Malware Analysis Report

2024-10-19 11:56

Sample ID 231119-1wth6aca89
Target 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b.bin
SHA256 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b
Tags alienbot cerberus banker evasion infostealer rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral9, behavioral12, behavioral10, behavioral1, behavioral3, behavioral11, behavioral2, behavioral5, behavioral6, behavioral7, behavioral8, behavioral13 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10
SHA256 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b

Threat Level: Known bad

The file 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus

Alienbot

Cerberus payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

The last five signatures come from the Windows behavioral runs, in which the sandbox opened HTML files (about1d.html, index.html, sharing.html) in Internet Explorer on Windows 7 and Windows 10. The registry keys, the DNS lookups against 8.8.8.8 and the HTTPS connections to ieonline.microsoft.com and Bing recorded in those runs are consistent with ordinary Internet Explorer first-run activity rather than with the Android payload, which does not execute on Windows; the verdict rests on the static analysis and the Android-specific signatures above.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-11-19 22:00

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
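The check a practitioner would run on the permission set above, as an added example that is not part of the sandbox report and not code from Cerberus or Alienbot: it parses a decoded AndroidManifest.xml, groups the requested permissions into capabilities and flags the SMS-interception plus accessibility-service pairing that overlay bankers rely on. The manifest is constructed: its eleven uses-permission entries reproduce the static1 table, while the accessibility-service declaration and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission are assumptions added to mirror the "Makes use of the framework's Accessibility service" and "Requests disabling of battery optimizations" signatures; the capability groups and the banker_like heuristic are the example's own.

```python
"""Score a decoded AndroidManifest.xml against the capability profile of an
Android banker. Added example, not the sandbox's or the malware's code."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest. The eleven uses-permission lines reproduce the static1
# table; the service and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS are assumptions
# standing in for the Accessibility / battery-optimization signatures.
# (A real APK carries binary AXML: decode with apktool or androguard first.)
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# A capability counts only when every permission in its set is requested.
CAPABILITIES = {
    "sms_interception":       {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending":            {"android.permission.SEND_SMS"},
    "contact_harvest":        {"android.permission.READ_CONTACTS"},
    "call_control":           {"android.permission.CALL_PHONE"},
    "audio_capture":          {"android.permission.RECORD_AUDIO"},
    "device_identity":        {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
    "account_enumeration":    {"android.permission.GET_ACCOUNTS"},
    "background_persistence": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

def parse_manifest(xml_text):
    """Return (requested permissions, names of services bound as accessibility services)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    a11y = [s.get(NAME) for s in root.iter("service")
            if s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    return perms, a11y

def assess(xml_text):
    perms, a11y = parse_manifest(xml_text)
    caps = sorted(name for name, needed in CAPABILITIES.items() if needed <= perms)
    if a11y:
        caps.append("accessibility_service")
    # Heuristic: SMS interception plus an accessibility service is the pairing
    # that lets overlay bankers read OTPs and drive the UI; flag it explicitly.
    banker_like = "sms_interception" in caps and "accessibility_service" in caps
    return {"permissions": sorted(perms), "capabilities": caps,
            "accessibility_services": a11y, "banker_like": banker_like}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST), indent=2))
```

Permissions alone are a weak signal (a legitimate messaging app also requests the SMS set); the value of the check is the combination, and in particular a service bound with BIND_ACCESSIBILITY_SERVICE, which a benign SMS client has no reason to declare.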

Analysis: behavioral4

Detonation Overview

Submitted 2023-11-19 22:00
Reported 2023-11-19 22:03
Platform win7-20231025-en
Max time kernel 135s
Max time network 132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about1d.html

Signatures

Modifies Internet Explorer settings

Tags adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000198b080376238195f707ced99d26442c89b5b4af7beabc73486b86202a941372000000000e8000000002000020000000b4968f065fd6d8a21d8efe3576870552b963ea9c12c472cae9f34756083171dd200000007370d4e502f6b44c7508caa6a967511f9ff36cd0081ea74cd6d8c0693acdba0a400000005055098e270f1201fd42a3e31c484100cb67a617b2ab029f90ca342356f7789ecb05e316aacc82c111bc07ff517e9f555635462cf7042b22241cb3410cdf1bff | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5045c1e2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593098" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DFD0C91-8727-11EE-B466-42BF89FD39DA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000007b25a0648f4a8417a08331388ce8dcd5bd9f503b750123c92b6dfc10d1d3fa09000000000e80000000020000200000009444641253be0ac16660f7664bdbe8f5b31c8be6714344cbce631b9001eb1c4f90000000ad46736458c4954515c3915bb827847b8f9f995e411d815f5305777c9f238e17759172c17156a8df9f6a44a560bf8aae4ee9d638cf4934ca2fa98271ce2581b218b46b705b424717598050cea5b450137415feb25253a88b8287178304d3830d736d46594cfb825bb913113b7ca86a29d1de0a58f2c921603adb248b586dc67a6151da8ee107228220c7a915d7339e474000000009a21d595f699319f2a5f2263d9935be1ed50cfaad4332301f048e5042edc3cd8b70b4ab7dca5ea01cf943c3738e5f26e504637e846ef7eff2f8f5e0d4e796ee | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about1d.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5026.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5048.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc619f9cd0f92b2914f9961bdd71bb14
SHA1 28b272bea907fef3089597510b070526e6814e24
SHA256 8a764a10761b6b9ce9b94b9c01996a0444153b220cc72055cc92504ace5e4672
SHA512 b93b25b57ce5cbde66418194f9acf58deebcad3d2d9526fbf96ac56d4c18f8d63b55db16095d1d7ac9fb6f5f595d8f4a050211c56d8f6e41ec68dd25e70d3cfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9879d3a41fd91b9242931b2c10ed9b8
SHA1 0b65a3209214648643c73a56c493e25218e5b9cc
SHA256 e223233da87d1a45977870ef083d0ec884f0558468403934117376501d19d19e
SHA512 2897b1fd5a605f9c1f9c46029d21b685f731249a3d38d8715b5f7d5c19df5082c794ba8de12b12c8905a7061e08b45496b092fd07eaf4642bba39dc74a47e3b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cb83ebe81c759bf79a76d24ad448d2a
SHA1 a02870092fa944e2f8f498890459e520fb4e5f53
SHA256 aeb7b8121f5a74114c50d9c29d0f4185c1ccde64469ad55fec6fd4d91a73796d
SHA512 c6f0aa6431556f26a273dbd64b966a34ab1fa8b91dee2431fc13f0ccc0836195f176ad76c90088266def936977efe017ed9a98d3c8d3cdc78619b25a1a8de56d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0277d7e3eb450eeeccaf37dd4c5a589
SHA1 815f53252bdf22f44953b55f7fb71bcf575cd6be
SHA256 23d411431fd704004e44607be3d414b82ca77f0138a234ea1caa3d1ea9e69d2e
SHA512 6ae5a904aa0d23b231b3996dfe5bcf2635590f25347a13acde875f4c492f6bb40179ceac4fc27e345d91e6493f4dd8c769697e2cb407297eb515ec2df74a117e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a892f1ef831110715565bb6acfcd3ac8
SHA1 e0fe07a1242350c5d837bc7574497d8df35da4dd
SHA256 c6b7cbaf25bc23ef6ba162991f835779683be9d9d4081c6c071e55cf1e7120f6
SHA512 5fc65638e16e77887a55f84afdd1f55dfe0af94bb7e6d223b746c00310ddf81f38dae8351969d4146dd2094262a29e9e4cbd4a51a1e999d88c6e5c0700a6f292

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d639e4f161fab7d78bd053d64c733756
SHA1 42a4b8e5c18f6ea6d72dbd747c1529b6c053abfb
SHA256 7ac33adb83d03752f46641e7bdd164694801b37bbf8b7e3b1d634212d19e8096
SHA512 27781b897ca4b7dbc36dc978c24a9cb4cd29aeaf596ab52352b60a4ee3d4c8f231d29c331d7dd5bbbbb0d4d27f6bedb15b220d19b4048f5d524fd79baa516914

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6438ab0c4faa12b9ce6e34b9107f8890
SHA1 7a3f73e625a2e4e04e950fab250ea223ca087167
SHA256 08df419170e3ce57564607babb88a9432b5b92566686971da5d140d2b1312c3e
SHA512 679e78cd5b4af816bb7404271cfaa53483efa99c4c54e6f7bfaa4f2a8e239a9b33d8d58da78eb9fd3a97d53f268c9d0419ddb6beebfe8839ddae23cccf6c39fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cac3ba3ef28c7b479a73600307a666ae
SHA1 7259473fa8eb49578f0b4c0f730d7ddd053d6843
SHA256 0e922531cdbe456f878a98496c3b68c7883d18f60adff57790df527d2f55c66e
SHA512 5a979aca4c1cc40d7b6fab6ae3ecd339e5abba79f4ecefa03ed4fc721a6aa4c82d5fece914af63e3b408db6194e0b24b193dd765dc45e8dd1aa7f7f47be849dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 472b14c46a68a55a3fbea130d9089623
SHA1 7ca156585073c8600f84ec2a9d98a3fbeb76c04f
SHA256 de676cdb4dbc0d70d136b2943c24039ea3c34ea82a520400789662c0585a6fc7
SHA512 eaa89bdb2f788cc595c76910795a73bf0641ee496c374e2de38a136b8d4f956032c18b83123e835f1ab2644147ecf64ccc36dcb0cb7f7b903c4310fbc96ee1a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7e0c82dde8d6a592007851288698351
SHA1 eb17a6676fbe9932c4e2bd26220aa8f0fac29cb0
SHA256 e302e6bf477a390d003dd1deaa08123bee4e4d444727043a1df6a3c5beb39561
SHA512 71f8401e9e9d0e483e0439bdc0d25d76b42bf07e8b94406cbeb8d637c3351afdc9ef81e1a3b0c54241e5bc41394740080b2ac5540ac544dae590aeda93842ef3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66ef9b2aebe9d9c008b8d586ba9f1dce
SHA1 cf1bd0af1e43b8bf68ce6d20170aaef694b65839
SHA256 b5305e3d538ecef636dfe4b2feebb084a6163a4d557a3f194a45bc1f3b257518
SHA512 6ea988247f1579161f1e451be8f162212e24e36b5a8432db2fb9ddd1f669e3eeac2e729268ba3955175eaad19d46fb085aca06053060cc3a6a7106e97bb3fac2

Analysis: behavioral9

Detonation Overview

Submitted 2023-11-19 22:00
Reported 2023-11-19 22:03
Platform win10v2004-20231020-en
Max time kernel 138s
Max time network 150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html

Signatures

Modifies Internet Explorer settings

Tags adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3886249304" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3902031618" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003b97c1da6bd61743bfb3911f85184de2000000000200000000001066000000010000200000005fee33f611ea28af3429438890b3e76ff8de604df9741e74c25bed230466fa24000000000e8000000002000020000000b8554e232458d1e0af499a6a9047c3d2a3022447f143eaec3fde2628eea2d09020000000ec6a55ddcb49ad0a536f38a76069c4a3ebef731d4c00fec7cb713a96446557a040000000dafe9c9468f2ae876a94cf553295f4af8bd082a9c73b12d9279b7f965ec658eb207ea98578ba39da3f02c2e57c5bc02826bc6cb623e6d44f2f3de52bab9c3607 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3886249304" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003b97c1da6bd61743bfb3911f85184de200000000020000000000106600000001000020000000b86fe6ac31dbf16d84f99306313f2c73666c55cbed59a9fe6313010111fcbb38000000000e800000000200002000000065bb646fc99b0f19be96fe0baaa7018d0f1a74e462a0bc369169d2b1303b22482000000032ab20f9699b4e8e1bb8da1a28b020994cd013d1832c1b06244f58c4f98892b9400000005546ad2aa8b1b2c9c3bc921add774cb8180f75f0e1abefa64daa1bcd1ebd886d49de31224ba4754bf6db783154a87e227f4e4571978cd8cf757f2321b5fbc6bb | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196215" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ff68eb331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{13486429-8727-11EE-BDA1-F6568660663D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d361eb331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
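The registry tables of the Windows runs (behavioral4 above and this one) are long, and the question a reviewer actually has is whether any row touches a persistence location. The following is an added example, not part of the report: it parses rows in the report's "Description Indicator Process Target" layout, maps the kernel-style \REGISTRY\USER and \REGISTRY\MACHINE prefixes to HKU and HKLM, and matches the key against a list of classic autostart and hijack locations. The first four rows are copied from the behavioral9 table; the last two (a Run value and a Winlogon\Shell key written by a hypothetical dropper.exe) are constructed so that the check has something to flag, and the persistence list is the example's own, not the sandbox's rule set.

```python
"""Flag writes to persistence locations in a sandbox registry-activity table.
Added example, not part of the report."""
import re

# Rows 1-4 are copied from the behavioral9 table (all Internet Explorer profile
# noise); rows 5-6 are constructed so that the check has something to flag.
REGISTRY_LOG = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{13486429-8727-11EE-BDA1-F6568660663D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Roaming\svc.exe" C:\Users\Admin\AppData\Local\Temp\dropper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\Users\Admin\AppData\Local\Temp\dropper.exe N/A
"""

# Operation, key (optionally "= value"), writing process, target. The key and
# the process path both contain spaces, so the process is pinned to a drive
# letter and the row to the trailing "N/A".
ROW = re.compile(
    r"^(?P<op>Key created|Set value \((?P<vtype>\w+)\)) "
    r"(?P<key>\\REGISTRY\\.+?)(?: = (?P<value>.+?))? "
    r"(?P<proc>[A-Z]:\\.+?) N/A$")

# Kernel-style hive prefixes as the sandbox logs them -> the usual short names.
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))

# Classic autostart / hijack locations (a subset; extend per environment).
PERSISTENCE = [(re.compile(p, re.I), why) for p, why in (
    (r"\\CurrentVersion\\Run(Once|Services)?(\\|$)", "autorun key"),
    (r"\\Policies\\Explorer\\Run(\\|$)", "policy autorun"),
    (r"\\Winlogon\\(Shell|Userinit|Notify|Taskman)(\\|$)", "Winlogon hijack"),
    (r"\\CurrentControlSet\\Services\\", "service install"),
    (r"\\Image File Execution Options\\", "IFEO debugger"),
    (r"\\Windows\\AppInit_DLLs$", "AppInit_DLLs"),
)]

def normalize(key):
    for raw, short in HIVES:
        if key.upper().startswith(raw):
            return short + key[len(raw):]
    return key

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["key"] = normalize(row["key"])
            rows.append(row)
    return rows

def scan(text):
    """Return the parsed row count and every row whose key is a persistence location."""
    rows = parse_rows(text)
    flags = []
    for row in rows:
        for pattern, why in PERSISTENCE:
            if pattern.search(row["key"]):
                flags.append({**row, "reason": why})
                break
    return {"rows": len(rows), "flags": flags}

if __name__ == "__main__":
    for f in scan(REGISTRY_LOG)["flags"]:
        print(f"{f['reason']:16} {f['proc']}  ->  {f['key']}")
```

Run against the real behavioral4, behavioral9 and behavioral12 tables the flag list is empty: every write lands under the user's Internet Explorer profile keys. Matching on the key path alone is the cheap first pass; a second pass would also look at which process did the writing, since a Run value set by iexplore.exe is as suspicious as one set by a dropper.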

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.254.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp
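Both Network tables in the Windows runs (behavioral4 and this one) contain only resolver traffic and Microsoft/Bing hosts, and the triage question is whether anything else is hiding among those rows. The following is an added example, not part of the report: it parses rows in the report's "Country Destination Domain Proto" layout, drops DNS to the sandbox resolver (including the reverse in-addr.arpa lookups) and connections to an assumed allowlist of vendor domains, and keeps the rest as candidate command-and-control endpoints. Seven rows are copied from the table above; the last row (203.0.113.7:8080, update-panel.example) is constructed so that the filter has something to keep, and the allowlist and port set are the example's assumptions.

```python
"""Triage the Network table of a sandbox run: drop resolver traffic and the
vendor domains Internet Explorer contacts on its own, keep anything else as a
candidate C2 endpoint. Added example, not part of the report."""
import re

# Seven rows copied from the behavioral9 Network table, plus one constructed
# row (the last) so that the filter has something to keep.
NETWORK_LOG = """\
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
XX 203.0.113.7:8080 update-panel.example tcp
"""

ROW = re.compile(r"^(?P<country>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
                 r"(?P<domain>\S+) (?P<proto>tcp|udp)$")

# Assumed allowlist for this sandbox: its resolver and the Microsoft/Bing hosts
# that IE's new-tab page and domain-suggestion features fetch on first run.
SANDBOX_RESOLVERS = {"8.8.8.8"}
VENDOR_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com")
EXPECTED_PORTS = {53, 80, 443}

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def reasons(row):
    """Why a row is NOT background noise; an empty list means it is noise."""
    if row["port"] == 53 and row["ip"] in SANDBOX_RESOLVERS:
        return []   # forward and reverse (in-addr.arpa) lookups through the sandbox resolver
    out = []
    if not row["domain"].endswith(VENDOR_SUFFIXES):
        out.append("domain not allowlisted")
    if row["port"] not in EXPECTED_PORTS:
        out.append(f"non-standard port {row['port']}")
    return out

def triage(text):
    rows = parse_rows(text)
    noise = 0
    suspects, seen = [], set()
    for row in rows:
        why = reasons(row)
        if not why:
            noise += 1
            continue
        endpoint = (row["ip"], row["port"], row["domain"], row["proto"])
        if endpoint not in seen:        # repeated connections collapse to one endpoint
            seen.add(endpoint)
            suspects.append({**row, "reasons": why})
    return {"total": len(rows), "background": noise, "suspects": suspects}

if __name__ == "__main__":
    result = triage(NETWORK_LOG)
    print(f"{result['background']} of {result['total']} rows are background noise")
    for s in result["suspects"]:
        print(f"{s['ip']}:{s['port']} {s['domain']} ({', '.join(s['reasons'])})")
```

A domain-suffix allowlist is the weakest part of this: a vendor domain can front for an attacker through a CDN or a compromised tenant, so a production pipeline should also compare the resolved IP against the vendor's published ranges and treat any domain first seen in this run as a suspect regardless of its name.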

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PVJSO5VT\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral12

Detonation Overview

Submitted 2023-11-19 22:00
Reported 2023-11-19 22:03
Platform win7-20231020-en
Max time kernel 117s
Max time network 133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sharing.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D0E5731-8727-11EE-A9F6-F64027C77725} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06f7ee2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593098" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000081bac74434e53522f4a6b9ad20f09a1ff919eed8fc50f20857f15fade593e64000000000e8000000002000020000000c6b5db29465d2280f9e5203af8b8c2b16ba3ba8ca4859096de1198000e0aacbc200000009a36904c4a2a835b1b6de874a6eecc9dbe9737cad759f20a742adbb0698774e5400000001c39d0a7edb60b04b45d14b3829fb1b874080b90d296281507b60cb7c4ad934bf9782ab411df74b68edd483b912f12d388a38898a86bce3e0c5b78801bc2e57a | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sharing.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab738C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar8D96.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10815de4f50b52a7ec31a3ecc447556c
SHA1 6046ea2fca5041726e71a2f0cc4b058bbcc9beef
SHA256 e3a1fd744895cd4443bf7cf00cae2bd7663c20fe26774dfdd3e7036bacaac17f
SHA512 7ef1227af7c64a69e403280cd24977b0eb0ab0cff4cd3b3395bae815d50268a25847764aa67b3226e59e8bc22ae3f25f8f7874352c68078d12a239c384779710

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7f8652953d1cf5c1d3c797d24c9b6d5
SHA1 3b63a3fe8b4063d9953568aaedb05b249733a8d4
SHA256 d5158e2ad0f2e1d2478e4402e85f2d414be2fb13060a87f1ef28cdda7c179d4b
SHA512 c738280e79a261482937960e7a4d1d6c168a611a4b556eff78c4e21317e45b20651394674dcedfc3bed14c2b7fab80345c58e9de41a09026cf7b6933aac5fee2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f67acbda8342840bedddc71edc036367
SHA1 5151ee227971caae5f62d2aa29c2c65b2978eca5
SHA256 cabcece2a231bc3fbce4df43c5c6996f4cfdc5204b9fd0c889344b15d1e1a12d
SHA512 9e8ef32d2136470990e6a8c8d977d8f532518eaf7f8b40939242a56b8dcb16c5abb4e07608f59fffff4e2cc44eb5342e5438d31feb9213fc45a9f386fbacd899

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfd777566b9007f2dd417926df556d2e
SHA1 c2abbf3ce5793c01d5d57b7e9deea8aa1b4db3ea
SHA256 1eec20e9d2abd8a28dd48f82c63df3cd011131a8ac83a1c2d30dcfa7fdb155f9
SHA512 29d13fbeb454747784080702f904ad4d6a60f40784789ed83b83809e65d012884cad2c8d2e84b56653504d93a4e6d3e6c1821c4e6ca5a72f0f102931e497f4da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3cec35846638e638db043cf248135a7
SHA1 59d3bc82c70c5d7e278748e17cfb312df5bd622a
SHA256 83321b0115ec148eb8e2e7a4586bf14a89283fa11d0f77584a58916b0bd201d5
SHA512 e907563844ba9dcf695a6a749bfaaeaff092c33dda10c1a3af4216279a30449598bc80223ad83507ba011b8adb926542d38be04ec4eaf89b1df38d85b6998c8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f8105da145f5c33425b37d06ea7c1fd
SHA1 2cb6be0f1dda2287cd1e5ea680ff45321ce6079b
SHA256 ba552b75112016e88e0a1d91105ea0e2fc6d8548cf0568b4f89ca9835bba5638
SHA512 7d7583c786f449dd2a4bab9573a349b2fd5fc785a8658779866b49e214c414b18b3bfc6f92e6cc559102678fc9cd0f5c75570a2876b77ff35718ff262f1af3e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5758e03f571dc0c87679397394d2a9d2
SHA1 e5608ef5f1a3aeaa057ab0252fce89f661e7d69d
SHA256 e8825ee4005167a6e9e1f7c053413e92c56f6dff224139d0f6160a4291c7e827
SHA512 7389f4f0a0bbb591a7262d86fab2c4b033ca71caeb7793660ba49ebb77d6271a7540153c1d6b74825b3be2766eb3730b08145bc4bfec4b1f95827274e2756bcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28732bf8c9312547807dfc6efacadb1c
SHA1 b9e2c87ed3fc7f98371d6ebec8e023b84edb4fcf
SHA256 754ae7bd790739f484e2f2aaa8a22634670d76e20830100d5a5dc73f0cac0d79
SHA512 1e39a7a9c1534954feb748be5021c862a54d54c083701a368e84da9213dfe8a17a0af71d8c7a3e31b8957bac8f50d506f877e06832e1be6ccc130aee564debab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b523d3ff1f588a3bf64a6e745562475d
SHA1 6e458fe333c8f167bafcae8d43b2a5e3fb321f61
SHA256 3748b38a03136e3d6f518522e42f0cfc981b2b51536ee56726bd41d80e1d33f5
SHA512 0b0d2fa64f59b9d3d5b746769a118ad273a7d008bbd383fafdc09ab22b2594bf831023e813c1e66798d98ef1fc9e7482c1f0c9be3d638f1f242c8bb251328d47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97cc69b7f6e460c6c3b7faf5fed96623
SHA1 a0b7f9a16c7ece3be7e74c3e55e247fc7620e9eb
SHA256 859759287ca93b59a97f3cfa432196fcd31e9ac018e2274cfb78908d047a74c5
SHA512 fe2eb609548f42f1cc4a5a8b2d08e9806dbd32b2c1f6e2f7cbd55e7b3e74faa0a6d6036e5de21129aa32ab3fb2e0f1e9d1f4fc246b4d1239711df5c3b5353905

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42cdd7344e1a4d04d9fb75903c94a372
SHA1 57ea4b26885422ba6f1ae286d320dc8cee705932
SHA256 c8408bb5faabd31d606191dd1664d2e4451ce67440811557f2b5cc9a267d64a0
SHA512 a1abe636ea5cc832ffdb0a3bd00edff1a105e476f2f4f34cfb668e0f29882d40dd22a042251cdcaaa95e4711a26a1029a23f4ffaad4fd26c301a782177e79199

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3f6f75418fb7ce0beaf59b5c499bd32
SHA1 d417daabfc2e8e680b9eeef9a0568e7c21b34997
SHA256 3aaf76ef7a144f6d10fa3d2fc88db446a0f5e74336a2bafa84e062ca08eb09e5
SHA512 8d41ff26782648a16625221eb834aad3ea1c461b3f36c40b2d31429e21ce0ff2cbf13468c1a62baa8b2112f83f0b3c3ad443e53377807155ed9d41e7433cefb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac553586f84efbfc6cb2a156ab443585
SHA1 9d7cfd409d3ed0ec21178d6e79e11ce8e10f7e56
SHA256 39100669cab90e881b28f3dbcb58c7efa902abc309b06ec6f2bbfdc8d3ffd8d2
SHA512 0a7459968bb42186f45abb64658b154698d28c3d03f5e6243f691f49f89d427ff8dd1a45149acaaec491b7b0e57c27cbe580663640ba9379816b2037fbe4ab2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 624125cc46cc1fa06c90338f5c3a7eac
SHA1 bf3873d460a2b722a3bc767632466c4510b828b4
SHA256 84ca191b805829e00952f92ba911a52a72c73f999144abdf0690629c5d73aa13
SHA512 a219e72d379cf42aac6feb4cb68fab864d61e9831c7cc7ad49f293774a47b4d88a4d61963f682c60522c300ced47140e72df94723824b4ef574046f95fcd11a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cd9f0b129cc366bc10272029e49679b
SHA1 6e2518626192dfd0911d79ad4d1ad57a6db3894b
SHA256 a332f437c73642ae32355cfebc5b9ffbcbb35dd69a73d5bdc63680b467bb340b
SHA512 f790f8c954b4a300a74c4c361b41df841224fde99dfc9d388fb3278fb19ced49057b0b5b1b6852ad9fd50eed8ac8f69ba63507c5ec906de5271f3e7f303dfe13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d42cb1a709ebba6c96ad961e025b9173
SHA1 9edee664251b9ee70fa0a2140fea840c0cf479b9
SHA256 9bae565eb05b432f13224522054871db2afe7df0aea1d3800f20a71baeced615
SHA512 65122d179a640f870e57ef9baded370590084ac895d200ad100797095b985219b2e86715a8c6b986f050e295a28b3fbb013fc9b46b86caa496f1a6301841b9b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa28f711b9954216aab391933f2e9de8
SHA1 0b733e2f98a48328f86eb867d690d002c4e386a9
SHA256 664a9251249cab2c066be18f4aabd1bc8f4514208b953ae2baac0247acf77b14
SHA512 d30c87321721e5d75d0997bea729c22809984521b907647aebc2159381d59ad482d7bfec81e54b3c868cd578a92128fdc87291c432138c42a9beb1b61ba8c27f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9d4abcfc858ca7003765c0edd1fad44
SHA1 34c9856220dc6b40bc190a45c72a9f13db21ea70
SHA256 b9bd33383c274e255490b85bd544a5a0e52b267801079e61bcfc3e5cd4e2a110
SHA512 aa2fa1dfdf2fd666e84c40e8025827ad2d138b29c34a9ca327eb8ccdde1eaf4afb7d5bdee7ac90776528a7df73e3e7a7de7d98b7fa1591322a2ceba1f2c4b948

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d974813178e54a4c8f8330650b31a3a
SHA1 c715906aefdd455cc479535e850d187e619bfb1a
SHA256 11462fb27c8023d7602186b0fa56a15ffb3007571c3d9b96a5c4f9d3efaad04a
SHA512 1ae57885a6641173086dd366e4667a1d83fb8857fc65836ce96dd2e8401419886e6420846356290a7f0d0647bed307e7ea5e1daaa8cd73e97c42d208e8f6d356

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d11a77ac06eec01e48623dc5b8aced54
SHA1 e8a533ad8caf9aa0ba8df3d14232464553fd9227
SHA256 4d0a724761079484d07e2f4f9fb2a7e7bac89d05f9a44e8f1a292ceddb5e7ca4
SHA512 5c73d133e14a496a39188f76c7271576744af3b83b246b1630f9ad75f18e881e552decc9a1bac07c272e59fefaaee982ba29bcbfd71e4d6e84ec586b4994e07a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31e232c791125b320c35537531f85f0e
SHA1 d9226b862600d9ebe4296a0b54bdc1fdab76a6e3
SHA256 ff87b756ea74d6c4686baa203424b53c672e662d788d3722388522acf6d44344
SHA512 3d92cae7ff0d10d2f969a94bbb29cb59caca5809bafa3c4d68b4a7f9daf9da7ddf5b00cc650371dc9b9c11590c2de788aa930f69b1028e17d31e3e7e4028a932

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13002bd7cf8559468ada9e7b1ee08639
SHA1 1c0bad8b6189e35d7624415922fc258e373487a1
SHA256 0fdad0f2edb109c3a6d7db8ed9cf843c74f95da23a5203e75bbd82b53c9feb45
SHA512 54238233e82ed3d4b2b70f42c4c899fc97504864c019b167d782cb41a95f82948174c119d690586b7b2ca31635c31ddf31d56753f558d01d2ae04118ee8d91a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f87dd6c8c8d7ce90780278f18bf970b
SHA1 a118971dcf4ff3b78f0f59a52db157d80f032925
SHA256 11e9ae710d8c9c2b324fe0e4427e0f13388897a4a19c1c3e237fdc85c53c4e54
SHA512 9996d141bb3ece3f41f23ffd8fed09ab0b06e65710c1dc84466ba9133d9b434cbe76ae6961b173ef451e22aec20e0e5246900c6401b82538ee9e0f0f6d960b86

Analysis: behavioral10

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

win7-20231023-en

Max time kernel

135s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\scanning.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca4100000000020000000000106600000001000020000000bce5eea2c19622f4e3a871fc7fba5ed62b3f3ee62f72c080c6e2d2906d5e6e7b000000000e8000000002000020000000cb18c23d433e92da041bca3ada00fb4ab30f380dd73a8056d67805b986004442200000008412623755b001c21d9c6412aa4096ef977607076eeddfd7a1c90c2db86f25964000000044cf94a537ee84f0984b9412fa4297705de8c269c9b235041d2144b6279a4a9b82058800ba0c2d9c4e0daf7993a5f3fc9d147b4a53334777eb691107d3e9667e | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04b6ae2331bda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D934E41-8727-11EE-A0F8-56AB2964BB14} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593097" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca41000000000200000000001066000000010000200000005af9ce17d6e64bba7ad437b6b9db892cc2079e3302f966e902b76e26a2ab4ae5000000000e8000000002000020000000f3790654bc75b558352b32f058510573de990fa4cc77708a3746f8ce18afafc690000000f60cdafb1062b4132db36c42f42b27c202b6b719c6788f1a25bcf41a3de9d09a384d231e9df244abe38e73076a73f1cf79299dc1aeb3e2c57d87d217f4afeef8cf72d6301aad9c3d3b1d3f0e5b47c803e10ac4b6f8239c44a023e20ee82d1baac5e1d2e2d7721516cd834304ada7b5590a1b80f4f1ac68e8f13cc6ccaa8628629b8877ca3c8632755f4714ae3b8bb11940000000d2d824f6ee0b0cbe1f5df7878cddef90c464ae23bb2cc976ea1526bc4adf2ad3c0d0d5351b59e1cdc5ba3201cba6ff0e0c868f011a6c9c00257d56567bfc7cd6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
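Both IE detonations in this report (sharing.html above with SID S-1-5-21-2952504676-3105837840-1406404655-1000, scanning.html here with SID S-1-5-21-2085049433-1067986815-1244098655-1000) write only beneath the detonating user's own HKU\<SID>\Software\Microsoft\Internet Explorer subtree, and every row is IE housekeeping (NTPFirstRun, Recovery\PendingRecovery, Window_Placement, "WS not running"); nothing sets a start page, a search scope, a zone or proxy value, or anything outside that subtree. The "adware spyware" tag on the "Modifies Internet Explorer settings" signature is a generic one and should be read against that. The following Python is an added example written for this page, not sandbox output and not code from the report: it parses the flattened "Description Indicator Process Target" rows, flags any write that leaves the user's IE subtree, and decodes the two binary values that look opaque in the table (Window_Placement is a WINDOWPLACEMENT struct, LastProcessed is a FILETIME) and recognises the DPAPI header on DecayDateQueue and MFV. The rows embedded in it are copied from the two tables above (only the first 24 bytes of the DecayDateQueue value are carried); the single Run-key row is a constructed negative case so the filter can be seen firing, and is not from the report.

```python
"""Triage helper for the 'Modifies Internet Explorer settings' tables above.

Added example for this page (not sandbox output, not the report's code).
Parses the flattened 'Description Indicator Process Target' rows, flags
any write outside the user's IE subtree, and decodes the binary values.
"""
import re
import struct
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone

# Rows copied verbatim from the two registry tables in this report.
REPORT_ROWS = [
    r'Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06f7ee2331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A',
]

# CONSTRUCTED, not from the report: the shape a persistence write would have.
CONSTRUCTED_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Roaming\svc.exe"'
    r' C:\Program Files\Internet Explorer\iexplore.exe N/A'
)

# First 24 bytes of the DecayDateQueue value in the first table (rest omitted).
DECAY_DATE_QUEUE_HEAD = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000"

# op, key, optional '= value', process image, target.  Key and value are
# matched non-greedily because both contain spaces; the process path may not
# contain a quote, so a quoted value containing 'C:\' cannot be mistaken for it.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:int|str|data)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = (?P<value>.+?))?'
    r' (?P<process>[A-Z]:\\[^"]+?) (?P<target>\S+)$'
)
# Writes inside the detonating user's own IE subtree.
IE_HIVE_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\Software\\Microsoft\\Internet Explorer\\'
)


def triage(rows):
    """Parse rows; return (all parsed rows, rows that leave the IE subtree)."""
    parsed, out_of_scope = [], []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed row: {row!r}")
        rec = m.groupdict()
        hive = IE_HIVE_RE.match(rec["key"])
        rec["sid"] = hive.group("sid") if hive else None
        rec["image"] = rec["process"].rsplit("\\", 1)[-1].lower()
        parsed.append(rec)
        if hive is None:
            out_of_scope.append(rec)
    return parsed, out_of_scope


def summarize(rows):
    """One-screen view: which VMs (SIDs), which images wrote, and any escapes."""
    parsed, out_of_scope = triage(rows)
    return {
        "rows": len(parsed),
        "sids": {r["sid"] for r in parsed if r["sid"]},
        "images": {r["image"] for r in parsed},
        "ops": dict(Counter(r["op"] for r in parsed)),
        "out_of_scope": [r["key"] for r in out_of_scope],
    }


def value_of(parsed, key_suffix):
    """Return the value written to the first key ending in key_suffix."""
    for rec in parsed:
        if rec["key"].endswith(key_suffix) and rec["value"]:
            return rec["value"]
    raise KeyError(key_suffix)


SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED"}


def decode_window_placement(hex_blob):
    """WINDOWPLACEMENT, 44 bytes LE: UINT length, flags, showCmd;
    POINT ptMinPosition, ptMaxPosition; RECT rcNormalPosition."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 44:
        raise ValueError(f"expected 44 bytes, got {len(raw)}")
    length, flags, show_cmd, minx, miny, maxx, maxy, l, t, r, b = struct.unpack("<3I8i", raw)
    if length != 44:
        raise ValueError(f"length field {length} is not sizeof(WINDOWPLACEMENT)")
    return {"flags": flags, "show_cmd": SHOW_CMD.get(show_cmd, show_cmd),
            "min_pos": (minx, miny), "max_pos": (maxx, maxy), "normal_rect": (l, t, r, b)}


WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(hex_le):
    """REG_BINARY FILETIME: 64-bit LE count of 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_le))
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


# DPAPI blobs start with a version dword of 1 and the DPAPI provider GUID.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le


def is_dpapi_blob(hex_blob):
    """True if the value is a CryptProtectData blob (decryptable only with the user's master key)."""
    raw = bytes.fromhex(hex_blob)
    return len(raw) >= 20 and raw[:4] == b"\x01\x00\x00\x00" and raw[4:20] == DPAPI_PROVIDER


if __name__ == "__main__":
    print(summarize(REPORT_ROWS))
    print("with constructed Run row:", summarize(REPORT_ROWS + [CONSTRUCTED_ROW])["out_of_scope"])
    parsed, _ = triage(REPORT_ROWS)
    print("Window_Placement:", decode_window_placement(value_of(parsed, "\\Main\\Window_Placement")))
    print("LastProcessed:", decode_filetime(value_of(parsed, "\\NewTabPage\\LastProcessed")).isoformat())
    print("DecayDateQueue is DPAPI:", is_dpapi_blob(DECAY_DATE_QUEUE_HEAD))
```

On the rows as embedded, the filter returns no out-of-scope writes, both SIDs, and iexplore.exe as the only writing image; the constructed Run row is the only thing it flags. Window_Placement decodes to flags 2, SW_SHOWMAXIMIZED, normal rectangle (36, 36, 1194, 649), and LastProcessed to 2023-11-19 22:01:01 UTC, inside the 22:00 submitted / 22:03 reported window of both runs. DecayDateQueue and MFV carry the DPAPI header and are left alone. Where the sandbox offers a structured export, prefer it over scraping the text table.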

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\scanning.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA8EE.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarA940.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 473fba9c6a73b373df841a1d969bfb4b
SHA1 bfb8a2ac9f6e928cd6379f414b260e53c54c53cc
SHA256 173821e6c9c0990562939e6a69349521a422236feae026d5e6beff0a4da1b4d3
SHA512 fd8c51f735e98b4aa96345afb8a5a11a9dc1ed48bc6778e9247dad3db1d412d00530a775b69cb20ad8b65d0535a92d14fa2fedc813ed81c592d4cd1e02e525e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2651fa8245de8c2d2c400415499c219
SHA1 f3a7a316cc1f0e62160027d89bd2340bf7f16434
SHA256 ed4e4ac5660627c8bf6f2723f077bdc31646200e2d8e2b0e2f8f2d978dd02988
SHA512 d7bbd20f6f42b9c2ef00b125003a0e865999697980edcab73af4acad0d632f44f8bde4a902bc97a463bbb84e5932c5156fa5ebbca63df99d8456a834f8bc39ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a29032e62eb60e22d42b68f82d4fd2b
SHA1 90fef32fa84f956d118dc1f279ade707969d63b2
SHA256 cf33971fe1c7360b78f7070b91377dfe9f1f5f61b29b79693288b33736f05550
SHA512 6ea766151bc61d4eb6d7fd1be89de7226535837472dc404e865656d99d22500009b43dc168b7c9dbff182ff57b70b3e8d8cc9db08b17c416e31d5ade06ad5fcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90f0301eb622562d587bbf2ed3daa7f8
SHA1 01a63cd727a2ac28b168455e8dbe7d8d54e683f5
SHA256 3b96a3ed85faad4ce1c372bda040fb544f27f15bca7277b6ddad88e7f77e76d9
SHA512 6843d440fb30a39ee20aebf06ecca74c1d2fdbc8afe899999d7a514591210f44ed06f0f65ed276b624f13b5bf7ee54a87d5dcd741de4a6e9b63268369717abc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 977cb4c11f929c92e53e13ed6715819f
SHA1 7ecbe0e31a9e4122ba99c65366e6bc525a0f3f85
SHA256 75ef3b8fc2cd7c0288861257f35fae71a5e0fa1d19b1aeb2fed74a183e6773f4
SHA512 94070f6654b06b7cd591ea1a9e05cc93707321797fc35a9327f4c0cb88b320121424d10d4ff840e6cd9015d6a4b29f49d7baa419c9709828b09525614bc02bec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8a69bcee97b75121197e7694ed3707c
SHA1 678c50e1e7c85cfb622395562ead4899a239f780
SHA256 d2d4f81c6bc8726c818e2f2b12d721c53edb4ebc3641d3fbd4e3f4adc9be28f3
SHA512 7318cc60c8d04957a5e51beb16a62b5dc88dafe844b821db5fe19a979821775a5cfdd117b0ceb0fdbc143e850f61682759f4d816b0397898e2da9ca87f44dfb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a5fa30052bafe12a2757f909702aa8e
SHA1 92906c78c019aedf21eb6d1adeb28b726622f85c
SHA256 8c5f35ef023f32e3a1959fd03069bc2e2be37b33e19ba6d0833c173c5d37747e
SHA512 5e0634237af808a346f1c81e20becfe6d30091c2bb28c381268bbff242bb2904a043389fc9ea9bfee3d2226596abc4b5563e54a8f21244fe12501abbc81617fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45ce729fe9fcaca52ed241baadcc1dd6
SHA1 7e7c31453f1f2b7a03cb9da8a1151b65d6a286ab
SHA256 d8bce04769a5848bac2316daefb9a1d29d8244c24a400f99b3c9af2d625f7d65
SHA512 f70402f812134d8f8a48a0353fb2461008ccc08c2aecd8ecd5e3345c2d6fdba402387410df4097b3f8cde1bdc0613bbcecc303a600b18550f21e31a55ca43752

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d59533eda88c741b273ec5e28a32444
SHA1 82988b03d6232fd1376dee60d04ad0fb8868af28
SHA256 99019523f64e7eaf3a740a9cce358a97c4eeac2343796f894bc2e0c0bfb9abfa
SHA512 526a932c1af82e3657bda8c68ce74af269fa54bb35efa789285a2137bdf0b8bbf6803a47e349183b5fdc0eee13c5820356c7134e65964650d529bf6b976b5b20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88d1159618fc546023465e52bc28a8a7
SHA1 a8c75ed76ae5b9e0263f3bea075fb3c0a7bf8d73
SHA256 297ab26c6d743b9dddc27d98a75be8725199f4581cb4859060bce527c919f83b
SHA512 d76644ef5566218bb75675d395f30b8a7946ce54f09c85c47a47dd7ce16bc9c3dc47abb904b8ab49f7c156a697ef3189ccebe1133f5d3068ecfdf9f25cd1313b

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

android-x86-arm-20231023-en

Max time kernel

3919289s

Max time network

150s

Command Line

magic.disagree.often

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

magic.disagree.often

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/magic.disagree.often/app_DynamicOptDex/oat/x86/BN.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.208.106:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.97.0:443 jsonplaceholder.typicode.com tcp
NL 216.58.214.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
DE 194.163.161.72:80 194.163.161.72 tcp
GB 216.58.208.106:443 infinitedata-pa.googleapis.com tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp

Files

/data/data/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 ff0f495f931ba5f212613f80e7f410b1
SHA1 ada2d98ec059148e957f86307f7e5952223d996a
SHA256 55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48
SHA512 738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71

/data/data/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 8ab798666cef9aba8d3b3fe22c2cc4fb
SHA1 215a4641fff65b4711b91f92dc9a42d34103a617
SHA256 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333
SHA512 b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 8ab798666cef9aba8d3b3fe22c2cc4fb
SHA1 215a4641fff65b4711b91f92dc9a42d34103a617
SHA256 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333
SHA512 b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 5ab478c7eed9bef922ddbff57f4da9d9
SHA1 befe1483c3e99714a949013c8dc4b8c953daa62f
SHA256 1cb2f9a55804b613e0b4f9bfa49c0e9027d3399bb828a90448a5059fc33a94b3
SHA512 c40a550fcebb48bd94fa62d35c0a0fb116dd6f8748141e6859c214f774eeb532655fc76ae6a77259434a89d6904206ba241f6dbf3f40fe33f605a952cc12f65c

/data/data/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof

MD5 a5b847c8a7a72b9cb0ef4e2843267704
SHA1 7745705dc71a2b91e4edc269678996b62d6d6dc4
SHA256 b019d587466a6c0bb87a1cfa3a5b5f76e42da78c2ed4b40e4319255e5d4537d5
SHA512 d4b1a446a88b9adcefc5195772649a2c593b8b83463558bc802bc67802dc2c7fb9be7f0d667fcb95c342cba24d9edbf4181f03a17d22425cf64b3f77e41724e6

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

android-x64-arm64-20231023-en

Max time kernel

3919295s

Max time network

161s

Command Line

magic.disagree.often

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

magic.disagree.often

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
NL 142.251.39.98:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.208.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.96.0:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 194.163.161.72:80 194.163.161.72 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
DE 194.163.161.72:80 194.163.161.72 tcp
NL 142.251.36.42:80 play.googleapis.com tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 194.163.161.72:80 194.163.161.72 tcp
GB 216.58.208.110:443 android.apis.google.com tcp

Files

/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 ff0f495f931ba5f212613f80e7f410b1
SHA1 ada2d98ec059148e957f86307f7e5952223d996a
SHA256 55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48
SHA512 738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71

/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 8ab798666cef9aba8d3b3fe22c2cc4fb
SHA1 215a4641fff65b4711b91f92dc9a42d34103a617
SHA256 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333
SHA512 b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

/data/user/0/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof

MD5 30536a6840dccd237df127c52c7966e0
SHA1 169234009b626455efbbdaa3ce8ab4c9677d4f5a
SHA256 3d9781f1efee3584a1109b55470440b4f40e35973b33da46bf9c886048d10117
SHA512 9ec305f7bc65aeff50a110b049ada00876612cf58b0e30ee5bd546fbd14fdcfd7a1d5d19140636a1ca58cbf60e9183896fc11010c95f8aefda4bad5386effd8d

Analysis: behavioral11

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\scanning.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0F3BC8E4-8727-11EE-B196-4AC2F9E44820} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3848327966" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03962e6331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3820826154" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd00000000020000000000106600000001000020000000b0daaf90e8d99dd6e7923633c0fefa5079882f144107367a2daf7869b4b5c2ff000000000e800000000200002000000002aa738f9c2671d046d88d1992966d484de59476cc1f2fe75963fe2d4524ea9620000000c0cf427a5dbfd8d524b8d09d13c69c3907f5cc3182d475b60419626e1ef9322c40000000f1f5ae66716e63a8e4328bde6effeef4626b5415e36bb110a4f47dd24f6214a4a8ff93751982b90d6e146ce036b4b7d7faa41d266832d9a409d4642de8ee76fe C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0c380f3628804cb3442a54a74494fd000000000200000000001066000000010000200000001837d92a10e29cefd6358e23e0873a097f1d185aa3e917f97c029eae4e06c54e000000000e800000000200002000000007e9b28c3022db0abdec213509d236e0a4932ad11422a5de8025ef5be07526bc20000000fceaf573ec32794e7c7b5c998e870d0c526c365a093f51e1561d4911a49a933a40000000ef0cacbe3197324fc999ffdca0acf158c6a823ecc6bdbc64914d421619cf25f6cd246ff8fbce4a22c095373eef3b88bbd928156191a26db08abf71d48d56aad1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3820826154" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000eebe5331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196209" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\scanning.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 67.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

android-x64-20231023.1-en

Max time kernel

3919223s

Max time network

164s

Command Line

magic.disagree.often

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A
N/A /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json N/A N/A

Processes

magic.disagree.often

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
NL 142.251.36.46:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.97.0:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
NL 142.251.36.46:443 android.apis.google.com tcp
DE 194.163.161.72:80 194.163.161.72 tcp
NL 142.251.36.34:443 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
NL 216.58.214.14:443 tcp
NL 142.250.27.188:5228 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
DE 172.217.23.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
DE 172.217.23.202:443 mdh-pa.googleapis.com tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
DE 194.163.161.72:80 194.163.161.72 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 194.163.161.72:80 194.163.161.72 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp

Files

/data/data/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 ff0f495f931ba5f212613f80e7f410b1
SHA1 ada2d98ec059148e957f86307f7e5952223d996a
SHA256 55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48
SHA512 738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71

/data/data/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 8ab798666cef9aba8d3b3fe22c2cc4fb
SHA1 215a4641fff65b4711b91f92dc9a42d34103a617
SHA256 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333
SHA512 b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

MD5 8ab798666cef9aba8d3b3fe22c2cc4fb
SHA1 215a4641fff65b4711b91f92dc9a42d34103a617
SHA256 72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333
SHA512 b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

/data/data/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof

MD5 d37d5def4dc95ef901709f1a2fe9fe00
SHA1 428f282a6720b1a6b821b3413b7487d23e115f68
SHA256 c1654ca28324e52920c822e9066bdf00175026d59fb8ffd5e1072f06dbe5fda3
SHA512 8210f1142922f3ca5c49a634c6705d3386071e700343f810396f5a3d20f7b3ce33456a42e620da428255ad727419012eff7f810a7ef56f325c4234244f5a41e5

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

win10v2004-20231020-en

Max time kernel

136s

Max time network

148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about1d.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c470000000002000000000010660000000100002000000055d7a4276745d29753b9fcb36810cc6080b8e3503612613b04df604b2a8e9c3b000000000e800000000200002000000019859ff0a8aba00aced170309ba0f8c1fb4ae9fab5d821d3bffd4ba6570b79a4200000005176000cc99ba78909ecf7172196b87b0cdd8cf340e02d360d192a25228041414000000059ce6f9d5c593b5eeb8e216b9254abfc34c4586d2e8ac007a1c4c309a6fc57379f4917ee4c063b46abdd6ab9a72d8c5929f934ccddfb16aaf81777b469625a17 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 6367109fb103da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000cea5e8935a07202db0424c58d0c3d7325bf17788bec69530b5111a165d830be9000000000e800000000200002000000010ff73cdce1e621c7b5f685c837186733ef936db36e3fdbbc28e8fc31c54c78910000000a482774ffa20323fcc3bddb5c95c40e740000000b32cc999881779bd21d0cf04a45b11e9f8362b44c3f59006a6ff05bf1edcc3db336c3f44085a5fd466ef685ded0367cdb45773610cb9ae942c65bcc8e1ac4184 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d8cfeb331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3800183346" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3823619336" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 6367109fb103da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3800183346" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000cf6844e7b42f402b362e80c135463dcd0eac3f7d6d59722b7076c8267df1c701000000000e8000000002000020000000013d8886905de4491d6a91e5bb82fb8c0941093d8bfebc382990ea27d94fc57c100000000524cb625f4c5a354cc143ff25a57d2c40000000d7b64b3770875d93e98cba8bb50eb57984a803e0a0dc0c0dbba58c5cf306b076165a5a6232be89a6c0d4acc43510a2e8b80b7742701cfeb911ca151f93270ce4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d1eeeb331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4cc62da77d25b48a952cb775bb65c4700000000020000000000106600000001000020000000577d289182ceea7f428ebe73d1371ec4053f7e9220294f141e25d9f6c484dca1000000000e8000000002000020000000cab6a41c93ebac388b36449f745eeac20e48a16d070b1d39a79b56df857abc212000000004a414a1b39ea05e8e2a9ba8c5c220b6c6079f092042e8774dd5806d3ba452ae400000007a0ea28d54d77a272f842b6294d1651e8979960fc65ba2a79f5d3082f50be4a74ea522ab3360c4a3275d5cbfb66d9b52a7b919ce6ba39433583b286adde91fd4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196206" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0DF9A0FD-8727-11EE-91E2-76B95CB0B7C7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about1d.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Temp\Kno1BC0.tmp

MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7bc1352ddba5108aad2ba4f8dc7fd138
SHA1 115f349b60dbda0a5be6546362a4561755ee66ec
SHA256 5880434d7a59152766862a06d0a20ef7a07c983bea04471bfc43f56ec530ec12
SHA512 0ec0c8fdf933fff74ad0f549bf0bc8aa42d5dfb160fda7169a09db7eb35e68890c2ce90a9f9c143f19f9d832f7c19794602a83ae706ba122c39604d89e7eb113

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 881b552f9d4b4c0e9198247690bbcdfb
SHA1 89b2a8fdd8c755b116d08e18eea16d843154fc1e
SHA256 e7759be3da825e3aa3eabf098b272337dc9805751a944102a32936b181617a62
SHA512 ef9d7bfc8c962ba1711fc964a0e3737e3d265bc2d507bf4594b72ef21a8755f6dcc5a52bf584e55348ae040609108bfd2b1f6d328e1cff7913a4a14f4bcd06c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-19 22:00

Reported

2023-11-19 22:03

Platform

win7-20231023-en

Max time kernel

134s

Max time network

155s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F86F081-8727-11EE-BB7B-5AAA8EBA5435} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd6692000000000200000000001066000000010000200000006eb5f4435c48a7c2bd5f92f30c328dc2da2a8ce3abcf33a485fac57dcd569c20000000000e8000000002000020000000c9c8ccb7e5925677aa3d2756f1d0dc5e2672a6d5bdcbfb0273d315cc5a949fb2200000005a69aaa9c14ef2fa65bca3132eaf8de6e5363940f7891160ab6671e481181c3240000000b0d0847934cad4de588c362de5f21b6ab3a45de4af86d40c53030b88e8c03a4003ccd033b59fffef37b93d3a4155c73a20bcc93a87ae55439a1a73cc8a5a0e43 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593100" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302645e4331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6A3B.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar6AAB.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e67f7390a25a9c4056961e26268106d
SHA1 f2d3af8c4e82c959234e7132fe32b7de9a8c5c38
SHA256 ed5bd4c536738349fb6f963444d64ceb38f32c90c506ec69ed27dd40c54782de
SHA512 b39db0c886644c00641f75108e5e77bab8549f45534f7569ec2f9b06390876001d80341cc2fe99f53986d108225f77334ba87a4b2b8f8266f18872e3d74b427a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 838d35029d861426aab3f717c8dab19e
SHA1 9948fc64a4133a6bb0ac5a093091d05bc344f720
SHA256 5023b7e8d5922512632446e1499ba14a4b6765aaec608a97d467072160db9ca0
SHA512 cd7b13dfba4da60b15d29ff91ea47b1c8fab0cdd1f6e33098c4f912fc9a65b6fe503b91296de4857a94cd0835e2229c66a903eb7249bb5f6c1a42d1f1e5d9016

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9ff01c4b803be6330fd1566948368f3
SHA1 3e6e9bcba79a0442ed9d205fa057c921ac31c9fa
SHA256 275bbe16cc3d0b6c0e630adf9a078badc225038b86bb2881e2d2a50a954b868d
SHA512 cb84cdbec822588c2f69172c26cc639db1e24d93fcafd883cdaa317a1c6c668992ed5bbec79850cdbb6ec886282ac57e9ead961f24e4ea3c11cff095685cb5c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a522d807202411ea4f3f3d5d771f6af
SHA1 c5a2aae5d0ae2406d993560dcbfef734eb3fced9
SHA256 7fa0db4f1abfab99ee19d3202650707cd459500fb51e8e49355a11935b36a6fe
SHA512 e1cf1fde9c6650f1428f4eac997c260153e9f4d275c96cdf709f20e13cc5d16fdd4653d1f8e9866d8e0dc07f94d9780f984fc6b54fb1046b713463f035cc7d41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bce38a26de8bd3007a2919941b9f7e26
SHA1 9a430dc826503b1b6e0e53a68eeb1dd49b8cb8f2
SHA256 fff2e4ecc11906adc22179d2a1d35e73cbb689a726fdf7868ede366f854d8efc
SHA512 0df8ee628f545f27c117feadfdbc92383555eb8c9694eccf2cfe0849e45ce4044c2bb766e86b2b495655a10a01de72290058d0ceb35350bc4d4749a55305e935

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 accf7c45ec93598ca7fecd552cb6cd9c
SHA1 1ca0545e02f97c86fb1c12421ba4bb0aa399f69f
SHA256 88a6bc0eb08c633acd5821c439d334bd6f446f1e03f9f2318a663371d04270e2
SHA512 63c1b22ae30d2563036150ecb934622f25aca33a8e03553f91061ce815b5146220bfe3bb0b31ace33c2ed0b41cecfb39749c4664cdc8eebd497b7b130803dac6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24ef1f669893ca6a706a1426bca28ce6
SHA1 28b4948719a9322f96399ec51fa3f5436ff4d0da
SHA256 a07a55d516a2c3b9a516e06cb3492bdc8dc98dcb382b5c5753f4b9efd6527508
SHA512 db8957c3b8bc2d2750b5f8f6e1edd0f7d4b6f96dee58619e1e49aed8b7558ec1088302d561705572f35d0a40a47ecec5130937befa390f822453e6c75d8035e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b76d6993fb208be2e3ec96d1274214c
SHA1 081b95cc265e7c7fa83a8d4e8889ec7b85bb9dd8
SHA256 14517509702903272bf196f34506271c852e6f789dffb553f3e3d4e392e422bc
SHA512 3c9185f9e50539c694b4a7a7ddb7c7c546eb4af35ad2f51ff206bfba1b8be74f14d98a1b77149ad4f7844b75ba20112d807e831ae5dbc291853923fef1883ea5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9867942227c1eefdb801cd5fcebe3ca
SHA1 152565896343131102e037659ca79061d22c7262
SHA256 8cc4738cdf32cabf23f82abe22303885cb2f3639840d4538d811119fced3350c
SHA512 20484ec0f63731c214c50db1f13e8df35c06727466430aa30cd1320376cb3e5dce4ffc7e9cbe71d66efb9f9ca8524c3196b3136030ff7ca85439862e9fd318fa

Analysis: behavioral7

Detonation Overview

Submitted: 2023-11-19 22:00
Reported: 2023-11-19 22:03
Platform: win10v2004-20231020-en
Max time kernel: 135s
Max time network: 151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3814943924" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07da5e9331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3838850362" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196211" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3814943924" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb910000000002000000000010660000000100002000000039c29be0711cde47cc11295125176e957708cf814fce43833bd38b46447229f8000000000e8000000002000020000000984c15ad54a8f217de212f10ff2753101d1a195f1f6d67f12fe8096df7638ce220000000426ed437540f0b0279143fcde093a8f950f9cccdf292a883922723ab3539fa92400000009dbaef43531b7ec1d9ce3c663ae71eebc2a889f8106a248f835f59659cfbd8d0f7b28a356a1cb3e308a4fa68aeb5a4837bfc41647854aad2eb1324db09974490 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb9100000000020000000000106600000001000020000000c6083c907d78b01366d9d6d1ea9e10491c2a39b899da1d413a79c532994d0b6f000000000e8000000002000020000000a75f19e3c1f4d766f55e0645098f45ab5f7252aae77f757bc76aaac214e7d11d20000000da5ed3e5f341b312cd60d74b3de2dc54629c44484f5dcac4e515e381ef2d694840000000b85d63121a4eced082abf4882ce48d9faf862445b7906b3bc8a7bcb98c60ae561be70fb4fde4559f4ab5fb446a980d0bbe2e87c87c558a54586fbc174061803b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bcbfe9331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0EF2B55D-8727-11EE-88E4-CE69B3638587} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about2d.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
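
The eleven udp rows to 8.8.8.8 are PTR queries, not contacted hosts: the queried name carries the address with its octets reversed (146.78.124.51.in-addr.arpa asks for the name of 51.124.78.146), so the only real connections in this run are the tcp rows to 204.79.197.200. The script below is an added example, not sandbox output; it parses rows in the report's Country/Destination/Domain/Proto layout, decodes the reverse names back to the addresses that were looked up, and counts the non-DNS connections per destination. The embedded rows are copied from the table above and the column layout is the only assumption made about the report format.

```python
"""Triage a sandbox Network table: PTR lookups versus real connections.

Added example, not part of the report. NETWORK_ROWS is copied from the
behavioral7 Network table in the report's "Country Destination Domain Proto" layout.
"""
import ipaddress
from collections import Counter

# Constructed input: the behavioral7 rows, verbatim.
NETWORK_ROWS = """\
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
"""


def parse_row(line):
    """Split one report row; the Destination column is ip:port."""
    country, destination, domain, proto = line.split()
    ip, _, port = destination.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_target(name):
    """Map d.c.b.a.in-addr.arpa back to a.b.c.d; None if the name is not a PTR query name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows_text):
    """Group rows into PTR lookups (decoded to the address that was queried),
    forward DNS queries, and non-DNS connections counted per (domain, ip, port, proto)."""
    ptr_lookups, forward_queries, connections = [], [], Counter()
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row["port"] == 53:
            target = ptr_target(row["domain"])
            if target:
                ptr_lookups.append(target)
            else:
                forward_queries.append(row["domain"])
        else:
            connections[(row["domain"], row["ip"], row["port"], row["proto"])] += 1
    return {"ptr_lookups": ptr_lookups, "forward_queries": forward_queries, "connections": connections}


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("addresses looked up in reverse:", ", ".join(summary["ptr_lookups"]))
    print("forward queries:", ", ".join(summary["forward_queries"]))
    for (domain, ip, port, proto), count in summary["connections"].most_common():
        print("%dx %s %s:%d %s" % (count, proto, ip, port, domain))
```

The decoded addresses are the ones to run through reputation and ownership checks; the report itself records no connection to them, only that their names were asked for.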

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral8

Detonation Overview

Submitted: 2023-11-19 22:00
Reported: 2023-11-19 22:03
Platform: win7-20231023-en
Max time kernel: 134s
Max time network: 153s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000000e825ddb08402c6636e625713d4dff620851f959fc641c48006dfe90596d113e000000000e8000000002000020000000e027c0537935fbe23d680988fb44beff98734cc896fccb79d2add0a2ad15793d90000000bea357a4b6c90b9d3eb747bef37661cbd173186bd89ebe1972aec927c4355cd3c3bff794e6a08de3e6d8f1cdce372b69863117d725f8735b1271d625c3e99a9d23dead348996addf6444164c360cbab51f71d980a3a1dadf7600058572f66d418d880dff05e42806edb23865c0b57364f97a140944fe47ae108ec25a6c56a00f5f10aacb844c3ea6d34cec434a59009940000000becaee87e2adca4d2db3b005c6896073a3efa64be567bf76fee5ad194e0fff1f52f743f139fd1822b8d1edbba72c19403f23444ced0955c341f42bac4c70dbeb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000ebab805e71bb797c651374d65e15a61bb5e5f1994ce92b17a4e6b02709eb10af000000000e8000000002000020000000fc76532c01b311a5ad78eba03075fe6a99e7deb79fa2fb1d1e08c410b12089b120000000936fddfe797852ba1fbc01bc1a789eb89545e02d46f2d1c98ef6f3f9bcb2563340000000e2586a21575e33e694b4a07cee3ab5b5f9ca640e26cd285e2861068fd3242c4145d202d99106bc3e023e1a048f5563fe6aed2a85b2c4fe3f06b5e4987a052f3b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406593119" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D4BECD1-8727-11EE-A268-46832863ABDE} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a7aee2331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
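
Every row in this table and in the behavioral7 table above is written by iexplore.exe under its own Software\Microsoft\Internet Explorer key while it opens a local HTML file, so the values are browser housekeeping rather than behaviour of the sample; they are still worth decoding to check that the writes fall inside the run's submitted/reported window. Three of them have a known binary layout: NewTabPage\LastProcessed is a little-endian 64-bit FILETIME; the VersionManager *HighDateTime and *LowDateTime REG_DWORD pairs are the two halves of one FILETIME; and DecayDateQueue and MFV both start with 01000000 d08c9ddf-0115-d111-8c7a-00c04fc297eb, which is a version-1 DPAPI (CryptProtectData) blob with the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb. The script below is an added example, not part of the sandbox report; the byte strings are copied from the rows of behavioral7 and behavioral8, and the DPAPI field order follows the documented CryptProtectData blob layout.

```python
"""Decode the Internet Explorer registry values the sandbox logged.

Added example, not part of the sandbox report. The inputs are copied from the
behavioral7 and behavioral8 signature rows.
"""
import uuid
from datetime import datetime, timedelta, timezone

# Constructed inputs, copied from the signature rows.
LAST_PROCESSED = {                            # NewTabPage\LastProcessed, REG_BINARY, 8 bytes
    "behavioral7": "f07da5e9331bda01",
    "behavioral8": "b0a7aee2331bda01",
}
LAST_CHECK_FOR_UPDATE = (31071027, 3814943924)  # behavioral7 VersionManager High/LowDateTime pair
DECAY_DATE_QUEUE = bytes.fromhex(              # behavioral7 NewTabPage\DecayDateQueue
    "01000000" "d08c9ddf0115d1118c7a00c04fc297eb"   # blob version, provider GUID
    "01000000" "c79fe21d651d6c4bb8d4cd4060a2fb91"   # master key version, master key GUID
    "00000000" "02000000" "0000"                    # flags, description length, description
    "10660000" "00010000"                           # crypt alg (CALG_AES_256), key bits
    "20000000" "39c29be0711cde47cc11295125176e957708cf814fce43833bd38b46447229f8"  # salt
    "00000000"                                      # HMAC key length (none)
    "0e800000" "00020000"                           # hash alg (CALG_SHA_512), hash bits
    "20000000" "984c15ad54a8f217de212f10ff2753101d1a195f1f6d67f12fe8096df7638ce2"  # HMAC2 key
    "20000000" "426ed437540f0b0279143fcde093a8f950f9cccdf292a883922723ab3539fa92"  # ciphertext
    "40000000" "9dbaef43531b7ec1d9ce3c663ae71eebc2a889f8106a248f835f59659cfbd8d0"  # signature
               "f7b28a356a1cb3e308a4fa68aeb5a4837bfc41647854aad2eb1324db09974490"
)

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ALG_NAMES = {0x6610: "CALG_AES_256", 0x800E: "CALG_SHA_512"}


def filetime_to_datetime(ticks):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_reg_binary(hex_value):
    """REG_BINARY timestamps such as LastProcessed hold one little-endian FILETIME."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    return filetime_to_datetime(int.from_bytes(raw, "little"))


def filetime_from_dword_pair(high, low):
    """VersionManager stores one FILETIME as two REG_DWORDs (*HighDateTime, *LowDateTime)."""
    return filetime_to_datetime((high << 32) | (low & 0xFFFFFFFF))


def parse_dpapi_blob(blob):
    """Walk a CryptProtectData output blob and return its header fields.

    Raises ValueError when the bytes are not a version-1 DPAPI blob, so the
    function doubles as a detector for arbitrary REG_BINARY values.
    """
    pos = 0

    def take(length):
        nonlocal pos
        if pos + length > len(blob):
            raise ValueError("truncated blob")
        chunk = blob[pos:pos + length]
        pos += length
        return chunk

    def u32():
        return int.from_bytes(take(4), "little")

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    master_key_version = u32()
    master_key = uuid.UUID(bytes_le=take(16))   # names the key file under %APPDATA%\Microsoft\Protect\<SID>\
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    crypt_alg, crypt_bits = u32(), u32()
    salt = take(u32())
    hmac_key = take(u32())
    hash_alg, hash_bits = u32(), u32()
    hmac2_key = take(u32())
    data = take(u32())
    sign = take(u32())
    if pos != len(blob):
        raise ValueError("%d trailing bytes" % (len(blob) - pos))
    return {
        "provider": str(provider), "master_key": str(master_key),
        "master_key_version": master_key_version, "flags": flags, "description": description,
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)), "crypt_bits": crypt_bits,
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)), "hash_bits": hash_bits,
        "salt_len": len(salt), "hmac_key_len": len(hmac_key), "hmac2_key_len": len(hmac2_key),
        "data_len": len(data), "sign_len": len(sign),
    }


def decode_run_timestamps():
    """Decode the logged timestamps; each should sit inside its run's submitted/reported window."""
    stamps = {name: filetime_from_reg_binary(h) for name, h in LAST_PROCESSED.items()}
    stamps["behavioral7 LastCheckForUpdate"] = filetime_from_dword_pair(*LAST_CHECK_FOR_UPDATE)
    return stamps


if __name__ == "__main__":
    for name, when in decode_run_timestamps().items():
        print("%-32s %s" % (name, when.isoformat(timespec="seconds")))
    for key, value in parse_dpapi_blob(DECAY_DATE_QUEUE).items():
        print("%-20s %s" % (key, value))
```

Both LastProcessed values and the VersionManager pair decode to 2023-11-19 22:01 UTC, between the 22:00 submission and the 22:03 report, which is the consistency check worth making on any sandbox registry artifact: a timestamp outside that window would point at a stale value or clock skew, not at activity from the run. The DPAPI header only names the master key GUID and algorithms (AES-256 with SHA-512 here); the plaintext stays bound to the sandbox user's master key and cannot be recovered from the report.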

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab51EA.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar520C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc0e0b2c6469ebfe3cb979f000da47e1
SHA1 9a5389dcb0bd8827e0f5d26b69ca2a8d605efb9b
SHA256 af72e66296b66131a819a743b74c0dfb1895e5fcb5d760b37fb4e9c1343b140b
SHA512 7afd1d51ed01aab7494182c5966a260c242f24f0b8426778959568cd46fa449f3b594dc994808d454685cddf726a65f6c8de307a3e29e44ee11fa5cb6aa626ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9c8a94e2667c07cf6bd4d14948762a9
SHA1 f068092a29a10eb0b8ffe20dd6a4c2d83e1e6011
SHA256 e7cfd6063c9eb08174383e22f31970b3843a8e4d47315b6378b9a6eee2f4b9a8
SHA512 f962ebf3289274f58674bf5058adc5e047550d981b62b1a7a1f700e5131d16b0caf6918b4126240cccb55742fdf0a2b17e9bce017a0ed9a46380e657ebe12592

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 525b1cea91cf8c5f57a9d0d5a8a71fc6
SHA1 65d2e895efcd21b6d137e74b8e33dedd6240b5ed
SHA256 697311f44f4f2d51e9da67bffae1647b63f581ef4066c4a31977d5988e0bee0c
SHA512 f3663249d3f7cee528cafe8e9d5b92189b4a3762c04236bfba1482c3e51034f72dfda57dcd09c58fb475982cca71a612879eea6dae3def3711e7dedcb8a1f4bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26db05a7791d4d93252afdd080375036
SHA1 5d01dc4c3d8e16d07d16730c15704dbae745489f
SHA256 30f60e65968db2427b77798da031b0ebf93a08930fd05a401dc0c6c5d844f6ba
SHA512 84270aa9c2777ca22193727e66c1932fe61714676ea95bfaa7b5000aa3338f7b5b5c35e5e11409a07c03b6511b3997b6286600200b8d3c2f737a2375c73f3025

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b489b8f282859efc022be8ed795c676a
SHA1 a2756aef39bf6512338a51b3b683447e0256d42f
SHA256 4f1e9a04072e5a6dbe9ef93f1f879b14dcbbf594e631fab35a6be4b8e18edaaf
SHA512 db35d9177b86486f4427c090f197985fb0073d8dedd7a046b386e02d4298297cae5da312a07fbdd292368961aa60f2cb7a630ea5b032a89eb26eaae75e5a58c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4416eb3d9bcdc8485d41682d2cd8882
SHA1 1ab206da55ea5a34e3ee6d243ef0bc71c18692a1
SHA256 fac32b78643d5512189567820392e3decaabbcfdf70b82fe6ef25b0483875ddc
SHA512 127603a2f9c3ce0e3921214b45f8a026d7b8d212a52927796978cfcb47c79275712a45f3861ef4ffbab69ae5e837e07c2eb6f2ad557a60091249c5d88b0eeb7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f959ac4651a89e4028a8fee3cad8ee2e
SHA1 b718538eb718b4405c5d84e5ad6c66a991d6eebd
SHA256 70b74cf094c0fd2d36568f0285b0a1eec4c9270c5f00e11751678ff4ba8fae34
SHA512 6ee9616d2e70910b783098c9bf7c0c8a1dd0c01582de5a42b306d768523f9e12f78a5ca1568bef8ba7d13b508830ae5a3129b06d1845469583b8e18cc443ebde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50ba4e0898da0eeb649dd96e23d11251
SHA1 f0bc81f132b3042f7abee78f3c9f605667027d3e
SHA256 8079e6be73cc30e848e0afad360d279324071055600d9b86e120fd22b3106152
SHA512 e9b2fbd8438725db919718a2c8c28df3cda3c27aa45c2fae0e448ab7870e94d1da74496263e8da7430814bbc06bdb98e6a2f5b13e9c8a41d0dc0eed13aee03fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0c883e7f5ee98b6a1f93d5a3010f144
SHA1 53374505ec9ffa8c2f573153948258eb0ad33fc5
SHA256 73bfc54cc12b1c349b7a134c8feba0367db3f276ab5b76338a2d5c7b15675e4d
SHA512 7c8ec5f929e0e3ffa7c9a378cb85509628d46af1699094c88db73c8413d5e0f0797e0e19716dc11fd5cba54f841ab18e8082c91aa502e057efd2499cbee9146b

Analysis: behavioral13

Detonation Overview

Submitted: 2023-11-19 22:00
Reported: 2023-11-19 22:03
Platform: win10v2004-20231023-en
Max time kernel: 124s
Max time network: 148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sharing.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c060d2e6331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3829743388" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407196209" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0FDBAF18-8727-11EE-AEA7-5E82B88FB323} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1049b8e6331bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3843337315" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a786c536d7cd7e4ab8c0af0cd6cbb43000000000020000000000106600000001000020000000331f23ea279d297f354de2b04e3fcba9a3f7945fa5c03a852fd8598ceb9c7148000000000e800000000200002000000062831954ff2ba4a3ce0719ada5aa6a29c7865129d3cd2d1caebbbdfcbc4a33d720000000b9d024fba22cb8403d71fd3fefd23210273ba01ec3e860a8b5b1631426f187b240000000a5d236a478f346a11f95d10d384ececd3affd12d89414e8615c00ab2834d111ed09f082ffb2f7c8c4743a287b7996456ff90b2cd5f94368ff382cd1cd02f70f8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a786c536d7cd7e4ab8c0af0cd6cbb43000000000020000000000106600000001000020000000c72df163572888088121d0d4bdd77d8fc94fdb4812f8694850b876c467549296000000000e8000000002000020000000c2748ab62c8e313bfbf49d49491db979729c2989f744f0a79ef624837843e11b200000001a01bb821dfc3b9b347c868369a315ee0da44183d6127afe1a8470f7a3ec065e4000000078a4c4dab6b805d621d1645709678daef9f127af434ae98584b4879661e316921643af278fcc8247cb8bc36b96c471c1db452dd94c04f48cbcb06345613d2564 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3829743388" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sharing.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7bc1352ddba5108aad2ba4f8dc7fd138
SHA1 115f349b60dbda0a5be6546362a4561755ee66ec
SHA256 5880434d7a59152766862a06d0a20ef7a07c983bea04471bfc43f56ec530ec12
SHA512 0ec0c8fdf933fff74ad0f549bf0bc8aa42d5dfb160fda7169a09db7eb35e68890c2ce90a9f9c143f19f9d832f7c19794602a83ae706ba122c39604d89e7eb113

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 593ea0124cbd56f6b383afdc809c0263
SHA1 3f200b3ccbf7316bdbda09b4e226549f335a28dd
SHA256 70b4a069077bbc36214de707b48f0e78493975de0d5226a929b9ca8d6cb8d2f2
SHA512 5b63cdac6677b4e811fd736bd30b2f8ff92bdddaebd7f62858f1a67a8bf26da5ef12001fde1176b51e21520e5cde69aeea39e879981fc6bdd5d7bfe86bbec459

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee