Malware Analysis Report

2024-10-19 11:55

Sample ID 231106-1ww92shb95
Target 65f88e03c976323560c6ce136aeccacf227e46fca1a9e81296eea049d8fa2bcb.bin
SHA256 65f88e03c976323560c6ce136aeccacf227e46fca1a9e81296eea049d8fa2bcb
Tags: alienbot cerberus banker evasion infostealer rat stealth trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

65f88e03c976323560c6ce136aeccacf227e46fca1a9e81296eea049d8fa2bcb

Threat Level: Known bad

The file 65f88e03c976323560c6ce136aeccacf227e46fca1a9e81296eea049d8fa2bcb.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus payload

Alienbot

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Acquires the wake lock.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-06 22:00

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:06

Platform

android-x64-20231023.1-en

Max time kernel

2796164s

Max time network

166s

Command Line

com.clip.shoulder

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json | N/A | N/A

Processes

com.clip.shoulder

getprop ro.miui.ui.version.name

Network

Country | Destination | Domain | Proto
NL | 142.251.36.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
NL | 142.250.179.138:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.64.165.25:443 | jsonplaceholder.typicode.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.206:443 | android.apis.google.com | tcp
NL | 142.250.179.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
DE | 172.217.23.196:443 | | tcp
NL | 216.58.214.14:443 | | tcp
NL | 142.250.27.188:5228 | | tcp
NL | 142.251.36.34:443 | | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.36.14:443 | android.apis.google.com | tcp
NL | 142.251.36.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.208.106:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | | tcp

Files

/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 966afdf8cdddbd6de72f0b2d30cde02e
SHA1 8c91f17f7cfe18fe684d7382cd098a2faf0b3fe8
SHA256 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf
SHA512 fc977a80e296af9e600ce511b0b4758b68072d52b7c40210249b26d97737c774d310a6d449f45555475c01e937d8def3485be5bbc325856cb0475ed9130832cb

/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 033372e71cfe37afa161932ca1514575
SHA1 6ab3eb0a97fefa13be0a0ae2c40d87072e3e28a2
SHA256 080a2ace0567038838d754063aea5a7dc60bae013698e9152683247917842841
SHA512 c556ab68d506ec2bf107f2f1b65d22634c12d2ebb54652db8941d511d864936c316a41437d47db13be2648e131151f9fbaef44c313ae006108e33c9175d42374

/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 fef861697d6e865ffd0ac495bba92bc3
SHA1 796094bd56f01b637c0165d8d734dc00a9481e4b
SHA256 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42
SHA512 fef90c111d11b58dc3a3ef8e50ba362a5d0307adc7d22b83dedbcab765b0926bbf074d7fe6d2a0f36177578432deee6c030b1696492b33b3d5685535d18fa7a8

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:07

Platform

android-x64-arm64-20231023-en

Max time kernel

2796336s

Max time network

169s

Command Line

com.clip.shoulder

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.clip.shoulder

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
NL | 142.250.179.142:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.36.46:443 | android.apis.google.com | tcp
NL | 142.251.36.46:443 | android.apis.google.com | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
TR | 37.148.210.173:80 | 37.148.210.173 | tcp

Files

/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 966afdf8cdddbd6de72f0b2d30cde02e
SHA1 8c91f17f7cfe18fe684d7382cd098a2faf0b3fe8
SHA256 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf
SHA512 fc977a80e296af9e600ce511b0b4758b68072d52b7c40210249b26d97737c774d310a6d449f45555475c01e937d8def3485be5bbc325856cb0475ed9130832cb

/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 033372e71cfe37afa161932ca1514575
SHA1 6ab3eb0a97fefa13be0a0ae2c40d87072e3e28a2
SHA256 080a2ace0567038838d754063aea5a7dc60bae013698e9152683247917842841
SHA512 c556ab68d506ec2bf107f2f1b65d22634c12d2ebb54652db8941d511d864936c316a41437d47db13be2648e131151f9fbaef44c313ae006108e33c9175d42374

/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 fef861697d6e865ffd0ac495bba92bc3
SHA1 796094bd56f01b637c0165d8d734dc00a9481e4b
SHA256 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42
SHA512 fef90c111d11b58dc3a3ef8e50ba362a5d0307adc7d22b83dedbcab765b0926bbf074d7fe6d2a0f36177578432deee6c030b1696492b33b3d5685535d18fa7a8

/data/user/0/com.clip.shoulder/app_DynamicOptDex/oat/xDrdtlu.json.cur.prof

MD5 eafae8a811bc8b926f22285962e14e92
SHA1 3a5c3ef68d49a469a02e6ed3ef21ad9de7483640
SHA256 7e4bcadf0d198f6b9b79175843c03dc38ca4b5362b6831afec0b18d3b18748b9
SHA512 b8f5c592a971335920617328ac6c9b69121366ba0035601be1e935887b2e50ad10cb20b9161861da6594abfe498be5b62069e876193d4c9cd5a2cd3b57992c72

Analysis: behavioral4

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:04

Platform

win7-20231020-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Algebra_zs.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000f443e0f38369785376921683f38a53e821c1fde4b672aaa65e39bc526ee4cf43000000000e8000000002000020000000cff512986d18985518c0b48b5122bfd485c23fa5dcfac93e2a31f168e0cc3c24900000001f30fcca3fb5a1b8c2b2d20bcf35df7c33c5c983eea50ac774b8314a26692ce5586140eb56a0deec1d1fbc6d6ac9cbf8a3f9b9c7a657b160f3f7924a24a2112863f300ab39a6e8ffe72315c6060f7ccffc933e8c389a6623fef20129db71450bf344d36a4e3074ddaebd723eb7b92b6ee684262c83b145d59a68dedf6c925324dfd14c8f1dbe4a52b356ef33bd005d6240000000fd5795f05e3ceb16dc69e53de1c56b624c26184f5d8ab5795b26cd0e95350ef712c5ad1993b420f36e5d64e284700c8476a21ec4bb8182044a1a8c60aec8847e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5022d3dffc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AA8DC91-7CF0-11EE-9F09-7277A2B39E8A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469960" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f54000000000200000000001066000000010000200000008c38ff7871843585a4cc03f854450d1a38705be0aee3afac9198d7513140ee16000000000e80000000020000200000008074d43a2ab3018c12e1b6124e2846bc8fb6313ca656bcf0e66a1f4da44c62f620000000ebe68a4561d4915745baafed08eefef5015fbed65abcb1525620c6d9704379bb400000005bf4415a9cf2f6d2bf97218a43dd97de38468fa8f7c00e9ddc328ad598a96708f3842d06392ecec8651f4d4d20016031f665f8c77645e8bff37de2c82e935ac2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Algebra_zs.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6CF9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar6D59.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89be4e24e4b915da76112f495c386190
SHA1 a8652c731ae81d578a7fbb9d19f917955a666d7c
SHA256 f53b8022e9a66c97faff79dc041420b2dd3832019adb8136dd492c0fcb0c7357
SHA512 5d8f32504126cefc917b0d23bd31c00ffbbb99b1a6099ea98fc71b6444248601c87422cda2f8761d1ac27bbb73c83f8c24f6f49dca7e9c64cdf6ceaa9e222306

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 455218b0f105dabfb06549b73b148969
SHA1 5456af24f12433d91dbf50553b166a948d2fd18e
SHA256 28a8e34bd76e7089cfe4ae322c4ccf756e929007602bb3287efab445a6b79284
SHA512 234200882ad1a08765b86740d223140a7d73e405efe661bf7db2be5bf8c0d0541c3f6f223d8faebd2f10571f802d76fa36923d98ad8293a35a0c28ee42bf99b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 466a50ecec78a40f2a0e863656b1f21f
SHA1 5cf7033718a5e1b690eecdd3e47b07f8b40f6338
SHA256 d864df21f960550337cd9ab9e1fc02f0be873a897e259509532198f24904c730
SHA512 93d5ad29d1ec1cd2215d8ce49f3a49297ce48f8f4c37d7031b7dcea96cac71998509e375f68d560939f39dcb631f922afa8493f711b628b201071d55fcc0cd43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a9b463944648cd5b102f6fa84bb3667
SHA1 7e78394d6c9f471aa2826af7c51954ae4c5f718f
SHA256 48625594cf5fdd08adff2e0f9ed22f720f9b92590f94faf8f03a555b0cbddf07
SHA512 0f7b61bc7a59acb3563ff2e5e0959ffb61cf088ed14a824ba0be40f665ad598dd0009846afdcc8337ae5a3d12470ad3c1b87169f060bcb7bef762b9c6dfee3bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 459646f7065c9708b74357966b94c91d
SHA1 3f6d5ea1709f10b254764e844817727d89cc9f0f
SHA256 d07c01333dd72d205790d444694d775ebb208cc28e2d73efe13f2991762c0f15
SHA512 1dd05b5eed9f8805edeccff9903c0d5acda7cbc9ad0a8456165b26c978406a89a6def53ae5e7e2287de298a217f2bab02d576ac8ba8c0cc63b1fb5bb14b62c6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac019c42ab2154d7652f081b322bfb04
SHA1 f165c80ce569384cc61f43ad1ee713c1ed7267ea
SHA256 8d76e16f0b0b9dc57778a496db30beabc9c3058cf9d55547a7b797b8ff0a8143
SHA512 26e6eb959edbc4838d419063ca2cad0cbf46dcbf3d779b8aaee11b192326ca7cc7efd13c949a28284ebf2e40086d0ea96131f5ecb822c88d12e73c5b3d0f18c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b8e50b6feff80400c414b7b1d1dff54
SHA1 6ffdd121edaa009043c4a7f8ea240116b82107e7
SHA256 4f32b7f16a1360dbd676f17618cb41ec1e9d577b4471a229e5c63ba6fe52fddb
SHA512 1463a53b8f77aa3bd7d806ba4daed8e85506f536fd3ee0a0ec8dfd67c1d9bc9f8bf41987132ae91d36908f6743809deefe4f3748826545f67ceeee435db3229e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5319337ce5984c06f0b28f6158cd0b79
SHA1 2737e36c3d28950deff005dfe996f46fedccb2a2
SHA256 ed331b1b09efefd812d328703a046da898ff8e234b49af1913ba705c8c7d85a4
SHA512 e5704596bef71a96726bb7793a8f3a3ce336a903f26fca4f2d8ad6bf3b703cb36a95406402c00a8829c57b39c6a93ce9bbd3a95fd5d803a3b20859b6942dfc34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a04a702141c5c785d6424dac3ff9c324
SHA1 60879d63464b24badca47f81ead7f7028391528f
SHA256 ef36fe18936154d9c44520da254508953dc7e85e8fef65b52b67516f8dabc0be
SHA512 2269da0e3ed4a3922cc43ecee08f3c1c68635218ba655364c290f7bf1b83116f078a9f1c9cd3b986120307666320855342d1ded15fa649803820fe4c53a590dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a60106a046b33b15f08223ac91d13471
SHA1 fed332fa9bb6d2bd8360eeb0d7cc9657b6cd6e04
SHA256 1294dfeae32549cdd2597a21d953c155e7763f6340160de73df67e288b15987a
SHA512 c1c257f89c4c084e5ecfb401803fc8d4de980847bad611294e23fffd49a243c195a424385d9f60f4acea40521f8313d4e43f2f57eb6c2eb14fbb4709e8e78e0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 979024a11b49ad15cf8d766ba9ffbd98
SHA1 86ebec40a80ec8b8aecce4dff92d40ad3582aa74
SHA256 337b3c968be967c27de7d6b265255c3de6423a7385daf12da35d6ca18fa98fe5
SHA512 9513fb22ad3ce2cee84801ccd198443b7a373decd00f5feb6a6f722ce776d75508eaae99d79512c0bbbf4824174a4ae5a9a91970df1e9aa0c9e3248d31dffd97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84d3ed49c8efd3c4ee0866b1f9d2c89c
SHA1 2b4ca7b72b5aea3d5c467fca9948962649dcb751
SHA256 897beeea6166597988e56b34b43c5e5b3a579c5e629218a288843fa4f95d36ba
SHA512 1f027badaa38f69639346de692f697721bde6f51a7e0d2f730e0f36ac4a3961a9256062debbb8659fd04cacdac8e372222cb9dc59500d697fd7075aaa8d30f11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35bb2dcb7c7c5103c73638c28335e18d
SHA1 10146227bfd44eebfbe5238f6d7ede7f3da4757c
SHA256 083f53f6ef24f7c76c3ce8c53c55a9706c94a52192b345891258305bcbdac710
SHA512 4786655e91ea94c423502400c22337aa79be910255647218d3b6ec15bdd6c7c9874cb72e6395d60f65a9c8698ffbb4e50eda7458398f8f138fae842cbfecf69e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e32525cbfa71edacd5db2bea9d3ed82
SHA1 ff3048a9682993d7a98ce51b3516f966581e09fd
SHA256 892db47401db03cc064689ec48b706d698cad934765463457bb5f6ef52f8c1e1
SHA512 2a560c29902839167c13f4643d25eeb4f3f52899418d3719362dd931f78c8fdee81048c1368f2d3d1c913fa78558eadc7ecda8663f4406c4d740666d9e99266d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93a8df20b01b7bffa95ca649252e5bc1
SHA1 8b2cade5cd0fe36bcffb8dfc03f95776addfd63a
SHA256 f116581146e651e360e6d689f8096070e6c7b281dc0aacdafcd113c3abd58ebe
SHA512 1f0df7d351de030eca78b58999f4e2564b478180d1b5c68c20f51188aec8a19185385fe6c9aec95488cf90c48ef67e393aa7580ecce8bae4d90f1a1797db36f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75dafe1b071e91e4e38d7763377db177
SHA1 774cda2e860b6ce38b1e17257a7f27ed1dd779c1
SHA256 066ff254651d5df72b4005094b0f18bd33b0f694a99d8e05aa4fcdd37294960a
SHA512 d60e178c470e57cd71baaebf1d053b10bb472585315b1cc891fe7371ed7268511f95015595ab905b877620be97a0c8b0b2db6fb65561850b40ab3be3242924bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 affac93b3161949cd6ffeb72a84804d6
SHA1 fbd6142e54c10429052d28630b07c78b0e3fa5f3
SHA256 1d1d855a54a4b6ff40ec76f811e58c8809db9f22e45499ab08d356deec54e118
SHA512 59fd958786b1be21dd0339ac00418711a51325f6c37f7869a69d5f236f7c45096ab580c1385e1dea4a9efb1695222115778125dfa4ee5fb5ce704208cb317c62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 110413c4feb35fddc2d7183be6bd8fcf
SHA1 c98f802b9ae0286cd46e45d1f3f767cd812d03de
SHA256 8720ff95a1d3814a66c2be1e801228e7864c3a99f16d9cf09b67f55250edea0d
SHA512 d3cd27a83c06c32bcb32feca6aa5af91da89840db121d632bcd7e70cae1d7bad7d8713e5a6c4e51d8f7837529edee9ef4225f90cbea0a619dec126242134a111

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win10v2004-20231020-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Algebra_zs.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f7fdccfc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000440e5358c3ffdb243a8a29d367925da267af9d4c89766907697c4f9961f6ba11000000000e80000000020000200000002ad6ce581b76d7894abf40c06900ebe7e5d0a300c4ac4b5eb2b598057f600b3e1000000029bd2f47adbcc6f448abcff35a1bdb5b4000000080d9e93a49b69129813ff57824116928f9e97eae2a900995b946b5298036c5b6cda59aaf3d8376d2f9ee6459da4503e57ac8bbb566efe8c46a15c3a8ad9a3419 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c47000000000200000000001066000000010000200000005e60252f6cfccab17ced85beb29fc51e6bdd293c691be98acdd34611e3d317ed000000000e8000000002000020000000b4361cfb254598a814961bdcf5bc470a7f63b8b3ff0af5977ed929d1aea4f2d5500000001440eace2366ba4aa570ce7d01e63a5556840fea25a203e7e6cd089766700b8065e3fcae92af786edd1cf82b0508311b6948069fb0efe2523fd35ae7ee457229ef2d64798115ce1905d7f15504eb8d8240000000777dbdcc2e85c8a90dce85db1838f8344d35f85b70efa7e6c7256cd527d59a92c42880d949583756c840b0f1e293808a0d9b73bfb39b796d23dde56304075d2d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 6367109fb103da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3414828370" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 6367109fb103da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F72AABCE-7CEF-11EE-91E2-7E7A7571E0BD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c470000000002000000000010660000000100002000000011cc51aac1d2c1b6a743b7cfc7fa7d38d23eed8c3aaa03497234b0c204020207000000000e8000000002000020000000a467b1c9a5ff2b930d71bca8d71f63032709d5849be960ce4eced788869870bf20000000847dd1cb2511f6e7d6cdee32440e2b0d26082b08504abbc212f9a7e2c1396feb400000001369dae0ebf8aadad0d230d93dd365f6e4460401bee3ba37c8c083df5516f0e60f55e25a8a1ddc09ece17766b1b804f484aa4b7b55652e97569d953fa6099c1f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c470000000002000000000010660000000100002000000053317cfe4efead412f931beaae2fb10a84d295ad0baf6ecfe88ad455505dc588000000000e8000000002000020000000bc4fc3cc77efbc264b69e5640427892b64a8413692a73fddc748dafbf82b4472200000000483c973d2614493368b4c1649c8c5adb2b17b97dd6f94ddc3ecc8a7eb9ef6fb4000000078a4a5e63e6afa572027aa42b54e863a8d9428301bd2e585f4e91e3a5f82eb10084d7e7b8db52a89f7ae6c62210e4880c8679d030625bbac5649f0b43752573b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3427797864" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600a11cdfc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3414828370" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000fe262f66816b0915c7e139a3d73a156a7b544bf972a18cb8ec38fe5f18859e41000000000e8000000002000020000000cd02c07174d10b7aff74cb19bcf5e6b93c08ed976c71ae0e116fbda9afddaf4c1000000004c086f7db4ada02b0c2d2896dabea76400000000173e2e2a4727182932bbe1e11fb4f7001b9835f3214b594fc26682ff0acf565326ae29cd3e1eccc59111f49fe4b5012774b599e52493cd76c5b81099eb1df26 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Algebra_zs.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 131.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Temp\Kno93C4.tmp

MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral14

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win7-20231020-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win10v2004-20231023-en

Max time kernel

141s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
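
Most rows in the Network tables of behavioral1, behavioral13 and behavioral15 are PTR queries (x.x.x.x.in-addr.arpa, octets reversed) that Windows sends to 8.8.8.8 for peers it has talked to, not connections initiated by the script. The helper below is an added triage example, not part of the sandbox report: it rebuilds the IP from each PTR name and reports whether that IP also appears as a TCP destination in the same table. The sample input is the behavioral15 table above, embedded as constructed text; the function names are mine.

```python
"""Separate reverse-DNS noise from real peers in a sandbox Network table."""
import ipaddress

# Constructed sample: the behavioral15 Network rows above, one per line.
BEHAVIORAL15_NETWORK = """\
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
"""


def ptr_to_ip(name: str):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # zone-level PTR names are not host lookups
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def parse_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or blank line
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(text: str) -> dict:
    """Split DNS rows into forward lookups, PTRs for hosts the table shows a TCP
    connection to, and PTRs for peers the table does not otherwise list."""
    rows = parse_rows(text)
    tcp_dests = {(r["ip"], r["port"]) for r in rows if r["proto"] == "tcp"}
    tcp_ips = {ip for ip, _ in tcp_dests}
    forward, matched, unmatched = set(), set(), set()
    for r in rows:
        if r["proto"] != "udp" or r["port"] != 53:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            forward.add(r["domain"])
        elif ip in tcp_ips:
            matched.add(ip)
        else:
            unmatched.add(ip)
    return {
        "tcp_destinations": sorted(tcp_dests),
        "tcp_connection_count": sum(1 for r in rows if r["proto"] == "tcp"),
        "forward_lookups": sorted(forward),
        "ptr_matched": sorted(matched),
        "ptr_unmatched": sorted(unmatched),
    }


if __name__ == "__main__":
    for key, value in triage(BEHAVIORAL15_NETWORK).items():
        print(f"{key}: {value}")
```

On the behavioral15 table this yields one real peer (204.79.197.200:443, five connections), one forward lookup (tse1.mm.bing.net), one PTR that resolves back to that peer, and ten PTRs for addresses the table never shows a connection to. Those ten are worth a second look only if the decoded addresses are unfamiliar; here they sit in Microsoft ranges and match the background traffic seen in the other detonations of the same sample.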

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win7-20231025-en

Max time kernel

134s

Max time network

134s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_en.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e7171840000000002000000000010660000000100002000000047b5a3999d992bf85c720accabd551b2cbbef3674a92c5404767b2cc7a9441b9000000000e800000000200002000000028e680a6eec29055580c250d214b00e4ad98913cf3ddf4b9a15e9b859600ac4c200000000f00eb20aebc5567c34b70753ba9902ecbc2bb8fbc0c8e2c4ecc05155c80c30d4000000060fdffcd260079f1011ebecc0e29486db8db58595cc77ca67c88dbda65dd74300f5fe7e465876dccab546f51b0612a4830beb4474f78f9c92940399ce54b1432 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F05ADA51-7CEF-11EE-AF87-7A1D39B0C785} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208a65c5fc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469915" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_en.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab513F.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5190.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb877af8bfc5e498525345ea614d9ad2
SHA1 a0f6203d5095bfb343fa221c933f085fd061190f
SHA256 b17e08c1ee6f00604d7ec559c2a2912fbb9b2e8696b36cc3e3689e1692218911
SHA512 eb4e25ad0b44170ef97f412e1a321b96aff1e46318c913e270bc5a0bdef8264bc7414ad99195a518dfbaaf00d3ccdb453ef6c33364bb37d2bc14651c7b7903e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 374742bd2be7fbcac89283b57efa8066
SHA1 8402490edeb43a085f3a971f22aef32f6e8edc4e
SHA256 cbd71f6e03a6c65d17e959e608ebe4767f30c29b9a4a723ec6a230cd392c71b9
SHA512 beac5fef1d55a53e010be8cc8cd6a40cc1e865f108024fa717e1cb2d30c87356098189253736df8107cdf2501ebd3b23837eb47e4abf4cbf07e02b4c4463efb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4cfb93f795257500574bc630ee03bc8
SHA1 f639840e6498f8857b22dd523d624acd596f488c
SHA256 875c1c95338297904edc60a62d11dcf7fe155512a64cc4617a341bee8c43da90
SHA512 4c3bbf3978b7b127ad10e3bbb829c1025b80295e799fc534836c38f1d77e6371ee7024f0b942acdc6f06151cf5029856d0bbc3d023a90fd81bbb3483bbe23b7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c5e3178383e03885f19b079a44e9e2e
SHA1 a2a2364cdad08874cd2452ce148219a74137b78b
SHA256 1b0cf562e541715a5181a7c61edce99b84924ab44f66cc92bbe57a6cefc62524
SHA512 6e93395aa1f09e93e409653da07318e5c8b17cdd4a385566e1e83ba96f3824340ebf787f40d73bda3ef1b0cd584b4394c8ab137624ebf38945fbf17e451671be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b174fc83fc2e2e969f631099305aa32e
SHA1 c6c2508b2e53438da221c4e891e492c97a5dfc1f
SHA256 8b426f7c452ae2c33b0075c5cbc4de84d81e8af7b77f4f7c57b6346c7c4fcf94
SHA512 92561fd729489a7aa0a8bda90d15fea41ca53d940a8ccd5dbaa65babe71dc8fc08386939a3755e37e03830a74ae4836c57697fcd1e1f20adb5b4357c70b81d37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3615834fd5d8b0ec76e8ed21d3314f38
SHA1 b8ef14534ea9b5ed932a64b40fbd3a8f98229e4c
SHA256 05cce75d1bbb2b826c51b99af1f8bf7f6a96e64ff9d11cf0c6e4d7ef0ce8731d
SHA512 6b7fa5af7aea93a76a986e7848626e86ca8dd6e0d4da5a32519bd003cbb115ed4ee2aa7aa6715e5810d75bf32a912bc3c663e968930a16699726af1bf09feea1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 367bc7c31a2987791340c3e910722540
SHA1 987d31a199b9080900dbcb158c212a78ea8d0c2d
SHA256 a1bb0592fc837bbafc16de7ad4fff9bf9a9351d200d38bdffeb7c7c8711b5c50
SHA512 95066e9e5153f290196d12b89747f4860be53d431de1cc134168550415b0a295a8817a44643430a7bf03fc0aea263a86da4c5a31f0a164f1bbc5c0ccb86669f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5176e323f627823b60d8129fe420b497
SHA1 5ec269ea3e7ba66da663cfd77233a50ad8f640aa
SHA256 f83fd7e8adffd5bb43c4be9fbb157a679a7a8b5940a5788efb961ccbe316ba17
SHA512 dd598b8dbb174f771708cc81a99793aba2ed9af757ce76cce7d565d52229afdcdd3081020529efa8673abcc6f0eb1eda6abfa960251d7bdbdb8fb92908240ad9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 670bf6f8610891c0051d0222fd25f8dc
SHA1 04d0b1447e8ba8c828c3d820b3c7a11e25e9e82a
SHA256 395b36ef676816c74dd54bb2f26abc3b03a3e7a6b457312d42c1da06464a7c45
SHA512 a9338ccb4afa03327bae48e92250d826c59b39893f76e58b014c2b462496bb7566196650fee145d46ac9b499f814cbdc40bb208522d66338062339d808171829

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 102dcabe97080d9a9fd25599ac23192f
SHA1 c397334da0ffbe58711467cf4a7ed5e8a7d635dc
SHA256 ce1e12d1dfe5e7a760b84a13bbd6edc20e7107f1dbca80444a6bdde836b57ba1
SHA512 ee1113b2f017fd6b436d64920382cc00dd1c761abe06afb6c786c3a3564bdfa4c9f8c11edc41cee39af6f9d93bbb88ef23a7dedb05e123e2f2afd065a1a50e3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49291b73e91cd98c034a9d92ec0f4339
SHA1 b652f2417f3e7a6fc9ee04dfc89ad8dd4518b811
SHA256 e857384d0493d4b92aac95a2957538b58cf695132e5eac7a3944151c0a219f20
SHA512 708f276e4371addde3e2a26d3a571665eeb103eeb59175a444b29c877ecffc03fa1565177ee75ddcb8aeeee09cb88531529ce28a35d6009339c004abd4bd9ff3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50922754b3de22ebf33996e762f27feb
SHA1 33ae6e99c686be199b3e05d15cfc9f6b573ddf4c
SHA256 b247550f5b97701b5152dd26b526a108e27d36447fdf60053284a0087394fba2
SHA512 fef2165e1e38d69868e11c32eee01981a687990bc16d2a7f6606ba350dbd6ada6ba85bd45cc01f6baab1ba760bc6d3e519f63976eecf702dda6738288028cb24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 235765f3b95fc0a09f4b119cdd4943fc
SHA1 85006fdee48875db74387b9a497b4381ae6e0ee1
SHA256 94c438f937967a22fbc588c7024c1525c9de7a4f30b0663f08e08a58636656ee
SHA512 9f894498c9a93d8500b505bfe3dd757c18189c4564f9026e498969640333277684bb22d2b57d0a179add11e1e5b88ed3a83294dbfe2e48873a800d287fa0ae53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 661987baeb3266b0f76cffc9e2a5cacc
SHA1 45e4cd8d9b023ec0b79aa0e1041ae28c56a0fa7f
SHA256 09d38b20b11173ee01206150845383511d314d3e63117495b4a8d1c6a8012ff9
SHA512 93c336f30ee0db18aba2abe8f51f9fa1731a82f90b1bae0c1241f344f9d9d21129e8cb05ec04687cb392a294162b5adee9e387b90e6cbe923a18ab90eb6edc0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dfb719940772f7bb2f925c8fe115ce6
SHA1 b5bc56288b1e384516ace5fcc680c2701a719c7d
SHA256 e8be7f71a58de88c1a51432ecd156937fd4a051d4fbbe158a4045556ead15f73
SHA512 2cfe36683cdcd7f0acc5695fc5a898e727d875de76553d5dfdde48f7d9fb0b0848fe66dbfb13dad65ac355516cdc5bf01a3172da1601adf2975e548032b46a26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b263809266f2e9d70184ada47c814b46
SHA1 7fbe79b02a46191e4aae69938ec4fbfa19354383
SHA256 f2daaa6758537f53451f19ccfd667554ade518418923fc44f6f425b12390a8ab
SHA512 0c7efc9934de7c9be03c043d803027d73afc32c9eb305ad12f93768f00a70c72f8277b676d9ebfd40ef995537e59e5b2e6c65d03b62f7e31d370cecc6e90b5e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5bcf46e256c576cc47367da5681f1e4
SHA1 d0bb07deb7a3895790599999844823501857abab
SHA256 5be411e7087f4adb8e8d8086fcb16f6288cc9d2a750388a129f708b84e9c24bd
SHA512 0cf870f04d7386370ca8aa4bea8ae66150be230c70a8d1ba9f1272225d6ae8a452fd2d7e0d706873065a9ce83c7ec1d9ad62a7dbd2f1ab1e0dd26c816f810026

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb3b99ff329ffd687342d2f0da551928
SHA1 9a72e96fa4f7bb6e9878d4241ce188845fcd8e62
SHA256 fd09d6c09bb7fdda6b47f67ce589bfadf6097af449be55e05279d665018a5b81
SHA512 16185083680a9268b2befe0c44805f593489ccfd574441682d20d83e68ca3f4595f810b6ff2185659220fbc1fe51ef6d9af06dfe1ecf1aa39bc5f1cb8200a46a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 452d2874c7603c22a7f8f2122659a1c6
SHA1 20fc16999d62e9bc4ba3c97ccf6bd3140595ccac
SHA256 eb97615d5662ed5c706107d7dccee534e4c88c43b2dcdf52d81d321f1d278276
SHA512 cd87d6fabd574ba96da91703daae31b52690fadac75c0612cf08422c2163e1105f2b6833dd22e2be54effdfef8cd89cfcac6539ce11a8d78b1beb4b84051b166

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b993c0615c545132ce813ca96784dd0
SHA1 03bbb27a2889c419e54c1ba33a319dade68992a1
SHA256 8fccb5ad944990c85429671e016dbfaa9fd4cf9a253f4ac1202907b6e2afc326
SHA512 b5b5bf42921fc8889ca46c8be87974d170fcf849241a7e51b80a9dd6ef3a3cca90347a6ea69135e74fe4607e42f2ca3155e7ea73036a42f2be6136842b88c252

Analysis: behavioral11

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win10v2004-20231025-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:04

Platform

win7-20231020-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win7-20231023-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win10v2004-20231023-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_en.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd00000000020000000000106600000001000020000000b1b8ae6cbe9897ffa224303210858e48c7d850c08558859e6d5e87962be63953000000000e800000000200002000000097bcfb258c06ea14c385a663ee1d6bae13860e0b81230245a605c85d634919282000000050ee7ff4ea63baa5313ff02e71ac1728b194e5f5627e84381eeadf1eb77eee3940000000b5e073e2a8894ca8b3d49953fdc89819cf6fdcb2517b3fadfe3a865d9f7cd007179fbad4eade1094023b037f5fc3868df9673265759f2144aab9b1e5c4e3c3a0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4094c9d2fc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd000000000200000000001066000000010000200000002eee64f5e70161d96d0befec6844833ef249560d816a7812c955529cf34f2bf0000000000e80000000020000200000001853fd9fc6a39b9236b58af1b3f404129f18cd677828bdba7c97ace35d45032220000000e453775d8995b84f115163a0b91be087808876fd39995831b75428fb96a628f34000000059262bbc2ea1b65ab0f6f20466c1dd3fcf5daa5b500883e553182e710c8dcdc92a7d1b4827945dcac3a8feb79f673194391aeea86d50a8ba959a7f18d3c34b50 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073043" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3460496096" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a08bd2fc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3460496096" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F9D96ACC-7CEF-11EE-B196-62262E857B52} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3522370979" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_en.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 170.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 32.144.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/8-16-0x0000023314EA0000-0x0000023314EB0000-memory.dmp

memory/8-32-0x0000023314FA0000-0x0000023314FB0000-memory.dmp

memory/8-48-0x000002331D310000-0x000002331D311000-memory.dmp

memory/8-50-0x000002331D340000-0x000002331D341000-memory.dmp

memory/8-51-0x000002331D340000-0x000002331D341000-memory.dmp

memory/8-52-0x000002331D450000-0x000002331D451000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:03

Platform

win7-20231023-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_zs.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EFA2DCC1-7CEF-11EE-AF89-7E017AD50F09} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca4100000000020000000000106600000001000020000000965e9a2b8ac4b842686a2cf553857bbb40a5d08e27a8d23924fe0b531c009e44000000000e80000000020000200000006846d3fdf85b8c1067346b50dcf1aba1a44226e9e4f9f41df7cc767f952dbab5200000004346ac42410d8443959265626729a8c5210d9563c2e0f50dc1b69f0f05dc9adb400000009c6cbeb158222358c8a1b3d26cc60880de33d831012fa223090875bb7a2c55c7ade0cdd260ed183ddc95f52c68f4c9ac931b68deac994d004e0c1fddfba47e25 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7059e7c4fc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405469913" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_zs.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBB45.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarBB98.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a33dc17dd6a82d9319cf12c836058d1
SHA1 d07ce12cc8ae74be3eec70f9b321f54bc7538942
SHA256 e92142d870fac937263db627833068e9b6d028397f06fdfe88b19461b9836b69
SHA512 4d7d9be1af8d57423099b7fe69b87b30199de5120d3cfe009b3cfc16eb963061340161daf3ce23c9a0fa81936346c5a75c2c06945009d62e8848f4cd11a04d72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d1512202a2c839f73171f6d3a5f2f62
SHA1 866d3c1f68123cca1658a6bedaee89a4c6a8d7ce
SHA256 336ac0acbe65c240f6b17e8251beb6b87501b5953f7a0f1fc5995fe9174821fe
SHA512 7a4cbd119fee1b36f8b47b560da6772bd9842b85a9e6511ec52b1454730e231dc955c7923f261706e4e66d93a6dea47ac64c06e383c2bab2141b5d5fc6c35a3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0819c7274bbafc2bf52414de21a38cf2
SHA1 eccf35b5c436b8c194a1dc2a56bbe3818dc7c970
SHA256 c623741b69f92eb9d8e29c7ad4628c9bd77e7a71920735ccdb480ae3fd292d3c
SHA512 6836f227414aa8bc852badf82691637bd516e7c498903791690286887b1292b69b78eb4f45eaf7e807fdfaf009b7fab95fee11afe3421752e3db853762e8016a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c70badfa0d958eb009d26cd1ac66a691
SHA1 5f97de4cd245d7154c548145620f8973488a9d1e
SHA256 33a0e954320ed9652b6717895e0848550dff0f8e5129c2c9bd04acb2bb232cad
SHA512 42fa817672610d7463fc2bd3f727ab07fa8e05376d02b24e0701328a6d4f7e0c856c143e9231e29f762116b3db1d708721de9470458d3733c5c63066f6e5f02c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cee906e85bc1cff097e9c758f55c9992
SHA1 b9a967114000d731de2704932420eb64b6701383
SHA256 785f9d3620e63e725dc6121bf237528eb136a5ee3ceba2367771b05ebee16916
SHA512 da1402569ea1a52ab7e4ca9e1ea6a15b7ce32ec6f321ee6d73f84e48bfdf3b02211f2dcfd89ffe0ea5d869b0a51525be2654bf0520e1d544058f920c059acd5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54852040b3a4729820f809aa977caab4
SHA1 978f6fc8de5dc35c86e9f9409778886c193698cc
SHA256 b123f8520fbb561c1a344cacf2c9b959ed10843cff845289e3832c5a3e049713
SHA512 81e9eabe017b515ea052a4f1aeab6cb0a8d305b7bce3b79ed3887b646ee850cfa89fc876204d2a491e88cbf2bb37ba03da61a29833339edbe412934420a6a769

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dfcae88842f018ec9c000f4118ad052
SHA1 edba873ced9c49421c32b7d31616ffba4b51e9c7
SHA256 1ee8c70266433734f029e7c6123d785f5b2c20e8bb906f784234c680777017f8
SHA512 4155bd3332b385371b82a2b711e421662fc514f99bd8e3cd6ae2a58cbc31f1953c138d989b8921a4898505842b6374dfff622a69c3ee27e3db0a19c5dd0827d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f89e485515147b9143201ba3bfb5647
SHA1 54af25a1f00ccb912accd47ce290e4d7e3f3789f
SHA256 d1f2b7e5e557355dc95f96c99e77899a7e03c090daf09f16722ac68a9f8e15c9
SHA512 172e392a4af118b9a39f6b2ed017238074c9c0eb9b0b0ac42380787ec3bdeb203c752e1bce0f0d0d46a32a6e3985f009226a7ad167a08925e5e86f0a48027278

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2dbe3726c09882143fcce3c10444468
SHA1 1c0d46fe7c081ee0b289e84b6d8ad486469af68b
SHA256 10834cdcf1d670893500d26a33b14e982587d9b3665ff1b54f366de2c7a14018
SHA512 688ad5b8ad22a0965073897fb3b49f08803c3b31cae7814ff12ad938e178c15e7885b91f6d02f68019e0ab5c566d9676dd2c3cc8bc74e9113c6220cf2a12a23b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3482fbda76ba26454804d8725db32e74
SHA1 614fddd6ac67a0b03e947a83455cf08a83439680
SHA256 0c2cd914a2c6ba33ddec3339e07a8ce74faa3eda6b3ec9fe7e118672d5f655e5
SHA512 4336eedd65eb774151a8314c416a3bff7cc6bc4186668318fbfd5c56f17c61b87fcef21a8113a2cfde12ba33be3c0b59058ae7caea44fc65fd86c5e4d9ebdc6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1986c1ccaec5e9f7d37c82419a3b77b9
SHA1 5e00828e0cced4440d4027f8a2a06abb9e605299
SHA256 3b3cbcfe25e3a56e1144c0ca4386c4c525be2bbea8b442d45f17e7b1429fc191
SHA512 f42499c62cebda1c068b06ac68ecbe4ea60636d8c8ac7e073c4d5ec68eb5eb137876d868cfc34a1f2ef6bcffa53d48ce65744f9e69d7a77ed33eadbff539350d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cf8078faac3be82e2e0879fade2370a
SHA1 2e5e3aea23c3fc009e46dddf6d8c433809852768
SHA256 f93f6c7577f1415503827aec804b55a2efc4e4b67a90999ac1463e4e23f8af3e
SHA512 d8eeb2a65cb0e018c3a8ef49dc7390afdf4d21b2e9a043b5027308e2d75a28e55298c4629d71a252ad69a838a6f6cd607c24220102b84aee1883fd7dbeddebe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3f46934422799a89d5a2567e5f5c5a8
SHA1 93668407c2a9fdae31c55464f0966762429acb5a
SHA256 d44b8a503798e12b6fd8aead5f7a67d45c597d633f033524f1ad8b4b02f56680
SHA512 e26296c0c276f9f9dd89d9d6e25dfd7a17d03b8eef8bf8fc505c2c67b76b7deb52be6887585542d9163468c0791e95b68b3ba2651c6b26ef84e41912d46ab49f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dad1386bc5eb9f261fbb34e1da88e004
SHA1 87694e8778dc2fb10e4d2f805b4c11efa233f434
SHA256 4e26dd0a6b2e70a54f4c9f33ac9a7beec4a0e6ce87d4ca760160789cd7c84020
SHA512 c8964c1e26ced1cced908b9e0fe379049b6efc0c95a9373f7059642fcf51306272621822f69e545cf0ebfedf936aab0d0d54126b1a1c2172dee32de83317b17f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ac0efe6d6f67beb7d306e38d02dfb1f
SHA1 2a8ba8b167b554fead00c608622634a105fb9ab8
SHA256 77990b937db82db673f6b8dda6ffe84045ac29d7183433e601e7feb62b703e60
SHA512 46ebbf098a649f88ed8677be1102e3165e7878f7fddf2f9e8b0778461203bf582ca73f61ed7182904095081cb7ebde31e6aaab2a15eb2d6f5e43d0fdebff21e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 885258c424379c3730050afcc5fe432c
SHA1 58d6d1495d47e3f885867925a6f5a42847a4b3ae
SHA256 a83304ebbaad25a2914f0e6fff37c9061aba9814cca6af36ccd7d66eb2d96936
SHA512 c7b8bb093164de3f9a1043b040535e179a15f592b745b70f7be67194b578e8a1e5cc323f06f43ae4bfcc3eef54126cee55f4ed9a50f5e30650de99a940678a2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 958d918c225876563c956d2c460c432b
SHA1 c225d3b97afd774a154fa57ce4e69ea234fc90f8
SHA256 479f44959e6881188b86994eec12a0ffb889fb0e47849ed3fc84f71c4016c54e
SHA512 48d1495d560f30050516fcf6d5ff48b0cccacda2ea17505cd57c79988f08079793fca4e6372c4cd0a533f09ae74cca34f65c465615a969684c480816f1376e7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fcd98e69077802b974ea5a874565e9c
SHA1 312cd97f3fa91cc8b28a675e290869e5e92305e8
SHA256 1ad1ae0922b39ee6cd40ad45c431bb079cec5d6b0059281fe8ad36bcdb768404
SHA512 56ac76b24956176d79a3b81c9e8c44434c26ac3bc68f937df345b11ccbe031d4a4a4ac14878b156835659d40ad0ea38052691d859227c6c903c0464d562c882b

Analysis: behavioral9

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:04

Platform

win10v2004-20231020-en

Max time kernel

73s

Max time network

138s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_zs.html

Signatures

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f79ee3fc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0DBA9D39-7CF0-11EE-88E4-42A331C33A28} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3794944618" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3807914676" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31068412" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c5b6e3fc10da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3794944618" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31068412" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000c3148e180bf8ab0ddcfe636fa64f122540fda21a91438c4a30a2908fcacbc8d4000000000e80000000020000200000008978c6355a295d24edd33c00116a3074ff91b6da29b188e9f9edc13ebfcbd70320000000b61318537837994b2617d2aac21e2ea5fd8660da0e1c9f4e00c95f1a32b487eb400000004acd45bf7ac53a87f4f3b83409564eea2fba206f2948edacf013c0b30e7dfd1ab4a74bfdc9948dc0988e6a1f654037c84c639f4108f07617bdc4c51bd6b33f77 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000147d47a3a7c4325716a9d31119866ef8a95515f6d64d26db4b9a273010f59a31000000000e8000000002000020000000cf5a115e882ed07c73fc5ebef51b0574f969958b67a5b5f0f4973d2814a72cf6200000006d11c012b15861a89974d54bc4ce08e3f52451ccb0fa58cc7fcbdb554828acff4000000015bc41abbdfa6cbad4a689284a7fc4e131c91fd6c459b0662f3003fcae91ab3ee23e82826a6521d39b210ece50884f1c64bc895aa3886fbd23ef9f504c372586 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406073071" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\CheatSheet-Derivatives_zs.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral16

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:04

Platform

win7-20231023-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-06 22:00

Reported

2023-11-06 22:07

Platform

android-x86-arm-20231023-en

Max time kernel

2796321s

Max time network

149s

Command Line

com.clip.shoulder

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan

Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json N/A N/A
N/A /data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion

Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.clip.shoulder

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.clip.shoulder/app_DynamicOptDex/oat/x86/xDrdtlu.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.138:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
DE 172.217.23.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.208.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.165.25:443 jsonplaceholder.typicode.com tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp
TR 37.148.210.173:80 37.148.210.173 tcp

Files

/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 966afdf8cdddbd6de72f0b2d30cde02e
SHA1 8c91f17f7cfe18fe684d7382cd098a2faf0b3fe8
SHA256 6d8f35ca3d2875b7255dbef0d04df7697e884fbb2a5ca0fceef75a00c0375cbf
SHA512 fc977a80e296af9e600ce511b0b4758b68072d52b7c40210249b26d97737c774d310a6d449f45555475c01e937d8def3485be5bbc325856cb0475ed9130832cb

/data/data/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 033372e71cfe37afa161932ca1514575
SHA1 6ab3eb0a97fefa13be0a0ae2c40d87072e3e28a2
SHA256 080a2ace0567038838d754063aea5a7dc60bae013698e9152683247917842841
SHA512 c556ab68d506ec2bf107f2f1b65d22634c12d2ebb54652db8941d511d864936c316a41437d47db13be2648e131151f9fbaef44c313ae006108e33c9175d42374

/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 fef861697d6e865ffd0ac495bba92bc3
SHA1 796094bd56f01b637c0165d8d734dc00a9481e4b
SHA256 9f81917c797bec5a26abf4ed12dd81f7b22837883182dea970398332af763f42
SHA512 fef90c111d11b58dc3a3ef8e50ba362a5d0307adc7d22b83dedbcab765b0926bbf074d7fe6d2a0f36177578432deee6c030b1696492b33b3d5685535d18fa7a8

/data/user/0/com.clip.shoulder/app_DynamicOptDex/xDrdtlu.json

MD5 57774766cbc43d889a671b7d57da2d0b
SHA1 b95248e49b4aebb8464be87c39bdec4fc099dc9c
SHA256 88b593e978070be1838d17a5a09c45af416bbf02319aa28c6f2ec90873f1cdc0
SHA512 eaca6b647a38f38e2d097f4d18c461740fe1763ffdedb4d25c75b4dee8c3aade8c4c68411fbc99590b6aca4f354fbedafd8b862a219279d3397e27c9a773f4de

/data/data/com.clip.shoulder/app_DynamicOptDex/oat/xDrdtlu.json.cur.prof

MD5 ba0c7e8332a70b24d46fb2fab5e39b4d
SHA1 3425622ff8edc3c464eee84c986052e6e2d09160
SHA256 03fb29e3c692c305d81a51eae346c2b71ce275c667a9e5dac850bd61b6b8be49
SHA512 aa9db84026613ae4144c9babdabf6d0145ac8fe1effa2121eb20a5b480b35b4fe5583a7efc0c8c967873e147a9e79cab863ce015f872865acb825baeb1fffca8