Analysis Overview
SHA256: 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b
Threat Level: Known bad
The file 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b.bin was found to be: Known bad.
Malicious Activity Summary
Cerberus
Alienbot
Cerberus payload
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service
Acquires the wake lock
Loads dropped Dex/Jar
Requests dangerous framework permissions
Requests disabling of battery optimizations (often used to enable hiding in the background)
Removes a system notification
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-11-19 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted: 2023-11-19 22:00
Reported: 2023-11-19 22:03
Platform: win7-20231025-en
Max time kernel: 135s
Max time network: 132s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000198b080376238195f707ced99d26442c89b5b4af7beabc73486b86202a941372000000000e8000000002000020000000b4968f065fd6d8a21d8efe3576870552b963ea9c12c472cae9f34756083171dd200000007370d4e502f6b44c7508caa6a967511f9ff36cd0081ea74cd6d8c0693acdba0a400000005055098e270f1201fd42a3e31c484100cb67a617b2ab029f90ca342356f7789ecb05e316aacc82c111bc07ff517e9f555635462cf7042b22241cb3410cdf1bff | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5045c1e2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593098" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DFD0C91-8727-11EE-B466-42BF89FD39DA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2944 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2944 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2944 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2944 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about1d.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5026.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5048.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc619f9cd0f92b2914f9961bdd71bb14 |
| SHA1 | 28b272bea907fef3089597510b070526e6814e24 |
| SHA256 | 8a764a10761b6b9ce9b94b9c01996a0444153b220cc72055cc92504ace5e4672 |
| SHA512 | b93b25b57ce5cbde66418194f9acf58deebcad3d2d9526fbf96ac56d4c18f8d63b55db16095d1d7ac9fb6f5f595d8f4a050211c56d8f6e41ec68dd25e70d3cfb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9879d3a41fd91b9242931b2c10ed9b8 |
| SHA1 | 0b65a3209214648643c73a56c493e25218e5b9cc |
| SHA256 | e223233da87d1a45977870ef083d0ec884f0558468403934117376501d19d19e |
| SHA512 | 2897b1fd5a605f9c1f9c46029d21b685f731249a3d38d8715b5f7d5c19df5082c794ba8de12b12c8905a7061e08b45496b092fd07eaf4642bba39dc74a47e3b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7cb83ebe81c759bf79a76d24ad448d2a |
| SHA1 | a02870092fa944e2f8f498890459e520fb4e5f53 |
| SHA256 | aeb7b8121f5a74114c50d9c29d0f4185c1ccde64469ad55fec6fd4d91a73796d |
| SHA512 | c6f0aa6431556f26a273dbd64b966a34ab1fa8b91dee2431fc13f0ccc0836195f176ad76c90088266def936977efe017ed9a98d3c8d3cdc78619b25a1a8de56d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0277d7e3eb450eeeccaf37dd4c5a589 |
| SHA1 | 815f53252bdf22f44953b55f7fb71bcf575cd6be |
| SHA256 | 23d411431fd704004e44607be3d414b82ca77f0138a234ea1caa3d1ea9e69d2e |
| SHA512 | 6ae5a904aa0d23b231b3996dfe5bcf2635590f25347a13acde875f4c492f6bb40179ceac4fc27e345d91e6493f4dd8c769697e2cb407297eb515ec2df74a117e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a892f1ef831110715565bb6acfcd3ac8 |
| SHA1 | e0fe07a1242350c5d837bc7574497d8df35da4dd |
| SHA256 | c6b7cbaf25bc23ef6ba162991f835779683be9d9d4081c6c071e55cf1e7120f6 |
| SHA512 | 5fc65638e16e77887a55f84afdd1f55dfe0af94bb7e6d223b746c00310ddf81f38dae8351969d4146dd2094262a29e9e4cbd4a51a1e999d88c6e5c0700a6f292 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d639e4f161fab7d78bd053d64c733756 |
| SHA1 | 42a4b8e5c18f6ea6d72dbd747c1529b6c053abfb |
| SHA256 | 7ac33adb83d03752f46641e7bdd164694801b37bbf8b7e3b1d634212d19e8096 |
| SHA512 | 27781b897ca4b7dbc36dc978c24a9cb4cd29aeaf596ab52352b60a4ee3d4c8f231d29c331d7dd5bbbbb0d4d27f6bedb15b220d19b4048f5d524fd79baa516914 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6438ab0c4faa12b9ce6e34b9107f8890 |
| SHA1 | 7a3f73e625a2e4e04e950fab250ea223ca087167 |
| SHA256 | 08df419170e3ce57564607babb88a9432b5b92566686971da5d140d2b1312c3e |
| SHA512 | 679e78cd5b4af816bb7404271cfaa53483efa99c4c54e6f7bfaa4f2a8e239a9b33d8d58da78eb9fd3a97d53f268c9d0419ddb6beebfe8839ddae23cccf6c39fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cac3ba3ef28c7b479a73600307a666ae |
| SHA1 | 7259473fa8eb49578f0b4c0f730d7ddd053d6843 |
| SHA256 | 0e922531cdbe456f878a98496c3b68c7883d18f60adff57790df527d2f55c66e |
| SHA512 | 5a979aca4c1cc40d7b6fab6ae3ecd339e5abba79f4ecefa03ed4fc721a6aa4c82d5fece914af63e3b408db6194e0b24b193dd765dc45e8dd1aa7f7f47be849dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 472b14c46a68a55a3fbea130d9089623 |
| SHA1 | 7ca156585073c8600f84ec2a9d98a3fbeb76c04f |
| SHA256 | de676cdb4dbc0d70d136b2943c24039ea3c34ea82a520400789662c0585a6fc7 |
| SHA512 | eaa89bdb2f788cc595c76910795a73bf0641ee496c374e2de38a136b8d4f956032c18b83123e835f1ab2644147ecf64ccc36dcb0cb7f7b903c4310fbc96ee1a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e7e0c82dde8d6a592007851288698351 |
| SHA1 | eb17a6676fbe9932c4e2bd26220aa8f0fac29cb0 |
| SHA256 | e302e6bf477a390d003dd1deaa08123bee4e4d444727043a1df6a3c5beb39561 |
| SHA512 | 71f8401e9e9d0e483e0439bdc0d25d76b42bf07e8b94406cbeb8d637c3351afdc9ef81e1a3b0c54241e5bc41394740080b2ac5540ac544dae590aeda93842ef3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66ef9b2aebe9d9c008b8d586ba9f1dce |
| SHA1 | cf1bd0af1e43b8bf68ce6d20170aaef694b65839 |
| SHA256 | b5305e3d538ecef636dfe4b2feebb084a6163a4d557a3f194a45bc1f3b257518 |
| SHA512 | 6ea988247f1579161f1e451be8f162212e24e36b5a8432db2fb9ddd1f669e3eeac2e729268ba3955175eaad19d46fb085aca06053060cc3a6a7106e97bb3fac2 |
Analysis: behavioral9
Detonation Overview
Submitted: 2023-11-19 22:00
Reported: 2023-11-19 22:03
Platform: win10v2004-20231020-en
Max time kernel: 138s
Max time network: 150s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3886249304" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3902031618" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003b97c1da6bd61743bfb3911f85184de2000000000200000000001066000000010000200000005fee33f611ea28af3429438890b3e76ff8de604df9741e74c25bed230466fa24000000000e8000000002000020000000b8554e232458d1e0af499a6a9047c3d2a3022447f143eaec3fde2628eea2d09020000000ec6a55ddcb49ad0a536f38a76069c4a3ebef731d4c00fec7cb713a96446557a040000000dafe9c9468f2ae876a94cf553295f4af8bd082a9c73b12d9279b7f965ec658eb207ea98578ba39da3f02c2e57c5bc02826bc6cb623e6d44f2f3de52bab9c3607 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3886249304" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003b97c1da6bd61743bfb3911f85184de200000000020000000000106600000001000020000000b86fe6ac31dbf16d84f99306313f2c73666c55cbed59a9fe6313010111fcbb38000000000e800000000200002000000065bb646fc99b0f19be96fe0baaa7018d0f1a74e462a0bc369169d2b1303b22482000000032ab20f9699b4e8e1bb8da1a28b020994cd013d1832c1b06244f58c4f98892b9400000005546ad2aa8b1b2c9c3bc921add774cb8180f75f0e1abefa64daa1bcd1ebd886d49de31224ba4754bf6db783154a87e227f4e4571978cd8cf757f2321b5fbc6bb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196215" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ff68eb331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{13486429-8727-11EE-BDA1-F6568660663D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d361eb331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 436 wrote to memory of 1940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 436 wrote to memory of 1940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 436 wrote to memory of 1940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PVJSO5VT\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral12
Detonation Overview
Submitted: 2023-11-19 22:00
Reported: 2023-11-19 22:03
Platform: win7-20231020-en
Max time kernel: 117s
Max time network: 133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D0E5731-8727-11EE-A9F6-F64027C77725} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06f7ee2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593098" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000081bac74434e53522f4a6b9ad20f09a1ff919eed8fc50f20857f15fade593e64000000000e8000000002000020000000c6b5db29465d2280f9e5203af8b8c2b16ba3ba8ca4859096de1198000e0aacbc200000009a36904c4a2a835b1b6de874a6eecc9dbe9737cad759f20a742adbb0698774e5400000001c39d0a7edb60b04b45d14b3829fb1b874080b90d296281507b60cb7c4ad934bf9782ab411df74b68edd483b912f12d388a38898a86bce3e0c5b78801bc2e57a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1956 wrote to memory of 2484 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sharing.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab738C.tmp
C:\Users\Admin\AppData\Local\Temp\Tar8D96.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral10
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win7-20231023-en
Max time kernel
135s
Max time network
132s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca4100000000020000000000106600000001000020000000bce5eea2c19622f4e3a871fc7fba5ed62b3f3ee62f72c080c6e2d2906d5e6e7b000000000e8000000002000020000000cb18c23d433e92da041bca3ada00fb4ab30f380dd73a8056d67805b986004442200000008412623755b001c21d9c6412aa4096ef977607076eeddfd7a1c90c2db86f25964000000044cf94a537ee84f0984b9412fa4297705de8c269c9b235041d2144b6279a4a9b82058800ba0c2d9c4e0daf7993a5f3fc9d147b4a53334777eb691107d3e9667e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04b6ae2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D934E41-8727-11EE-A0F8-56AB2964BB14} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593097" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca41000000000200000000001066000000010000200000005af9ce17d6e64bba7ad437b6b9db892cc2079e3302f966e902b76e26a2ab4ae5000000000e8000000002000020000000f3790654bc75b558352b32f058510573de990fa4cc77708a3746f8ce18afafc690000000f60cdafb1062b4132db36c42f42b27c202b6b719c6788f1a25bcf41a3de9d09a384d231e9df244abe38e73076a73f1cf79299dc1aeb3e2c57d87d217f4afeef8cf72d6301aad9c3d3b1d3f0e5b47c803e10ac4b6f8239c44a023e20ee82d1baac5e1d2e2d7721516cd834304ada7b5590a1b80f4f1ac68e8f13cc6ccaa8628629b8877ca3c8632755f4714ae3b8bb11940000000d2d824f6ee0b0cbe1f5df7878cddef90c464ae23bb2cc976ea1526bc4adf2ad3c0d0d5351b59e1cdc5ba3201cba6ff0e0c868f011a6c9c00257d56567bfc7cd6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 808 wrote to memory of 2988 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\scanning.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabA8EE.tmp
C:\Users\Admin\AppData\Local\Temp\TarA940.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d59533eda88c741b273ec5e28a32444 |
| SHA1 | 82988b03d6232fd1376dee60d04ad0fb8868af28 |
| SHA256 | 99019523f64e7eaf3a740a9cce358a97c4eeac2343796f894bc2e0c0bfb9abfa |
| SHA512 | 526a932c1af82e3657bda8c68ce74af269fa54bb35efa789285a2137bdf0b8bbf6803a47e349183b5fdc0eee13c5820356c7134e65964650d529bf6b976b5b20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88d1159618fc546023465e52bc28a8a7 |
| SHA1 | a8c75ed76ae5b9e0263f3bea075fb3c0a7bf8d73 |
| SHA256 | 297ab26c6d743b9dddc27d98a75be8725199f4581cb4859060bce527c919f83b |
| SHA512 | d76644ef5566218bb75675d395f30b8a7946ce54f09c85c47a47dd7ce16bc9c3dc47abb904b8ab49f7c156a697ef3189ccebe1133f5d3068ecfdf9f25cd1313b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d1fede76f34eb206f5bbfa085bfbb37 |
| SHA1 | eb035a7873ebaa869c4da13943232b2321c31365 |
| SHA256 | 3d38085b039a189615182948e10bf3c0d9897913bc6d1ccd153a7df1dcb0d556 |
| SHA512 | 6c602c960fef99e1fb397589d144c6355fbf5a7116b94b4acd3b56a2b91a3ec98ee598f00d7cab0a38fe2528be69ae4384ec62fd2f2cc4db49d6cd576cdaf12e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 004487b4d93c413629228c4c4c1eca72 |
| SHA1 | 4afb8326dd34efd23ad7aff200cc3ac429c216c2 |
| SHA256 | 869517581bc92913231705442b710fa88dbd5a3774cad50c540c7379f3e6fc97 |
| SHA512 | 23a79a263f71f344852f8d30969adf24d018e1cc86a750c7fcca937ce8198294d8c0034acf08ac3e552bbf3481f1b15438b05d139dd7f83d2a0741725c2cb208 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4893dd31c5ff7701442a46bf43d7088b |
| SHA1 | 608897890874bc5ff15e268b9593a3dfd6179577 |
| SHA256 | 181d08d272a23847c092fc9c159c7c9d51911e6902f3afd842493782af9be993 |
| SHA512 | 3aacccc38c724ae7f6abd00f93cf30143d8bcf3485e139c3f16418499113206b35e947fe64dfc198c9d8e823ff3aa8aaafc07a3dadbc55c9ffe8bc740a86b9a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 29cae9bd208f926b565b2b8f0f7ff4f1 |
| SHA1 | 76bb272cefe2e25a39cdec1e80b425501dae2f37 |
| SHA256 | 275ae8559fc77643a5f56df6ab21edf0a70a99da14244ef4a19dda02ad72e399 |
| SHA512 | db3b4556f2cb1301432bac7c01a28c7f0908d8865c70a3312652429ba441db8545c0c8c78cd24edee8f1f4df2b9452441b7cfd8dbdac777c3aa76553a40a8460 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 920bce1fe2e5708a77592c283865b879 |
| SHA1 | 8fc740f438ebf415c405ff99549037e3617ca822 |
| SHA256 | ac5ae0a6ec25950c1f5f64b85275149f75b4826e572f2c19c92ef1757ae8a18c |
| SHA512 | 403742f1256bf3e7b30cee60ddb1103631f775cd73a5852fb691d2b5921494a10a5b861e74a72f75b6b449ebc2d5a050d14e0ef1342ad8cd8a13f0ae8b3f73c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b562fc9f47a8d3a0117d2492679f68f7 |
| SHA1 | eaf6e95db01b31a41313d7b0a8ee294b2c763a17 |
| SHA256 | 0ad738c50fcbde30e5eed207c4ea7648fa562971bccc086f6face291c7b7b802 |
| SHA512 | dbbaaff427211f9a9a704a2a8b0705ee20e2c5195dfa8b96b7236174f03c7be163325dc8cd69158e65028b5e114e4ad34a6724c6f22969d20f0cd8bec8f6c20a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 02c6b9e4cf418a925599beacc2cdc94f |
| SHA1 | 86c89177ef2c762e0435265ffb33330b9e6dd9ba |
| SHA256 | 174bad16e0cd18e1a47f09b4c9b147047cdbd11976544d4735bb8c3c83467a78 |
| SHA512 | 2bb47ea10d6a552e677621b3462aa6865bc9d8b736f80d4ea8651f3eb99f90f17048519f69ad6dca5e8fc6a6e430c9d936307ae9a9f47827d26747cc1c6e71a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ce86c66801ed608cf8dd1d4d838e664 |
| SHA1 | 1ab2ad195b0d7324f690c8405be979d238458c35 |
| SHA256 | b0db5afc08644ebb0f0fa84ba6e05900de7eb87c90c9cf9b765f4b606b4b3ab0 |
| SHA512 | 9d8078d67cba6b0b2c697409782b483421edb50f9e299083bf8e413c7e6e742d4fb238c1d4923299ed17bf1a03af96a26b8b962e7b8d41102f78a101b51725a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f34ba5dcc0949c2fbe71d830f5a26dd6 |
| SHA1 | 66bd5fd6d21e327f1f04887bdd903ba264bcebea |
| SHA256 | aa991e421e0c1586e2e4220bcc805a2073a434a137f5d1a17a40e51cffb05c18 |
| SHA512 | 56cb58df0d4ff561fe36fc7165e00e64d07a513c0935daaab935671d12fcc6db351a961fcc07ac4030852a9d9aba3abb7a937741c4050bc184ace6687e7877a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93612a26193bfc3e5ce5fe93bc30e193 |
| SHA1 | 972e64ca10e5d87e49bae06211854efbe7a2eeac |
| SHA256 | 47818ddb41393d52e87702fd1150012c0cac07937437dff855f0fd4d6652c1a9 |
| SHA512 | d8d87da709b146d9a8ebb8ae991a2116ff98e76fe5cc1b2977b65e5e6f49c666e29b916b3d20ae72235d39ed7d20c81e850be5c788cbec3a3109bf78c876c731 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f736b0ef70b9d81c1b9d2018cf972f96 |
| SHA1 | 25ba7d9be8827e093a5b14f2cc6ed11f5bf13e19 |
| SHA256 | 264a6ec0f72be8e015d6ec0ea589e5e2a950e1e89f2b244947437deee4998ae9 |
| SHA512 | dfcfe2e0b8b6db71d0aed3d74def4322ce37a80ad431be17c48a268c5fdeac806fd29784507ccafa97b0ee1c62da70a22302d928b335d4c19b6eb415bb36a9e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d95129be59b2a16a4249cc02d7be8524 |
| SHA1 | 8d88e68dc7e47a10d19b67c145722b7b9fde478e |
| SHA256 | 317d258719930edbf2263ac9200fb89b12af598a613b7816700f0043ce0e0f7c |
| SHA512 | 3a19ab89f9c2900f0073dab2b053f7fbe8cfc7716038a29e8a621c9eeac1ff344ad45c70dbad8069bbe65f72dd8e1b30b5e53aa47898c8bf7a70a8d2552a3918 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60a7011d68f46ab7631d81394410d760 |
| SHA1 | c7bdf66ea373a460db091a69359b057554ab314e |
| SHA256 | e196871548d23551eea52eed88b623f1039b7be398312dd1b37ebc5a0505d5ab |
| SHA512 | 22f0fdba8a57e49d336f7fad44b40954b57b42ae31513ce03ea5265b1c3b13092c6af1f66f3ee4097287ef99a1913daf3c28fb4883eaba6b125dbe38ba9af30e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e19e221a8288b26dd9f02d7a08412435 |
| SHA1 | 195b0f59b4b59cdfa5ed56037fbd46ec6b77978f |
| SHA256 | 120904f11e49047edc9439e0d308a15203642ec317e597ec7aa7b9752bfbc710 |
| SHA512 | e243433092c8b5901d1ede77c0e52919d686dfcbb4df34c8e0458df451f3eaf4a93eeed1c78ee078ff34ba49a76a1ab07b3e47686cdb5233e83fd5eadb485d5c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ea3a37606ae5b7497bdab78257be54c |
| SHA1 | 763a1744158833864eed04cf0cc8c0c26489c575 |
| SHA256 | e255b48a5369aaf22bca4a5b4d9b8dd880259c514ac805048c9cf8f5ed989152 |
| SHA512 | f29630c7d1baca3d584026385efd8615e0c5f26ade4cd394d52f51aeb7c6ab2c1e05894c74c95ff9b2c2defe1d5667fd5d376cb4b34643b76d02a6cd097ec818 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
android-x86-arm-20231023-en
Max time kernel
3919289s
Max time network
150s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
magic.disagree.often
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/magic.disagree.often/app_DynamicOptDex/oat/x86/BN.odex --compiler-filter=quicken --class-loader-context=&
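The dex2oat command above takes `/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json` as its `--dex-file`, so the "Loads dropped Dex/Jar" hit is a DEX payload written under a `.json` name. The helper below, an added example and not code from the sandbox or from the sample, classifies a file by its leading bytes rather than its extension, validates the DEX header checksum, and flags code files whose name does not match their content. The DEX header it builds for testing is constructed here and does not correspond to the dropped file or to any hash in this report.

```python
"""Triage check for code hidden behind a harmless-looking extension.

Added example for this report, not code from the sandbox or the sample.
The run above shows dex2oat compiling a file named BN.json as a DEX. The
functions below classify a file by its leading bytes instead of its name
and validate the DEX header checksum. The sample buffers are constructed
here; they are not the dropped file and match none of the report's hashes.
"""
import os
import re
import struct
import zlib

DEX_MAGIC = re.compile(rb"^dex\n(\d{3})\x00")   # dex\n035\0 ... dex\n041\0
ODEX_MAGIC = re.compile(rb"^dey\n(\d{3})\x00")  # legacy optimized dex
ZIP_MAGIC = b"PK\x03\x04"                        # JAR and APK are ZIP containers
DEX_HEADER_LEN = 0x70
EXPECTED_EXT = {"dex": {".dex"}, "odex": {".odex", ".dey"},
                "zip": {".jar", ".apk", ".zip"}}


def classify_blob(data: bytes) -> str:
    """Return 'dex', 'odex', 'zip' or 'other' based on the first bytes only."""
    if DEX_MAGIC.match(data):
        return "dex"
    if ODEX_MAGIC.match(data):
        return "odex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def dex_header_summary(data: bytes) -> dict:
    """Parse the fixed-size little-endian DEX header into triage fields."""
    if len(data) < DEX_HEADER_LEN or classify_blob(data) != "dex":
        raise ValueError("not a complete DEX header")
    version = int(DEX_MAGIC.match(data).group(1))
    (checksum,) = struct.unpack_from("<I", data, 0x08)
    file_size, header_size = struct.unpack_from("<II", data, 0x20)
    (endian_tag,) = struct.unpack_from("<I", data, 0x28)
    return {"version": version, "checksum": checksum, "file_size": file_size,
            "header_size": header_size, "little_endian": endian_tag == 0x12345678}


def checksum_ok(data: bytes) -> bool:
    """DEX stores adler32 over everything after the 12-byte magic+checksum."""
    (stored,) = struct.unpack_from("<I", data, 0x08)
    return (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored


def flag_mislabeled(path: str, data: bytes) -> bool:
    """True when the bytes are code (dex/odex/jar) but the name says otherwise."""
    kind = classify_blob(data)
    if kind == "other":
        return False
    return os.path.splitext(path)[1].lower() not in EXPECTED_EXT[kind]


def scan_tree(root: str) -> list:
    """Walk an extracted app data directory and return mislabeled code files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(DEX_HEADER_LEN)
            except OSError:
                continue  # unreadable entry (permissions, dangling symlink)
            if flag_mislabeled(full, head):
                hits.append(full)
    return hits


def build_dex_header(version: int = 35, total_size: int = DEX_HEADER_LEN) -> bytes:
    """Construct a minimal, checksum-correct DEX header (test data only)."""
    hdr = bytearray(total_size)
    hdr[0:8] = b"dex\n%03d\x00" % version
    struct.pack_into("<II", hdr, 0x20, total_size, DEX_HEADER_LEN)  # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)                   # endian_tag
    struct.pack_into("<I", hdr, 0x08, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    fake_dropped = build_dex_header()  # constructed stand-in for BN.json
    path = "/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json"
    print(classify_blob(fake_dropped), flag_mislabeled(path, fake_dropped),
          checksum_ok(fake_dropped), dex_header_summary(fake_dropped))
```

Run `scan_tree` against a pulled copy of the app's data directory (for example the `app_DynamicOptDex` folder) to list every file whose magic says DEX or ZIP while its name says otherwise; a failing `checksum_ok` on such a file usually means it is still encrypted or was only partially written at the time of capture.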
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.97.0:443 | jsonplaceholder.typicode.com | tcp |
| NL | 216.58.214.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
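Nine of the TCP rows above go to 194.163.161.72:80 with the Domain column showing the same IP literal, i.e. plaintext HTTP to a peer that was never named in DNS, which is the pattern a triager checks first for C2. The script below is an added example, not part of the sandbox output: it parses Country/Destination/Domain/Proto rows, tolerates rows in which the Domain cell is empty and Proto has shifted one column left (a layout that occurs in some extracted copies of these tables), and ranks TCP destinations by bare-IP peer, plaintext port and repeat count. The embedded table is a constructed subset of the behavioral1 rows, copied for offline use; the scoring weights are this example's own choice.

```python
"""Pull C2 candidates out of a sandbox network table.

Added example for this report, not part of the sandbox output. It parses
Country/Destination/Domain/Proto rows, repairs rows whose Domain cell was
dropped and Proto shifted left, and ranks TCP destinations by the traits
the 194.163.161.72:80 rows share: bare-IP peer and plaintext HTTP port.
SAMPLE_TABLE is a constructed subset of the behavioral1 rows.
"""
import ipaddress

SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
| US | 188.114.97.0:443 | jsonplaceholder.typicode.com | tcp |
| NL | 216.58.214.14:443 | tcp | |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
"""


def parse_rows(table: str) -> list:
    """Turn pipe-delimited rows into dicts; skip the header line."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        # A dropped Domain cell shifts Proto into column 3; put it back.
        if cells[2].lower() in ("tcp", "udp"):
            cells = [cells[0], cells[1], "", cells[2]]
        country, dest, domain, proto = (cells + [""] * 4)[:4]
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host,
                     "port": int(port) if port.isdigit() else None,
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_bare_ip(domain: str) -> bool:
    """No hostname recorded, or the 'domain' is itself an IP literal."""
    if not domain or domain == "N/A":
        return True
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False


def beacon_candidates(rows: list) -> list:
    """Group TCP flows by destination; score bare-IP, plaintext and repeats."""
    tally = {}
    for r in rows:
        if r["proto"] != "tcp" or r["port"] is None:
            continue
        key = f"{r['host']}:{r['port']}"
        e = tally.setdefault(key, {"dest": key, "hits": 0, "domains": set(),
                                   "bare_ip": True, "plaintext": r["port"] == 80})
        e["hits"] += 1
        e["bare_ip"] = e["bare_ip"] and is_bare_ip(r["domain"])
        if r["domain"] and not is_bare_ip(r["domain"]):
            e["domains"].add(r["domain"])
    out = list(tally.values())
    for e in out:  # weights are this example's choice, not a standard
        e["score"] = int(e["bare_ip"]) + int(e["plaintext"]) + int(e["hits"] >= 3)
    out.sort(key=lambda e: (-e["score"], -e["hits"], e["dest"]))
    return out


if __name__ == "__main__":
    for e in beacon_candidates(parse_rows(SAMPLE_TABLE)):
        print(f"{e['score']} {e['dest']:<22} hits={e['hits']:<2} "
              f"bare_ip={e['bare_ip']} plaintext={e['plaintext']} "
              f"domains={sorted(e['domains'])}")
```

The score is only a sort order for the analyst, not a verdict: the `googleapis.com` rows are typically the emulator's own Google services traffic and fall to the bottom, while the single destination that is both unnamed and on port 80 rises to the top and is the one worth pivoting on (hosting, first-seen date, other samples contacting it).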
Files
/data/data/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | ff0f495f931ba5f212613f80e7f410b1 |
| SHA1 | ada2d98ec059148e957f86307f7e5952223d996a |
| SHA256 | 55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48 |
| SHA512 | 738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71 |
/data/data/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | 8ab798666cef9aba8d3b3fe22c2cc4fb |
| SHA1 | 215a4641fff65b4711b91f92dc9a42d34103a617 |
| SHA256 | 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333 |
| SHA512 | b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45 |
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | 8ab798666cef9aba8d3b3fe22c2cc4fb |
| SHA1 | 215a4641fff65b4711b91f92dc9a42d34103a617 |
| SHA256 | 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333 |
| SHA512 | b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45 |
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | 5ab478c7eed9bef922ddbff57f4da9d9 |
| SHA1 | befe1483c3e99714a949013c8dc4b8c953daa62f |
| SHA256 | 1cb2f9a55804b613e0b4f9bfa49c0e9027d3399bb828a90448a5059fc33a94b3 |
| SHA512 | c40a550fcebb48bd94fa62d35c0a0fb116dd6f8748141e6859c214f774eeb532655fc76ae6a77259434a89d6904206ba241f6dbf3f40fe33f605a952cc12f65c |
/data/data/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof
| MD5 | a5b847c8a7a72b9cb0ef4e2843267704 |
| SHA1 | 7745705dc71a2b91e4edc269678996b62d6d6dc4 |
| SHA256 | b019d587466a6c0bb87a1cfa3a5b5f76e42da78c2ed4b40e4319255e5d4537d5 |
| SHA512 | d4b1a446a88b9adcefc5195772649a2c593b8b83463558bc802bc67802dc2c7fb9be7f0d667fcb95c342cba24d9edbf4181f03a17d22425cf64b3f77e41724e6 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
android-x64-arm64-20231023-en
Max time kernel
3919295s
Max time network
161s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
magic.disagree.often
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.39.98:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.208.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.208.110:443 | android.apis.google.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| NL | 142.251.36.42:80 | play.googleapis.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| GB | 216.58.208.110:443 | android.apis.google.com | tcp |
Files
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | ff0f495f931ba5f212613f80e7f410b1 |
| SHA1 | ada2d98ec059148e957f86307f7e5952223d996a |
| SHA256 | 55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48 |
| SHA512 | 738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71 |
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | 8ab798666cef9aba8d3b3fe22c2cc4fb |
| SHA1 | 215a4641fff65b4711b91f92dc9a42d34103a617 |
| SHA256 | 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333 |
| SHA512 | b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45 |
/data/user/0/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof
| MD5 | 30536a6840dccd237df127c52c7966e0 |
| SHA1 | 169234009b626455efbbdaa3ce8ab4c9677d4f5a |
| SHA256 | 3d9781f1efee3584a1109b55470440b4f40e35973b33da46bf9c886048d10117 |
| SHA512 | 9ec305f7bc65aeff50a110b049ada00876612cf58b0e30ee5bd546fbd14fdcfd7a1d5d19140636a1ca58cbf60e9183896fc11010c95f8aefda4bad5386effd8d |
Analysis: behavioral11
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0F3BC8E4-8727-11EE-B196-4AC2F9E44820} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3848327966" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03962e6331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3820826154" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd00000000020000000000106600000001000020000000b0daaf90e8d99dd6e7923633c0fefa5079882f144107367a2daf7869b4b5c2ff000000000e800000000200002000000002aa738f9c2671d046d88d1992966d484de59476cc1f2fe75963fe2d4524ea9620000000c0cf427a5dbfd8d524b8d09d13c69c3907f5cc3182d475b60419626e1ef9322c40000000f1f5ae66716e63a8e4328bde6effeef4626b5415e36bb110a4f47dd24f6214a4a8ff93751982b90d6e146ce036b4b7d7faa41d266832d9a409d4642de8ee76fe | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd000000000200000000001066000000010000200000001837d92a10e29cefd6358e23e0873a097f1d185aa3e917f97c029eae4e06c54e000000000e800000000200002000000007e9b28c3022db0abdec213509d236e0a4932ad11422a5de8025ef5be07526bc20000000fceaf573ec32794e7c7b5c998e870d0c526c365a093f51e1561d4911a49a933a40000000ef0cacbe3197324fc999ffdca0acf158c6a823ecc6bdbc64914d421619cf25f6cd246ff8fbce4a22c095373eef3b88bbd928156191a26db08abf71d48d56aad1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3820826154" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000eebe5331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196209" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3968 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3968 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3968 wrote to memory of 1728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\scanning.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
android-x64-20231023.1-en
Max time kernel
3919223s
Max time network
164s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
| N/A | /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json | N/A | N/A |
Processes
magic.disagree.often
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.36.46:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.97.0:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| NL | 142.251.36.34:443 | N/A | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| NL | 216.58.214.14:443 | N/A | tcp |
| NL | 142.250.27.188:5228 | N/A | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | mdh-pa.googleapis.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
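Most rows in the table above are Google-services background traffic from the emulator image (Play Services on 5228, mDNS, analytics, tenor). The rows worth pulling from the pcap are the repeated plaintext connections to 194.163.161.72:80, where the "domain" is the IP literal itself: no hostname was ever resolved, so the address is hard-coded in the sample. The triage below is an added example, not part of the report: it parses rows in the table's own format (tolerating rows whose domain cell is empty or shifted), skips background service ports, and ranks destinations reached by raw IP, plaintext first. Whether 194.163.161.72 is the sample's C2 cannot be settled from this page, which shows no HTTP content; the output is a candidate list only.

```python
import ipaddress
from collections import Counter

# Ports whose traffic a Google-services-equipped Android image generates on its own.
KNOWN_SERVICE_PORTS = {53: "dns", 5353: "mdns", 5228: "google play services (mtalk/fcm)"}

# Constructed input: a subset of the rows from the table above, including two rows in the
# mis-aligned form they were extracted in (proto in the domain column, empty last cell).
ROWS = """\
| Country | Destination | Domain | Proto |
| NL | 142.251.36.46:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.97.0:443 | jsonplaceholder.typicode.com | tcp |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| NL | 142.250.27.188:5228 | tcp | |
| DE | 194.163.161.72:80 | 194.163.161.72 | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
"""


def parse_rows(text: str) -> list:
    """Parse '| CC | ip:port | domain | proto |' rows, tolerating a missing or shifted domain cell."""
    flows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        rest = [c for c in cells[2:] if c and c != "N/A"]
        proto = next((c for c in rest if c in ("tcp", "udp")), "")
        domain = next((c for c in rest if c not in ("tcp", "udp")), "")
        ip, _, port = cells[1].rpartition(":")
        flows.append({"country": cells[0], "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def is_ip_literal(name: str) -> bool:
    """True when the 'domain' cell is really an IPv4/IPv6 address, i.e. no hostname was used."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage_flows(flows: list) -> dict:
    """Split TCP flows into 'raw_ip' (domain is the IP itself: hard-coded address) and
    'unattributed' (no name paired with the flow at all). Background service ports are
    skipped so Play Services chatter does not drown the list."""
    tiers = {"raw_ip": Counter(), "unattributed": Counter()}
    for f in flows:
        if f["proto"] != "tcp" or f["port"] in KNOWN_SERVICE_PORTS:
            continue
        key = (f["ip"], f["port"])
        if is_ip_literal(f["domain"]):
            tiers["raw_ip"][key] += 1
        elif not f["domain"]:
            tiers["unattributed"][key] += 1
    return tiers


def c2_candidates(flows: list) -> list:
    """Hard-coded-IP destinations, plaintext (port 80) first, then by flow count."""
    raw = triage_flows(flows)["raw_ip"]
    return sorted(
        ({"ip": ip, "port": port, "flows": n, "plaintext": port == 80} for (ip, port), n in raw.items()),
        key=lambda c: (not c["plaintext"], -c["flows"]),
    )


if __name__ == "__main__":
    for candidate in c2_candidates(parse_rows(ROWS)):
        print(candidate)
```

On the constructed rows this yields a single candidate, 194.163.161.72:80 with two flows, while the unnamed 443 connections to Google ranges land in the lower "unattributed" tier for a second look rather than being dropped.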
Files
/data/data/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | ff0f495f931ba5f212613f80e7f410b1 |
| SHA1 | ada2d98ec059148e957f86307f7e5952223d996a |
| SHA256 | 55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48 |
| SHA512 | 738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71 |
/data/data/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | 8ab798666cef9aba8d3b3fe22c2cc4fb |
| SHA1 | 215a4641fff65b4711b91f92dc9a42d34103a617 |
| SHA256 | 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333 |
| SHA512 | b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45 |
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
| MD5 | 8ab798666cef9aba8d3b3fe22c2cc4fb |
| SHA1 | 215a4641fff65b4711b91f92dc9a42d34103a617 |
| SHA256 | 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333 |
| SHA512 | b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45 |
/data/data/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof
| MD5 | d37d5def4dc95ef901709f1a2fe9fe00 |
| SHA1 | 428f282a6720b1a6b821b3413b7487d23e115f68 |
| SHA256 | c1654ca28324e52920c822e9066bdf00175026d59fb8ffd5e1072f06dbe5fda3 |
| SHA512 | 8210f1142922f3ca5c49a634c6705d3386071e700343f810396f5a3d20f7b3ce33456a42e620da428255ad727419012eff7f810a7ef56f325c4234244f5a41e5 |
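The Loads dropped Dex/Jar signature and the file listing above show code staged as BN.json under app_DynamicOptDex and loaded from there (the .cur.prof beside it is ART's profile for that loaded code). The .json name is a disguise; only the leading bytes settle what the file is. The check below is an added example, not part of the report or of the sample: it classifies a dropped file by magic bytes and flags a code container whose extension says otherwise. The real BN.json bytes are not on the page, so the input is a constructed bare DEX header, and the second path in the sample set is hypothetical.

```python
import struct

# Leading bytes of the container types a dropper typically stages under app_DynamicOptDex.
DEX_MAGIC = b"dex\n"        # full magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
ODEX_MAGIC = b"dey\n"
ZIP_MAGIC = b"PK\x03\x04"   # .jar / .apk are zip containers
ELF_MAGIC = b"\x7fELF"      # native libraries
DEX_HEADER_SIZE = 0x70      # header_size field (offset 0x24) is fixed at 0x70 in every valid DEX
CODE_EXTENSIONS = {"dex", "odex", "jar", "apk", "so"}


def classify_blob(data: bytes) -> str:
    """Coarse content type from the first bytes of a dropped file, ignoring its name."""
    if data.startswith(DEX_MAGIC) and len(data) >= 0x28 and data[7:8] == b"\x00":
        version = data[4:7].decode("ascii", "replace")
        (header_size,) = struct.unpack_from("<I", data, 0x24)
        if header_size == DEX_HEADER_SIZE:
            return f"dex (version {version})"
        return f"dex-like (unexpected header_size 0x{header_size:x})"
    if data.startswith(ODEX_MAGIC):
        return "odex"
    if data.startswith(ZIP_MAGIC):
        return "zip/jar/apk"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like text"
    return "unknown"


def is_disguised_code(path: str, data: bytes) -> bool:
    """True when the content is loadable code but the file name says otherwise (e.g. BN.json)."""
    kind = classify_blob(data)
    loadable = kind.startswith(("dex", "odex", "zip", "elf"))
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return loadable and ext not in CODE_EXTENSIONS


def build_fake_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a bare DEX header with no code, only for exercising the checks."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC + version + b"\x00"
    struct.pack_into("<I", hdr, 0x20, len(hdr))          # file_size
    struct.pack_into("<I", hdr, 0x24, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)        # endian_tag (little-endian constant)
    return bytes(hdr)


def triage(files: dict) -> list:
    """(path, detected type, disguised?) for every dropped file."""
    return [(p, classify_blob(d), is_disguised_code(p, d)) for p, d in files.items()]


if __name__ == "__main__":
    # Constructed stand-ins: the first path is from the report, its bytes are not;
    # the second path is hypothetical and represents a genuinely textual .json.
    dropped = {
        "/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json": build_fake_dex(),
        "/data/user/0/magic.disagree.often/files/config.json": b'{"first_run": false}',
    }
    for path, kind, disguised in triage(dropped):
        print(f"{'DISGUISED ' if disguised else ''}{kind:<18} {path}")
```

Applied to the real artefact, the same check would also tell the two BN.json versions apart: the first write (MD5 ff0f495f...) and the final one (MD5 8ab79866...) have different hashes, so either may be a placeholder or an encrypted stage, and only the one that classifies as dex is what ART actually loaded.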
Analysis: behavioral5
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win10v2004-20231020-en
Max time kernel
136s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c470000000002000000000010660000000100002000000055d7a4276745d29753b9fcb36810cc6080b8e3503612613b04df604b2a8e9c3b000000000e800000000200002000000019859ff0a8aba00aced170309ba0f8c1fb4ae9fab5d821d3bffd4ba6570b79a4200000005176000cc99ba78909ecf7172196b87b0cdd8cf340e02d360d192a25228041414000000059ce6f9d5c593b5eeb8e216b9254abfc34c4586d2e8ac007a1c4c309a6fc57379f4917ee4c063b46abdd6ab9a72d8c5929f934ccddfb16aaf81777b469625a17 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 6367109fb103da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000cea5e8935a07202db0424c58d0c3d7325bf17788bec69530b5111a165d830be9000000000e800000000200002000000010ff73cdce1e621c7b5f685c837186733ef936db36e3fdbbc28e8fc31c54c78910000000a482774ffa20323fcc3bddb5c95c40e740000000b32cc999881779bd21d0cf04a45b11e9f8362b44c3f59006a6ff05bf1edcc3db336c3f44085a5fd466ef685ded0367cdb45773610cb9ae942c65bcc8e1ac4184 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d8cfeb331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3800183346" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3823619336" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 6367109fb103da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3800183346" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000cf6844e7b42f402b362e80c135463dcd0eac3f7d6d59722b7076c8267df1c701000000000e8000000002000020000000013d8886905de4491d6a91e5bb82fb8c0941093d8bfebc382990ea27d94fc57c100000000524cb625f4c5a354cc143ff25a57d2c40000000d7b64b3770875d93e98cba8bb50eb57984a803e0a0dc0c0dbba58c5cf306b076165a5a6232be89a6c0d4acc43510a2e8b80b7742701cfeb911ca151f93270ce4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d1eeeb331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000577d289182ceea7f428ebe73d1371ec4053f7e9220294f141e25d9f6c484dca1000000000e8000000002000020000000cab6a41c93ebac388b36449f745eeac20e48a16d070b1d39a79b56df857abc212000000004a414a1b39ea05e8e2a9ba8c5c220b6c6079f092042e8774dd5806d3ba452ae400000007a0ea28d54d77a272f842b6294d1651e8979960fc65ba2a79f5d3082f50be4a74ea522ab3360c4a3275d5cbfb66d9b52a7b919ce6ba39433583b286adde91fd4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196206" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0DF9A0FD-8727-11EE-91E2-76B95CB0B7C7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 840 wrote to memory of 2744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 840 wrote to memory of 2744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 840 wrote to memory of 2744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about1d.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:17410 /prefetch:2
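In both Windows detonations the only process is Internet Explorer opening a temporary HTML file, and every signature listed there is raised by iexplore.exe itself. In particular the WriteProcessMemory rows record the 64-bit frame process initialising the 32-bit tab process it launched: the child's command line carries SCODEF:<frame PID> (3968 in the earlier run, 840 here), which is normal IE behaviour, not injection by the sample. The check below is an added example, not part of the report; it encodes that rule so such rows can be separated from real cross-process writes. The page does not print PIDs next to the process list, so pairing 2744 with the SCODEF:840 command line is an assumption made for the constructed input.

```python
import re

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def is_iexplore(image: str) -> bool:
    """Basename comparison so both the 64-bit and the (x86) IE paths match."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "iexplore.exe"


def explain_write(description: str, source_image: str, target_image: str, cmdlines: dict) -> tuple:
    """Classify one WriteProcessMemory row. Returns (verdict, source_pid, target_pid).
    'expected' only when an IE frame process writes into an IE tab process that was launched
    with SCODEF:<frame pid>; anything else stays 'unexplained' for manual review."""
    m = WPM_RE.search(description)
    if not m:
        return ("unparseable", None, None)
    src, dst = int(m.group(1)), int(m.group(2))
    scodef = SCODEF_RE.search(cmdlines.get(dst, ""))
    if is_iexplore(source_image) and is_iexplore(target_image) and scodef and int(scodef.group(1)) == src:
        return ("expected: IE frame process initialising its own tab process", src, dst)
    return ("unexplained: cross-process write outside the IE frame->tab pattern", src, dst)


def triage_rows(rows: list, cmdlines: dict) -> dict:
    """Count verdicts across all rows; a non-zero 'unexplained' count is what merits attention."""
    counts = {}
    for desc, src_img, dst_img in rows:
        verdict = explain_write(desc, src_img, dst_img, cmdlines)[0].split(":")[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed input: the behavioral5 rows and command lines above. Mapping PID 2744 to the
# SCODEF:840 command line is an assumption (the report lists no PIDs beside the processes).
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
CMDLINES = {
    840: IE64 + r" C:\Users\Admin\AppData\Local\Temp\about1d.html",
    2744: IE32 + " SCODEF:840 CREDAT:17410 /prefetch:2",
}
ROWS = [
    ("PID 840 wrote to memory of 2744", IE64, IE32),
    ("PID 840 wrote to memory of 2744", IE64, IE32),
    ("PID 840 wrote to memory of 2744", IE64, IE32),
]

if __name__ == "__main__":
    print(triage_rows(ROWS, CMDLINES))
```

The rule is deliberately narrow: a write from iexplore.exe into a child whose SCODEF value names a different PID, or into any non-IE image, is left as unexplained rather than assumed benign.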
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Temp\Kno1BC0.tmp
| MD5 | 002d5646771d31d1e7c57990cc020150 |
| SHA1 | a28ec731f9106c252f313cca349a68ef94ee3de9 |
| SHA256 | 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f |
| SHA512 | 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 7bc1352ddba5108aad2ba4f8dc7fd138 |
| SHA1 | 115f349b60dbda0a5be6546362a4561755ee66ec |
| SHA256 | 5880434d7a59152766862a06d0a20ef7a07c983bea04471bfc43f56ec530ec12 |
| SHA512 | 0ec0c8fdf933fff74ad0f549bf0bc8aa42d5dfb160fda7169a09db7eb35e68890c2ce90a9f9c143f19f9d832f7c19794602a83ae706ba122c39604d89e7eb113 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 881b552f9d4b4c0e9198247690bbcdfb |
| SHA1 | 89b2a8fdd8c755b116d08e18eea16d843154fc1e |
| SHA256 | e7759be3da825e3aa3eabf098b272337dc9805751a944102a32936b181617a62 |
| SHA512 | ef9d7bfc8c962ba1711fc964a0e3737e3d265bc2d507bf4594b72ef21a8755f6dcc5a52bf584e55348ae040609108bfd2b1f6d328e1cff7913a4a14f4bcd06c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral6
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win7-20231023-en
Max time kernel
134s
Max time network
155s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F86F081-8727-11EE-BB7B-5AAA8EBA5435} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd6692000000000200000000001066000000010000200000006eb5f4435c48a7c2bd5f92f30c328dc2da2a8ce3abcf33a485fac57dcd569c20000000000e8000000002000020000000c9c8ccb7e5925677aa3d2756f1d0dc5e2672a6d5bdcbfb0273d315cc5a949fb2200000005a69aaa9c14ef2fa65bca3132eaf8de6e5363940f7891160ab6671e481181c3240000000b0d0847934cad4de588c362de5f21b6ab3a45de4af86d40c53030b88e8c03a4003ccd033b59fffef37b93d3a4155c73a20bcc93a87ae55439a1a73cc8a5a0e43 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593100" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302645e4331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1956 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1956 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1956 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1956 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6A3B.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6AAB.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e67f7390a25a9c4056961e26268106d |
| SHA1 | f2d3af8c4e82c959234e7132fe32b7de9a8c5c38 |
| SHA256 | ed5bd4c536738349fb6f963444d64ceb38f32c90c506ec69ed27dd40c54782de |
| SHA512 | b39db0c886644c00641f75108e5e77bab8549f45534f7569ec2f9b06390876001d80341cc2fe99f53986d108225f77334ba87a4b2b8f8266f18872e3d74b427a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 838d35029d861426aab3f717c8dab19e |
| SHA1 | 9948fc64a4133a6bb0ac5a093091d05bc344f720 |
| SHA256 | 5023b7e8d5922512632446e1499ba14a4b6765aaec608a97d467072160db9ca0 |
| SHA512 | cd7b13dfba4da60b15d29ff91ea47b1c8fab0cdd1f6e33098c4f912fc9a65b6fe503b91296de4857a94cd0835e2229c66a903eb7249bb5f6c1a42d1f1e5d9016 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9ff01c4b803be6330fd1566948368f3 |
| SHA1 | 3e6e9bcba79a0442ed9d205fa057c921ac31c9fa |
| SHA256 | 275bbe16cc3d0b6c0e630adf9a078badc225038b86bb2881e2d2a50a954b868d |
| SHA512 | cb84cdbec822588c2f69172c26cc639db1e24d93fcafd883cdaa317a1c6c668992ed5bbec79850cdbb6ec886282ac57e9ead961f24e4ea3c11cff095685cb5c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a522d807202411ea4f3f3d5d771f6af |
| SHA1 | c5a2aae5d0ae2406d993560dcbfef734eb3fced9 |
| SHA256 | 7fa0db4f1abfab99ee19d3202650707cd459500fb51e8e49355a11935b36a6fe |
| SHA512 | e1cf1fde9c6650f1428f4eac997c260153e9f4d275c96cdf709f20e13cc5d16fdd4653d1f8e9866d8e0dc07f94d9780f984fc6b54fb1046b713463f035cc7d41 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bce38a26de8bd3007a2919941b9f7e26 |
| SHA1 | 9a430dc826503b1b6e0e53a68eeb1dd49b8cb8f2 |
| SHA256 | fff2e4ecc11906adc22179d2a1d35e73cbb689a726fdf7868ede366f854d8efc |
| SHA512 | 0df8ee628f545f27c117feadfdbc92383555eb8c9694eccf2cfe0849e45ce4044c2bb766e86b2b495655a10a01de72290058d0ceb35350bc4d4749a55305e935 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | accf7c45ec93598ca7fecd552cb6cd9c |
| SHA1 | 1ca0545e02f97c86fb1c12421ba4bb0aa399f69f |
| SHA256 | 88a6bc0eb08c633acd5821c439d334bd6f446f1e03f9f2318a663371d04270e2 |
| SHA512 | 63c1b22ae30d2563036150ecb934622f25aca33a8e03553f91061ce815b5146220bfe3bb0b31ace33c2ed0b41cecfb39749c4664cdc8eebd497b7b130803dac6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24ef1f669893ca6a706a1426bca28ce6 |
| SHA1 | 28b4948719a9322f96399ec51fa3f5436ff4d0da |
| SHA256 | a07a55d516a2c3b9a516e06cb3492bdc8dc98dcb382b5c5753f4b9efd6527508 |
| SHA512 | db8957c3b8bc2d2750b5f8f6e1edd0f7d4b6f96dee58619e1e49aed8b7558ec1088302d561705572f35d0a40a47ecec5130937befa390f822453e6c75d8035e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b76d6993fb208be2e3ec96d1274214c |
| SHA1 | 081b95cc265e7c7fa83a8d4e8889ec7b85bb9dd8 |
| SHA256 | 14517509702903272bf196f34506271c852e6f789dffb553f3e3d4e392e422bc |
| SHA512 | 3c9185f9e50539c694b4a7a7ddb7c7c546eb4af35ad2f51ff206bfba1b8be74f14d98a1b77149ad4f7844b75ba20112d807e831ae5dbc291853923fef1883ea5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f9867942227c1eefdb801cd5fcebe3ca |
| SHA1 | 152565896343131102e037659ca79061d22c7262 |
| SHA256 | 8cc4738cdf32cabf23f82abe22303885cb2f3639840d4538d811119fced3350c |
| SHA512 | 20484ec0f63731c214c50db1f13e8df35c06727466430aa30cd1320376cb3e5dce4ffc7e9cbe71d66efb9f9ca8524c3196b3136030ff7ca85439862e9fd318fa |
Analysis: behavioral7
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win10v2004-20231020-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3814943924" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07da5e9331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3838850362" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196211" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3814943924" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb910000000002000000000010660000000100002000000039c29be0711cde47cc11295125176e957708cf814fce43833bd38b46447229f8000000000e8000000002000020000000984c15ad54a8f217de212f10ff2753101d1a195f1f6d67f12fe8096df7638ce220000000426ed437540f0b0279143fcde093a8f950f9cccdf292a883922723ab3539fa92400000009dbaef43531b7ec1d9ce3c663ae71eebc2a889f8106a248f835f59659cfbd8d0f7b28a356a1cb3e308a4fa68aeb5a4837bfc41647854aad2eb1324db09974490 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000c6083c907d78b01366d9d6d1ea9e10491c2a39b899da1d413a79c532994d0b6f000000000e8000000002000020000000a75f19e3c1f4d766f55e0645098f45ab5f7252aae77f757bc76aaac214e7d11d20000000da5ed3e5f341b312cd60d74b3de2dc54629c44484f5dcac4e515e381ef2d694840000000b85d63121a4eced082abf4882ce48d9faf862445b7906b3bc8a7bcb98c60ae561be70fb4fde4559f4ab5fb446a980d0bbe2e87c87c558a54586fbc174061803b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bcbfe9331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0EF2B55D-8727-11EE-88E4-CE69B3638587} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 4840 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1432 wrote to memory of 4840 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1432 wrote to memory of 4840 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2
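The "Modifies Internet Explorer settings" and "Suspicious use of WriteProcessMemory" signatures fire in both Windows reports above (static1 and behavioral7; the registry signature again in behavioral8), yet the only process activity in each run is Internet Explorer opening C:\Users\Admin\AppData\Local\Temp\about2d.html. Every listed key sits under the user's Software\Microsoft\Internet Explorer hive and is written by an IE binary, and every memory write goes from the 64-bit frame process to the 32-bit content process it launched, whose command line carries SCODEF:<frame PID> (1956 writing to 2732 with SCODEF:1956 in static1, 1432 writing to 4840 with SCODEF:1432 here). The Python below is an added example, not code from the sandbox vendor or from this page: it parses rows in the page's table layout and encodes that reading as a filter, so that what survives is what still needs an analyst. The two rules, and the rows marked constructed, are my assumptions for the exercise; the other sample rows are copied from the behavioral7 report.

```python
"""Added triage helper for the 'Modifies Internet Explorer settings' and
'Suspicious use of WriteProcessMemory' tables (example code, not part of the
sandbox report).

Assumptions (mine, not the sandbox's):
  * a registry write is Internet Explorer housekeeping when an IE binary writes
    under the user's Software\\Microsoft\\Internet Explorer hive;
  * a WriteProcessMemory hit is the normal IE frame-to-content handoff when both
    processes are IE binaries and the target's command line carries
    SCODEF:<writer PID>.
"""
import re

IE_BINARIES = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}
IE_HIVE = re.compile(
    r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\SOFTWARE\\Microsoft\\Internet Explorer\\",
    re.IGNORECASE,
)
SCODEF = re.compile(r"\bSCODEF:(\d+)\b")
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Rows copied from the behavioral7 report.
REGISTRY_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
"""
# Constructed row (not in the report): a Run-key write by a non-IE process.
CONSTRUCTED_REGISTRY_ROW = r"""| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\Users\Admin\AppData\Roaming\upd.exe" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |"""

WPM_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 4840 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1432 wrote to memory of 4840 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
"""
# Constructed row (not in the report): the content process writing into svchost.
CONSTRUCTED_WPM_ROW = r"""| PID 4840 wrote to memory of 5120 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\System32\svchost.exe |"""

COMMAND_LINES = {  # image path -> command line, from the behavioral7 Processes list
    r"C:\Program Files\Internet Explorer\iexplore.exe":
        r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html',
    r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE":
        r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2',
}


def parse_rows(table):
    """Split '| a | b | c | d |' lines into 4-tuples; the first line is the header."""
    rows = []
    for line in table.strip().splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows


def triage_registry(table):
    """Return (housekeeping, residual): IE writing its own hive vs everything else."""
    housekeeping, residual = [], []
    for action, indicator, process, _target in parse_rows(table):
        key = indicator.split(" = ", 1)[0]          # drop the value, keep the key path
        if process.lower() in IE_BINARIES and IE_HIVE.match(key):
            housekeeping.append((action, key))
        else:
            residual.append((action, key, process))
    return housekeeping, residual


def triage_wpm(table, command_lines):
    """Return (expected, residual): frame->content handoffs vs other memory writes."""
    cmds = {path.lower(): cmd for path, cmd in command_lines.items()}
    expected, residual = [], []
    for desc, _indicator, writer, target in parse_rows(table):
        m = WPM.search(desc)
        s = SCODEF.search(cmds.get(target.lower(), ""))
        if (m and s and writer.lower() in IE_BINARIES
                and target.lower() in IE_BINARIES and s.group(1) == m.group(1)):
            expected.append((m.group(1), m.group(2)))   # (frame PID, content PID)
        else:
            residual.append((desc, writer, target))
    return expected, residual


def triage_report():
    """Run both filters over the sample rows and summarise what is left."""
    hk, reg_res = triage_registry(REGISTRY_ROWS + CONSTRUCTED_REGISTRY_ROW)
    exp, wpm_res = triage_wpm(WPM_ROWS + CONSTRUCTED_WPM_ROW, COMMAND_LINES)
    return {"registry_housekeeping": len(hk), "registry_residual": reg_res,
            "wpm_expected": exp, "wpm_residual": wpm_res}


if __name__ == "__main__":
    for bucket, items in triage_report().items():
        print(bucket, items)
```

The SCODEF check is deliberately strict: without the Processes list (pass an empty dict as command_lines) every memory write stays in the residual bucket, which is the right default when the sandbox did not record command lines.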
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
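The behavioral7 network table holds two kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8 for *.in-addr.arpa names, and lookups plus HTTPS to tse1.mm.bing.net and ieonline.microsoft.com, which both resolve to 204.79.197.200 in this run. The PTR names are the more useful artefact, because reversing their octets recovers the addresses the guest wanted names for, and that list is what to compare against the connections the sample itself made. The Python below is an added example, not the sandbox's code: it parses rows in the page's table layout, turns the PTR names back into IPs, and separates baseline hosts from anything else. BASELINE_SUFFIXES is my assumption about what Internet Explorer contacts on its own, and the last row is constructed (TEST-NET-3 address, reserved example domain) so the residual bucket is not empty.

```python
"""Added network-triage example for the behavioral7 Network table (not part of
the sandbox report). BASELINE_SUFFIXES is an assumption about Internet
Explorer's own traffic; CONSTRUCTED_ROW is not from the report.
"""
import ipaddress
import re

# Rows copied from the behavioral7 report.
NETWORK_TABLE = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
"""
# Constructed row (TEST-NET-3 address, reserved example domain), not from the report.
CONSTRUCTED_ROW = "| DE | 203.0.113.7:443 | panel.example.net | tcp |"

BASELINE_SUFFIXES = ("microsoft.com", "bing.net")   # assumption, not from the report
PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_rows(table):
    """Split '| a | b | c | d |' lines into 4-tuples; the first line is the header."""
    rows = []
    for line in table.strip().splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows


def ptr_to_ip(name):
    """'146.78.124.51.in-addr.arpa' -> '51.124.78.146'; PTR names list octets reversed."""
    m = PTR_NAME.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:          # an octet above 255: not a valid PTR name
        return None


def in_baseline(domain):
    """Exact match or a proper subdomain of a baseline suffix (not 'notmicrosoft.com')."""
    return any(domain == s or domain.endswith("." + s) for s in BASELINE_SUFFIXES)


def triage_network(table):
    """Split rows into IPs the guest reverse-resolved, baseline hosts, and the rest."""
    reverse_lookups, baseline, residual = set(), [], []
    for _country, dest, domain, proto in parse_rows(table):
        ip = ptr_to_ip(domain)
        if ip:
            reverse_lookups.add(ip)
        elif in_baseline(domain):
            baseline.append((domain, dest, proto))
        else:
            residual.append((domain, dest, proto))
    return {"reverse_lookups": sorted(reverse_lookups, key=ipaddress.IPv4Address),
            "baseline": baseline, "residual": residual}


if __name__ == "__main__":
    for bucket, items in triage_network(NETWORK_TABLE + CONSTRUCTED_ROW).items():
        print(bucket, items)
```

A reverse lookup shows the guest asked who owns an address, not that the sample connected to it; treat the recovered IPs as leads to check against the connection rows, not as indicators on their own.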
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral8
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win7-20231023-en
Max time kernel
134s
Max time network
153s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000000e825ddb08402c6636e625713d4dff620851f959fc641c48006dfe90596d113e000000000e8000000002000020000000e027c0537935fbe23d680988fb44beff98734cc896fccb79d2add0a2ad15793d90000000bea357a4b6c90b9d3eb747bef37661cbd173186bd89ebe1972aec927c4355cd3c3bff794e6a08de3e6d8f1cdce372b69863117d725f8735b1271d625c3e99a9d23dead348996addf6444164c360cbab51f71d980a3a1dadf7600058572f66d418d880dff05e42806edb23865c0b57364f97a140944fe47ae108ec25a6c56a00f5f10aacb844c3ea6d34cec434a59009940000000becaee87e2adca4d2db3b005c6896073a3efa64be567bf76fee5ad194e0fff1f52f743f139fd1822b8d1edbba72c19403f23444ced0955c341f42bac4c70dbeb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000ebab805e71bb797c651374d65e15a61bb5e5f1994ce92b17a4e6b02709eb10af000000000e8000000002000020000000fc76532c01b311a5ad78eba03075fe6a99e7deb79fa2fb1d1e08c410b12089b120000000936fddfe797852ba1fbc01bc1a789eb89545e02d46f2d1c98ef6f3f9bcb2563340000000e2586a21575e33e694b4a07cee3ab5b5f9ca640e26cd285e2861068fd3242c4145d202d99106bc3e023e1a048f5563fe6aed2a85b2c4fe3f06b5e4987a052f3b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593119" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D4BECD1-8727-11EE-A268-46832863ABDE} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a7aee2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1140 wrote to memory of 3036 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1140 wrote to memory of 3036 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1140 wrote to memory of 3036 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1140 wrote to memory of 3036 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab51EA.tmp
C:\Users\Admin\AppData\Local\Temp\Tar520C.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral13
Detonation Overview
Submitted
2023-11-19 22:00
Reported
2023-11-19 22:03
Platform
win10v2004-20231023-en
Max time kernel
124s
Max time network
148s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c060d2e6331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3829743388" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196209" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0FDBAF18-8727-11EE-AEA7-5E82B88FB323} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1049b8e6331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3843337315" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a786c536d7cd7e4ab8c0af0cd6cbb43000000000020000000000106600000001000020000000331f23ea279d297f354de2b04e3fcba9a3f7945fa5c03a852fd8598ceb9c7148000000000e800000000200002000000062831954ff2ba4a3ce0719ada5aa6a29c7865129d3cd2d1caebbbdfcbc4a33d720000000b9d024fba22cb8403d71fd3fefd23210273ba01ec3e860a8b5b1631426f187b240000000a5d236a478f346a11f95d10d384ececd3affd12d89414e8615c00ab2834d111ed09f082ffb2f7c8c4743a287b7996456ff90b2cd5f94368ff382cd1cd02f70f8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a786c536d7cd7e4ab8c0af0cd6cbb43000000000020000000000106600000001000020000000c72df163572888088121d0d4bdd77d8fc94fdb4812f8694850b876c467549296000000000e8000000002000020000000c2748ab62c8e313bfbf49d49491db979729c2989f744f0a79ef624837843e11b200000001a01bb821dfc3b9b347c868369a315ee0da44183d6127afe1a8470f7a3ec065e4000000078a4c4dab6b805d621d1645709678daef9f127af434ae98584b4879661e316921643af278fcc8247cb8bc36b96c471c1db452dd94c04f48cbcb06345613d2564 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3829743388" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 3608 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1444 wrote to memory of 3608 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1444 wrote to memory of 3608 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sharing.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\suggestions[1].en-US