-white-bg[1].png
| MD5 | 000bf649cc8f6bf27cfb04d1bcdcd3c7 |
| SHA1 | d73d2f6d74ec6cdcbae07955592962e77d8ae814 |
| SHA256 | 6bdb369337ac2496761c6f063bffea0aa6a91d4662279c399071a468251f51f0 |
| SHA512 | 73d2ea5ffc572c1ae73f37f8f0ff25e945afee8e077b6ee42ce969e575cdc2d8444f90848ea1cb4d1c9ee4bd725aee2b4576afc25f17d7295a90e1cbfe6edfd5 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\39d26rl\imagestore.dat
| MD5 | a08d2281456680ceee95f61510ac076a |
| SHA1 | f878268931ee0be724d57a70ed928216cc025c5b |
| SHA256 | 47d25bc8b83b7e567338a99aa9c3bbfa7698509c61591beedb4ffe28e4e9425a |
| SHA512 | 85c8a38d8aa1e9827e6f934f5d89d981d29b0c1a184bffabc59c97d4d087da9631e8373c26d3797f37990a9933e148c97abae4499fe54c157b79f7fdfdf1c87a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRUT4RU0\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral13
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:05
Platform
win10v2004-20231023-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07cd80efd10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "222044689" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd000000000200000000001066000000010000200000004def024019c4bee5b6bd24b406b1ce26d5fa6c3697c4d970812e1d034f752596000000000e80000000020000200000006c12f08999b1a7fb5884f4bcd94d95f87a6700051cfe0bde0a1bc9cefd9a672620000000036e4938f1347d1180b4b06512da0cd6392ddfa478ccbefbcbd32e9bb29e50ae40000000b6d3eaad37b0853a443cc49e2661c964fd2effe27529c3b5fe6ee72e1cc631f21a2cb8f351004cdda9b04895e97d8dc3b777cf2d48c5e41cf63592a73d3232ff | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c38d0ffd10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "163763477" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "163763477" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068413" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{356C59C4-7CF0-11EE-B196-E2134A816827} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd00000000020000000000106600000001000020000000543c0dc9e1921bb6b829626b2a0ff418fbb381c81dee683dd822b10e53d57fe6000000000e8000000002000020000000398ef6a5320e83dcba5a73612f9deee2e0a9deb761e3bd0db53a1d0f03a1d3ef200000007883dc12a2abe871a8ea169bd43ccf6e465072b42c1e6a260ee1b07ce6edffe540000000bf87caf5ed104be132e9f16eeb5427b30d45fb0c7a3cf2c57a3eab9cba0709e806b7b1f4d98e07df5f5a59ca646c7b40f9b1cdd749ae0c5a3177fec4582db673 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073142" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 4068 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2320 wrote to memory of 4068 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2320 wrote to memory of 4068 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:17410 /prefetch:2
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
memory/1152-20-0x00000136C0940000-0x00000136C0950000-memory.dmp
memory/1152-36-0x00000136C0A40000-0x00000136C0A50000-memory.dmp
memory/1152-52-0x00000136C8DB0000-0x00000136C8DB1000-memory.dmp
memory/1152-54-0x00000136C8DE0000-0x00000136C8DE1000-memory.dmp
memory/1152-55-0x00000136C8DE0000-0x00000136C8DE1000-memory.dmp
memory/1152-56-0x00000136C8EF0000-0x00000136C8EF1000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231023-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\appsrentables.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000aad01ec9e4c0899c87c80dd2f48ed93fa8aa6fbfac941d45296ced3d62a32ff1000000000e800000000200002000000000cd36c304098abb7cc8e304e1d93d713a7f6fe896ecd8f7594c396c21bf7d35900000005a3e78090cd9d30efb5d4baa584d3ca29d50ff4d15fa0521b90d57be569eba3bd808a9594b66433126d27ab769fd16f221e160c3c7c673b064adba6e97f63b734bdde7819a8dacd545ec920ffec3540e3d775032a13c08727aa47761440e175c67add580838877160b72f0c918ed9a2499d93265f7dc54999547371863b75e23ef07bfae839243287034b65cc6ccd93a40000000cd58c504f9060da5d4ee136a802df1e0df34f44e45b2522e60e4d89d7063c5bcbad126e7315d51748e0db6e46730613a3a4e09342b3e45f9e16723e0d5a8042c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd6692000000000200000000001066000000010000200000000c38b2a00be17c90388716919d44c5eee2dec3d89caf4bb776a31d654c496b11000000000e80000000020000200000008359e49c2a306fe573ccf4ef84bfc3920adb634e45e2d78dc69dfc335b6a58f5200000002bea7dd0ae10eb70bdecbd723b103a0e59de940a8ef87f7f57722fe6aa5e322d40000000228adc27eb4f5216bc948f82d3677f298d58fc204d68ca77ff6a1ef56ebdf93849ce4277f19d1021fb634c076c6b32e4ebd615b5ab22930e66c0a623823e5146 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DE0BEA1-7CF0-11EE-945E-4EB5D1862232} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469964" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1020bad1fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\appsrentables.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2920 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2920 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2920 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2920 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\circle1.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appsrentables.com | udp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:80 | appsrentables.com | tcp |
| FR | 94.23.213.57:443 | appsrentables.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab8088.tmp
C:\Users\Admin\AppData\Local\Temp\Tar80D9.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral14
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231020-en
Max time kernel
135s
Max time network
131s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dd2fdffc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469958" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0A60CF41-7CF0-11EE-A7A1-C63A139B68A6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000a70b17a027d0debe2f8100b71d2d06fe192ca659fff911b88d5e87c4b4f9ec35000000000e800000000200002000000074107ada380da13225033d45bdb4197b1fa551f8f0aac64829350b16bb42b28120000000ad00be6abc051ce5b41b19610289c2c76140556477c5ec3fd76d48fbf03afbdc40000000eecb69087bb3c4730424be65be3e764f001a1b12d8597b24d5ee97945f341ec905ea355dd4ebc2f213e3698354ec8ab2dd831ffce9dc01ec0bf72ba5512a1a6a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 2188 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabC302.tmp
C:\Users\Admin\AppData\Local\Temp\TarC401.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral16
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:01
Platform
ubuntu1804-amd64-20231026-en
Max time kernel
6s
Max time network
10s
Command Line
Signatures
Processes
/tmp/libc763d2.so
[/tmp/libc763d2.so]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.194.49:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| NL | 143.244.42.32:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| NL | 143.244.42.33:443 | 1527653184.rsc.cdn77.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:07
Platform
android-x64-20231023.1-en
Max time kernel
2796287s
Max time network
165s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json | N/A | N/A |
Processes
chef.isolate.task
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.251.39.110:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
| NL | 142.250.102.188:5228 | | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | g.tenor.com | tcp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
Files
/data/data/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
/data/data/chef.isolate.task/app_DynamicOptDex/oat/fTnEmT.json.cur.prof
Analysis: behavioral3
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:07
Platform
android-x64-arm64-20231023-en
Max time kernel
2796365s
Max time network
144s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service (the two calls below locate views in another app's window by accessibility ID and by resource view ID, which is how an accessibility-abusing banker reads and drives the foreground app's UI).
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar (the loaded file sits under a .json name in the app's private app_DynamicOptDex directory; the Files section below lists that path with two different content hashes, so it was rewritten during the run).
| Description | Indicator | Process | Target |
| N/A | /data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json | N/A | N/A |
| N/A | /data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
chef.isolate.task
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 216.58.214.10:443 | | tcp |
| NL | 216.58.214.10:443 | | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 172.217.23.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
Files
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 941798c87bc19acf81e9a30c5c9d342d |
| SHA1 | 9c729d4edf25fdebabe911858ac4d51551946284 |
| SHA256 | 89418d37f636411e97486c68de47965757b31da3a0b481979865c8efb5804fec |
| SHA512 | d803a09f708f2834f683a22d3077b41d6b7cc512ba41f777ecde4670d2bc63b4a357ff06699e530bf4c3fdbf0b6fd10a6c33e6c8e4b8015955724bfb3fb19cc0 |
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json
| MD5 | 9848f326eb31b8eb6a6aff56e08eaa6f |
| SHA1 | 475866a598c6c9d049f5ed2ffb3410d98edc7159 |
| SHA256 | f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779 |
| SHA512 | cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3 |
/data/user/0/chef.isolate.task/app_DynamicOptDex/oat/fTnEmT.json.cur.prof
| MD5 | d9aafcff073bd42f1a04014aa624515f |
| SHA1 | 5f42616ec3d9b98a547a8fc6bfdc0de0d3d4236f |
| SHA256 | 71312128869b22147616bc93eab3c65b532adcd77474f7b66f99759f6f832dbb |
| SHA512 | 5479f2ec53ed8ce28d05ad458836a64353b081afb514e6023db6ce51410c281a1e5f61fea0ed5888908ea6d211be4524dd20a591489c2eb73a195ad14e8e36be |
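Two checks worth running on the dropped files listed above, as an added example (this is code written for this page, not part of the report or of the sample): identify a file by its leading bytes rather than its name, since app_DynamicOptDex/fTnEmT.json is loaded as code despite the .json extension, and group the report's file entries by path so that a path written with more than one content hash during the run (as fTnEmT.json was) has every version collected. SAMPLE_DEX and SAMPLE_JSON are constructed byte strings; REPORT_ENTRIES copies paths and SHA256 values from the Files sections above. The /data/data/<pkg> to /data/user/0/<pkg> folding relies on the former being a symlink to the latter on Android.

```python
"""Added triage helpers for the 'Loads dropped Dex/Jar' finding and the Files
entries above. Example code written for this page, not part of the report.

  1. identify_by_magic / extension_mismatch: type a dropped file by its first
     bytes, and flag a code container stored under a non-code name.
  2. distinct_hashes_by_path: find paths written with more than one distinct
     content during the run, merging the /data/data and /data/user/0
     spellings of the same directory.

SAMPLE_DEX and SAMPLE_JSON are constructed; REPORT_ENTRIES copies the
report's own paths and SHA256 values.
"""
import hashlib
from collections import defaultdict

# Leading bytes of the containers this kind of dropper writes. DEX magic is
# "dex\n" followed by a three-digit version and a NUL, e.g. b"dex\n035\x00".
MAGICS = (
    (b"dex\n", "dex"),
    (b"PK\x03\x04", "zip/jar/apk"),
    (b"\x7fELF", "elf"),
)
# Extensions under which each container is legitimately stored.
CODE_EXTENSIONS = {
    "dex": {"dex", "odex"},
    "zip/jar/apk": {"zip", "jar", "apk"},
    "elf": {"so"},
}


def identify_by_magic(data: bytes) -> str:
    """Return the container type implied by the first bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the bytes are a code container but the file name hides that."""
    kind = identify_by_magic(data)
    if kind == "unknown":
        return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in CODE_EXTENSIONS[kind]


def triage_dropped(path: str, data: bytes) -> dict:
    """Summary record for one dropped file: type, hash and name/content mismatch."""
    return {
        "path": path,
        "kind": identify_by_magic(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "mismatch": extension_mismatch(path, data),
    }


def normalize_android_path(path: str) -> str:
    """Fold the /data/data/<pkg> symlink spelling onto /data/user/0/<pkg>."""
    prefix = "/data/data/"
    if path.startswith(prefix):
        return "/data/user/0/" + path[len(prefix):]
    return path


def distinct_hashes_by_path(entries) -> dict:
    """entries: iterable of (path, sha256). Returns {path: sorted distinct hashes}
    restricted to paths that were written with more than one content."""
    seen = defaultdict(set)
    for path, sha in entries:
        seen[normalize_android_path(path)].add(sha.lower())
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


# Constructed sample bytes: a DEX header stored under the report's .json name.
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_JSON = b'{"cfg": 1}'
DROPPED_PATH = "/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json"

# (path, sha256) pairs copied from the Files sections above.
REPORT_ENTRIES = [
    ("/data/data/chef.isolate.task/app_DynamicOptDex/fTnEmT.json",
     "89418d37f636411e97486c68de47965757b31da3a0b481979865c8efb5804fec"),
    ("/data/data/chef.isolate.task/app_DynamicOptDex/fTnEmT.json",
     "f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779"),
    ("/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json",
     "f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779"),
    ("/data/data/chef.isolate.task/app_DynamicOptDex/oat/fTnEmT.json.cur.prof",
     "84d23c496050ca17c1336074f21e9f4d48d86c9fe6266246585dce23359b3ab2"),
]

if __name__ == "__main__":
    print(triage_dropped(DROPPED_PATH, SAMPLE_DEX))
    for path, hashes in distinct_hashes_by_path(REPORT_ENTRIES).items():
        print(f"{path} was written with {len(hashes)} distinct contents: {hashes}")
```

When pulling the real file from the sandbox, run identify_by_magic on it before anything else: a "dex" answer under a .json name is the decisive confirmation of the dynamic-loading signature, and both SHA256 values for the path belong in the IOC set, since only one of them may be the form that is ever loaded.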
Analysis: behavioral4
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231025-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\aps-mraid.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:05
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\aps-mraid.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:02
Platform
debian9-mipsbe-20231026-en
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/libc763d2.so
[/tmp/libc763d2.so]
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:00
Platform
debian9-mipsel-20231026-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/libc763d2.so
[/tmp/libc763d2.so]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win7-20231020-en
Max time kernel
135s
Max time network
155s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469982" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C35B651-7CF0-11EE-91A4-F6B55313AF05} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000002ef622f8fdc201e554fb06482b8efac45ce9db43a8687c320df3eb07bc96af87000000000e8000000002000020000000da8a51b94aef736d87f05640703e1460f31bc42b564f1194691b78fe79458190900000002b8659f18c81aba64ba613ba468cb3facad673bf5223ea0fefeecc6886508382e5dc90d058048f78a28e453fe18e45b29efa4e6420998318b8bb4cb42de977e23946cc75293e1e55166d5fd8f36b7348cc57e2681eccc4dcd40d5a46202d7cabc0b93f515df680a34d0b6ae36cb116dab642572476b78f791ebd992d4b4178cb6b1942fbc809a4750e490e882a4612f9400000000203a8e91593dae4d6c74d9c2a607ac4c1ed735ebefae7aafdfe9de31097907b3613d4af688534f14a3ec81af9b5c6040c0cd0e34f8a961a3eee5dcd98a9ac38 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f076e7f9fc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000004ad777f5380c022d1e2611aca6a739e4d0e8dfaabaed5af3a8442fb9a739b47b000000000e800000000200002000000071e77dfb35bb59cdd1c0c83697f31922176b81bbafb972f237e5d10ab7f3ed95200000005b8b3c856f884b208296c2a52026a0915ae66d4d5031c25a75cfb87097da93eb40000000177638a839f401127e3588877c93a468f0149bb5262015c2c3da0d251ff9b283f4994d88b17b1e86b662f8046e69994822c22c785488f8d16788a63e118b7b3b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2192 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2192 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2192 wrote to memory of 2104 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\calendar1.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appsrentables.net | udp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
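The network tables in the behavioral3 (Android) and behavioral6 (Windows) detonations above mix the sample's own traffic with image background noise: Google Play services and mDNS on the Android image, Bing, Microsoft and reverse (in-addr.arpa) lookups on the Windows images. The following added example (code written for this page, not part of the report) parses rows in the tables' `| Country | Destination | Domain | Proto |` layout, tolerates the swapped Domain/Proto cell order that raw exports of these tables sometimes carry, drops the noise with an allowlist of this example's own choosing, and reports each remaining domain with how many resolver queries were seen and which destinations were then actually connected to. ANDROID_ROWS and WINDOWS_ROWS are taken from the two tables above, with one row deliberately written in the swapped order to exercise the fold. Note what it shows for buuncanlidersvarmi11.com: three queries and no follow-on connection in the table, so the domain was looked up but never contacted during the run.

```python
"""Added example: pull candidate C2 indicators out of the Network tables above.
Example code written for this page, not part of the report.

parse_rows() reads '| Country | Destination | Domain | Proto |' rows, folding
rows whose Domain and Proto cells arrived swapped. candidate_iocs() drops
platform noise and reports each remaining domain with its resolver-query
count and the destinations that were actually connected to afterwards.

NOISE_SUFFIXES is this example's own allowlist. ANDROID_ROWS and WINDOWS_ROWS
are taken from the behavioral3 and behavioral6 tables.
"""

NOISE_SUFFIXES = (
    ".google.com", ".googleapis.com", ".google-analytics.com",
    ".bing.net", ".bing.com", ".microsoft.com", ".in-addr.arpa",
)
RESOLVERS = {"1.1.1.1:53", "8.8.8.8:53"}   # the sandbox images' DNS servers
MDNS = "224.0.0.251:5353"                  # multicast DNS chatter, not sample C2


def parse_rows(text: str):
    """Yield (country, destination, domain, proto) from markdown table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and proto == "":   # swapped cell order
            domain, proto = "", domain
        yield country, dest, domain, proto


def is_noise(domain: str) -> bool:
    """Platform background traffic, matched by domain suffix."""
    d = domain.lower()
    return any(d == s[1:] or d.endswith(s) for s in NOISE_SUFFIXES)


def candidate_iocs(text: str) -> dict:
    """{domain: {'lookups': n, 'connected_to': [dest, ...]}} for non-noise domains.

    A domain with lookups but an empty connected_to list was queried and never
    contacted: it did not resolve during the run, or the sample gave up."""
    out = {}
    for _, dest, domain, _ in parse_rows(text):
        if not domain or domain == "N/A" or dest == MDNS or is_noise(domain):
            continue
        rec = out.setdefault(domain, {"lookups": 0, "connected_to": set()})
        if dest in RESOLVERS:
            rec["lookups"] += 1
        else:
            rec["connected_to"].add(dest)
    return {d: {"lookups": r["lookups"], "connected_to": sorted(r["connected_to"])}
            for d, r in out.items()}


ANDROID_ROWS = """\
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 172.217.23.200:443 | ssl.google-analytics.com | tcp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
| US | 1.1.1.1:53 | buuncanlidersvarmi11.com | udp |
"""

WINDOWS_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | appsrentables.net | udp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 52.38.238.10:80 | appsrentables.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
"""

if __name__ == "__main__":
    for label, rows in (("android", ANDROID_ROWS), ("windows", WINDOWS_ROWS)):
        print(label, candidate_iocs(rows))
```

The allowlist is deliberately suffix-based and short; extend it per sandbox image rather than per sample, and treat a "lookups only" result as an indicator that still needs corroboration (passive DNS, a second detonation) before it goes into a blocklist.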
Files
C:\Users\Admin\AppData\Local\Temp\CabF7E7.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarF8D6.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb144b94fbe97ba306ab4ed051f0001b |
| SHA1 | f6e6e90a6c017dfe7066fd0f564927c3c5930a16 |
| SHA256 | 8c871cc69ba526f5b90ad595a4ea8fcec6369268e517a8ebf00238d62244bd47 |
| SHA512 | b14dc76271ce08d09b2674ca508d4ec275eaaa4c02b8a7e63b2608a2aca0a25b4d65b606d25ccfb3c5fa84a6601de643b603542065680fc90ad076246957d240 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6add199d01947d11379503361c58b45 |
| SHA1 | 4a6472bfa9a0503a19c91ddcd6b3a0d11fe5fee0 |
| SHA256 | 2eb72945d34d84d6bbd443128c76aa96e5d631d6708e0e7a71ac75df2e4fd16c |
| SHA512 | 29cc85bcca5a942805837dd667797d81001bbc11488323de0a5e215dc06b775165774cb2eca6cb5f6eb62e75cb228a7331195a534013f6a26a0ae99c72dddc27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2df88809a6009f66606ff5e9ac0ab11a |
| SHA1 | 4d389a3ae8bcb6438aa3d9fe17dfd60476a8e2c0 |
| SHA256 | 73ef14ea2b03c59da3fee9164500221eb899e7ca9d1cf9b76346d7f0e61fe2db |
| SHA512 | ecd16327ec6405d13ce6611b0a438e009193fa119dae1e6893be0e286c315d829adf60a733cf894658be2d3a049001808746018311904048aae6d0c2bac74a6b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3cd108e36760cc4b25f22dc84acbc8bd |
| SHA1 | e3effa7b976b1e728c39f6a15586320613a62960 |
| SHA256 | cb63db3c52c66cde0055c9e8e7ff2589fd313aa7624f9a0a558d44d1d644c592 |
| SHA512 | ad3a0ddca6a75aaf6fa53195721a3762072132f3af57cc8294451f9628e7b9cfe3d1a5ade35d551880da45532106e2b1cdd70ef6b39ca7153520f791d021afbf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b55cbbe6304e9114cb01a238d00ef798 |
| SHA1 | 148bca63acd46d901475d94d20398f2a98bd4d41 |
| SHA256 | 457fa86f966185564d3fe106f662599abb7a8fb5b04543c9558d25617d0923da |
| SHA512 | 5a1d96f98dcb1afd53f0d48000a717511b0b32737674b7642adf228d66f11d9165bfc3edfef6ac4065495a5318b94bc1c9a0cff792d569eb830423237961cd84 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 453c94825b9509b39a1a9012e42cd1a1 |
| SHA1 | 4b2bd2b0b79dbe4613ebe3d0184181b915d24c9e |
| SHA256 | 4680fd7d4876a4070979d7e7d594789845560a940a7eea830999e6e4960ed783 |
| SHA512 | 1027c74f03b844b68fbb98d727bc3dff56333416960b87982667c6419aa31da16f92dc2e544a69294260e5bbc88b70f8657780f52c3eed7f358ea979a648fa5e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc3c3bd58f82121de52410e87076d843 |
| SHA1 | e3f1a7efe4e73a332548ca419321dbf58dac12da |
| SHA256 | 14c86fde2fff552bbc3f7336434db1911f211a4e8aca619217da4856d6e87096 |
| SHA512 | e0d6fda11ee493524dcd08a69f22c4a9c1d09797e44868286461e2c97588649c68accfb7b9bfec2289f11bf18cb566c3e2e83c0d74f785157b333310619c643f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ed44fdfd737af0786e42a25230d4526 |
| SHA1 | e55c6fd35e4d5caa3ea2d4544a9d82164c5260c7 |
| SHA256 | 6271bb348161d2044e27772fbac055ca33b25b3f0b6bdd12e1d9089ab879fb10 |
| SHA512 | dac3380389220c00df495dd0b8dadd71d60ce99aa094de88e4eec864b220fecfaed960b961c0052237c016036e98c628557da0a6d9d0adb00f261dbcd79dbfa4 |
Analysis: behavioral10
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:05
Platform
win7-20231020-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\dtb-m.js
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:05
Platform
win10v2004-20231023-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\dtb-m.js
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
memory/3992-0-0x000002959BA40000-0x000002959BA50000-memory.dmp
memory/3992-16-0x000002959BB40000-0x000002959BB50000-memory.dmp
memory/3992-32-0x00000295A3FF0000-0x00000295A3FF1000-memory.dmp
memory/3992-33-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-34-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-35-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-36-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-37-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-38-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-39-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-40-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-41-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-42-0x00000295A5110000-0x00000295A5111000-memory.dmp
memory/3992-43-0x00000295A3D40000-0x00000295A3D41000-memory.dmp
memory/3992-44-0x00000295A3D30000-0x00000295A3D31000-memory.dmp
memory/3992-46-0x00000295A3D40000-0x00000295A3D41000-memory.dmp
memory/3992-49-0x00000295A3D30000-0x00000295A3D31000-memory.dmp
memory/3992-52-0x00000295A3C70000-0x00000295A3C71000-memory.dmp
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | e5c2b7071d78f47092d6e57270828644 |
| SHA1 | 2449ec02cd2ecda73ed885145bf7d91d633f6748 |
| SHA256 | 8d61d78c1b0267546bd26581bd237dea91441ba83a3f67e2725b211393d4c28c |
| SHA512 | 159a656b16285f5a328acd5add466ab2b98f3f53f409ab00c06c58639accf9416beb2e4d1b32e5a471c78e716e7f94f13c4aff5990521cf83ca9a87bdf2086f4 |
memory/3992-64-0x00000295A3E70000-0x00000295A3E71000-memory.dmp
memory/3992-66-0x00000295A3E80000-0x00000295A3E81000-memory.dmp
memory/3992-67-0x00000295A3E80000-0x00000295A3E81000-memory.dmp
memory/3992-68-0x00000295A3F90000-0x00000295A3F91000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
win7-20231023-en
Max time kernel
135s
Max time network
134s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ccdfcdfc10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in this export] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469929" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca41000000000200000000001066000000010000200000006995466322f50b65ea32f67ae12758d55df64c085a993e7018eb590ce53169ae000000000e80000000020000200000005c8503f601a48e85fd1edff18860fbe2e47e661c4c1ec4843a2ce664a11e286420000000f9caf514949c1c0434d50339696dc6fc4c9f4a6ceaef6388fb6764d9194d3d6a40000000444157a93103cd1dbb94a8f492b37e1c800c0f5b0a211faec65663e37291fbf74c691048cad4c8e1cbe95e3412291c81b9f154a85fc95e72e494c029e2abb094 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F904AFF1-7CEF-11EE-9B4E-4EB5D1862232} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1264 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1264 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1264 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabA989.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarA9DC.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7baf9c9d435d0cf9cb1546a6e8480ef6 |
| SHA1 | 785b5db0049415d81640c0eff64c4fc835dcdc6b |
| SHA256 | a88a711e3f6c1309b483e44422bfefedf940a821b1571b3e53b4dfb1f6abf903 |
| SHA512 | 87e776df50a1800f5ae46504ca7dd5fe4d96eda95af89afb048cfbd86be9f91b64dc7550ca8870827b87985a5f3bcb09223261bb8ca88fb2a81932639b38b47f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79f8e4279fbf7bd5030e3d6ac5876bb0 |
| SHA1 | 99d7027aebef1ec3425be9a02783b2245a8611e3 |
| SHA256 | 88943fc73b8780500d43fa1d2136b58c37458c89fb59b09bcb9deb085e221f7c |
| SHA512 | 18302bec93267965b987cb43d4420eccec37c7270b45909a6baf936d08b3992902c52f7fc3ef2e47a81bc9d77118806a0a279f189238ae132cb2ee39768e505d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d3782c251a1403afa0c3dccd597b112 |
| SHA1 | 24d32b479e2e37adb2650522bbea4fa891382a8b |
| SHA256 | 739b5d9db8dc0406c0a67c7d0157932f07b05d05928c25bd3e8e2973b4837971 |
| SHA512 | 294a5c1b76db33e3f11abf6a686621c6988c743ad8672e0b1a1b63f4819a907baade2f5211580518da1e8710ac74226827e4a028677b4405869145d5789ea905 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e44dc1af53006141f836f1166660cc1e |
| SHA1 | 21def68bdd8a48572cf4dd2d6292457251150fd0 |
| SHA256 | d7f72fdfbbc60fc87b4fd1ae9f44d62d95b2fc87901cf910ca34b0f21f54b6ca |
| SHA512 | 2837584ad5cb6471460eba9f6d11556d415b6dcdfba4f45a843e9004f7f39854f48d3a556dabaa1fa00f9bcbfefe8f28e0ef679039b98e273e1284e684a62e78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7814cc835885039b7c12d8969c4f282 |
| SHA1 | 4b064845d0aed8c3ffab5c930a741320c166d1a3 |
| SHA256 | 7317b9c634e4270cb2be8b469c0180178aaa6a76a446ce9be5eb44ed8155d1f2 |
| SHA512 | 094600d5a1a86f330c8498b76ccb43dd9583c636b7ef6236495aa8da449cf26e10c8db69d09a7cb32552ddfd872089ce4238a9afef633d8e0d122ce488afaaa9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 323d478deb7c406f24f0540817d90211 |
| SHA1 | 9137020e271631b9835e00cb82321ae4d1a6cf07 |
| SHA256 | 184061f04b95e6062902a5ea4d55adc262a0002457930d070ec90408ea6181fc |
| SHA512 | a8ab431b1a797bf76bb0afa008490756c125f99072cf40c02bf9e6ba498de6928a4591410084bb06b25010359bf215ca637844cb24fccc02b64ca088d6afa60a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f6d4034f9416b2791c55a916db63efe |
| SHA1 | 4747f1a7c5ee5cd37761e862a12cf56b0320e005 |
| SHA256 | fe4c59aca80a5cd4ef9eb179584fbc3116cb20df3189494277b4c615bf00ea7b |
| SHA512 | 4b02d9cde1b40bf31f163289a1c7243c6bb6fe7bff5af4c870305cd3f2833326a05698fbc248f918a8fb33d7b11c9bec22859e2bbd2ced640ac5bdc527ce7ef0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8292f0121ee8ec05011e136717b3c219 |
| SHA1 | f6f8c3dfb3846168f7608efc21e3b0a1a5628b04 |
| SHA256 | ac7124dd5462f70514addf71d59e6a360e8e096a91af7cefc3e5e85df2204ad9 |
| SHA512 | 2a18ee7af96cd9e1b85a5eabda1ad60be789055915d59360219fd88f0a66896a67c915f7b8f964bcb285d370ca98d30365dd1c7405876a75df15a6ec7fdd4b53 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77c56ae3981e7c14e54855c3310dac5e |
| SHA1 | 6b9bb8e2cef28148a42e4e6bbe4212487a7bead6 |
| SHA256 | a82e715c028bc114c80a05d10fd80ddd5db412d97b5cd443e556dae14ca815d2 |
| SHA512 | 2f4a73da5c3c2aaa6f39af43cd21112192338601c54906211297e780f10a1ebf10d0740aab9ab7c47c21e273dc6b6ba4bc94bd9b11678778f7fba038b45e7d9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17a8bedc74dfca33781dbb1217e9fe65 |
| SHA1 | c178fc853bf9dadc3dd1daacb4895943dfcd6936 |
| SHA256 | add2979711dfa035e19241acf8abfbbbcb658608d2321b773a62148e6b9118e8 |
| SHA512 | a684051dca8b9f0d681cc6d3a7cbb04431d987123da7b304b5a203a992cacc3d583943d8b0b8eae6acbaee190f69590063d45827cf69a34f6196bf6210d49f4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4079bb159fbfaaac3e1db6f47d67373c |
| SHA1 | 7f83c337323892a8faff89290a24dc79559dd14c |
| SHA256 | 5c50f20c98b78f6ee6272965058e0c8493ab60bc72bf274a2e2dd479deebb6d4 |
| SHA512 | 1de4d05b3b8b445aad91b456b7dd39a1bdd63e1aabf61a793a00ea0f7d818b5ba06f33dfa564f4d769011a9c2a81554b4a3bd311063888f83bab533668e718e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4452bc37ebba8a2776a6fbef4deb9625 |
| SHA1 | 982ee4f16daf1002d722c5ffd6db284df09cc8cf |
| SHA256 | a7e5662af6997360f78781c5a484857a058e7f3b391afff2f1fe239548907162 |
| SHA512 | 88507ad4c669cb160e6e579b3d95d50267575d811884e2251d2e0ef10200cbbe128a94fc09bd3516b4734061e7e35fb39a9d52d3a6813d88e7676dcfa85fd811 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af0695cc91677bbd24ecbbd139a0e8ef |
| SHA1 | c53bcac1e6b2154a581f40759e6cf2427758309a |
| SHA256 | 4bcc771c07b6e2a0798e51d8fb378a06057b137f1f1122aeca374b391436897a |
| SHA512 | eea2b4c6fe94a78136ef9e4339fc10e98c6cd57efa6617f40176e40da4513206e2ff588e39c10eaf005a6af1b9e13aa02bdacee048eb5b8e71b9b06a89a1d22b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eada2680208d58c7e7704a471d009944 |
| SHA1 | 3b09ebed2a17bb972f2ef699917c5cc2c5ba7e54 |
| SHA256 | b86e418161ccf78a0a6883e4ee886809077ef2caa3076866ff86193fe4347e4f |
| SHA512 | 8fb53d31c27f217f7513361abe7a9ffb08e132d7cae7fd07ffb2028fcebb97a7dafb6210ea5d48a9ecbcdb42c28810c5f7a988980d2817cbb8557b68f7d3764e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f5cb4be557d0084eeb3ac78f84e5689 |
| SHA1 | b54b58036401481798f0481dfd7e3d2813ba672c |
| SHA256 | 2ca5f4815b64a29c04273e32fe15e424fc0130c5fb255b1677982e97095bf33e |
| SHA512 | fe5b003a77fd9eaef37ab018bdab1035ff0f5569a43047828e05c7bdacb9cfdc9408ce4cef811a9b881694ce6606f1fc5c641b9f110a0f30528c1e2b3d99beb1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2620ab9f66b3461c7cd108d8b5fb88c1 |
| SHA1 | 6f49b4f3dd3193189893a7229d414d6dfa45c8da |
| SHA256 | 3e6cc66b8e5f2520f22b7f31fc722d7b313dc7893cd04d8b7d65312ee25f2567 |
| SHA512 | 55554e82a662b608c35076d1a62230d30076781a7e591d2a15d2c3be954cf0937dccfd28a912f0f2f1554e008feb5942e00e4c944df02d15c3989590236019f8 |
Analysis: behavioral15
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:04
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4275002321" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe4f06573e2f04c9485dceedf57e48200000000020000000000106600000001000020000000811603cba70425404e56ce0924cda447bf3a10609103b0ba4b717ecfd1ef43ee000000000e8000000002000020000000f25f5568f5112f533945fdd045c569030d159dcb9b7685c29df359fa6dd52928200000009ed8ea64a4fa8973446353e3a39c330ef0d490bcf13b40b6ec4ea145a8e0df4e40000000c5fc1f17ba2f87e316500ca3f64f1885707cd42bf56c8d3e343d73ce5809ffb52e4bad10d9e0ab533d2e34a5087c1a3f7b7827dde6b3ea9d64c447425c5c1b8e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abe4f06573e2f04c9485dceedf57e48200000000020000000000106600000001000020000000238ff3ff9c6538fa5ce010e99dd65a83a05a40a4a1ef38daf84fbb1d4adbffa9000000000e8000000002000020000000403141108bd6b141f0366c09d61d6f2bf0639b13d79adf166cd998ff990ee87d200000002b1d78e95ab4b0aacfec524f1959c2f183e33f66ac68f2cb4d9f4ed7f3069432400000008d892f377c9532ab2edc528e9fe90e109d39e047804c2ea2bf7d7c7d884de4234f7706dd6b0a9b56d9969c8d708044cc61499c1bb08474ebd57048b328d839a1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0502b00fd10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2A4B28D4-7CF0-11EE-BEE0-F6F16E2EEE59} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bb4c00fd10da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4285315170" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4274846278" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073119" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 4168 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4496 wrote to memory of 4168 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4496 wrote to memory of 4168 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_static_endcard_tmpl.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8T7NIZL\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral17
Detonation Overview
Submitted
2023-11-06 22:00
Reported
2023-11-06 22:03
Platform
debian9-armhf-20231026-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/libc763d2.so
[/tmp/libc763d2.so]