Malware Analysis Report

2025-08-05 21:11

Sample ID 231231-m9xwvadcc8
Target 33c2aa83e945b2646c37497c6cdfda32
SHA256 86061892174dc7d8676a442ca95188648db1cae98e2a4b4c7ef16248d54faf60
Tags upx vmprotect
Score 7/10


Analysis Overview

Score 7/10

SHA256 86061892174dc7d8676a442ca95188648db1cae98e2a4b4c7ef16248d54faf60

Threat Level: Shows suspicious behavior

The file 33c2aa83e945b2646c37497c6cdfda32 was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx vmprotect

UPX packed file

VMProtect packed file

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2023-12-31 11:10

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:26

Platform

win7-20231129-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terminator.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Terminator.exe

"C:\Users\Admin\AppData\Local\Temp\Terminator.exe"

Network

N/A

Files

memory/1684-0-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1684-1-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1684-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:27

Platform

win10v2004-20231215-en

Max time kernel

198s

Max time network

214s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\.chm

Signatures

N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\.chm

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:27

Platform

win7-20231215-en

Max time kernel

118s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe

"C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe"

Network

N/A

Files

memory/2064-0-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:26

Platform

win10v2004-20231222-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terminator.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Terminator.exe

"C:\Users\Admin\AppData\Local\Temp\Terminator.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp
GB | 96.17.178.195:80 | N/A | tcp
GB | 96.17.178.195:80 | N/A | tcp
GB | 96.17.178.195:80 | N/A | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp

Files

memory/2224-0-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2224-1-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2224-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:26

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\.chm

Signatures

N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\.chm

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:27

Platform

win10v2004-20231222-en

Max time kernel

146s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe

"C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
N/A | 52.165.165.26:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 40.127.240.158:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 20.123.104.105:443 | N/A | tcp
N/A | 40.127.240.158:443 | N/A | tcp
N/A | 40.127.240.158:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 23.44.233.195:443 | N/A | tcp
US | 192.229.221.95:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 20.123.104.105:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 52.165.165.26:443 | N/A | tcp
N/A | 52.165.165.26:443 | N/A | tcp
N/A | 52.165.165.26:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 52.165.164.15:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 52.165.164.15:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 52.165.165.26:443 | N/A | tcp
N/A | 52.165.165.26:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 93.184.221.240:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 92.123.241.104:80 | N/A | tcp
N/A | 92.123.241.104:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.194:80 | N/A | tcp
N/A | 20.123.104.105:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 20.54.110.119:443 | N/A | tcp
N/A | 96.17.178.194:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 52.165.164.15:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.194:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.135.217:80 | N/A | tcp
N/A | 88.221.135.217:80 | N/A | tcp
N/A | 88.221.135.217:80 | N/A | tcp
N/A | 88.221.135.217:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
GB | 96.17.178.211:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.135.217:80 | N/A | tcp
N/A | 88.221.135.217:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 20.105.99.58:443 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
GB | 96.17.178.211:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.134.18:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
GB | 96.17.178.211:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
N/A | 20.86.201.138:443 | N/A | tcp
N/A | 20.86.201.138:443 | N/A | tcp
N/A | 20.86.201.138:443 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
GB | 88.221.134.11:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 204.79.197.200:443 | N/A | tcp
N/A | 204.79.197.200:443 | N/A | tcp
N/A | 204.79.197.200:443 | N/A | tcp
N/A | 204.79.197.200:443 | N/A | tcp
N/A | 204.79.197.200:443 | N/A | tcp
US | 192.229.221.95:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.134.18:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 96.17.178.195:80 | N/A | tcp
N/A | 52.165.164.15:443 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.134.18:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
N/A | 88.221.134.18:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.176:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
GB | 96.17.178.211:80 | N/A | tcp
GB | 96.17.178.211:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.134.18:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 88.221.134.18:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.173:80 | N/A | tcp
N/A | 96.17.178.173:80 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp
N/A | 96.17.178.173:80 | N/A | tcp

Files

memory/2496-0-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:28

Platform

win7-20231215-en

Max time kernel

141s

Max time network

208s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\˵.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c19300000000002000000000010660000000100002000000048a6482652416cd5f0b89d3998c18ac6d95f9105d574bd1f01a954659792a422000000000e80000000020000200000001ca282857778662d8a99c5a31c1f98942d4291b8a1cf7aad3579300b584771c320000000144addba40efcc44e1cdf6e6ebf7bf560e4752b78a21d57353063058eff755e240000000b105077524823a9e96b662c01e01736d6844da69c738c4ffe097430fc581940ecf4d81029bcdd73e0d08ca846ec1b0619ae446cc0d2f25ede86f8408d77bb131 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FFD9721-AFA2-11EE-8097-6E3D54FB2439} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411044216" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0817d66af43da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\˵.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.haote.com | udp
US | 23.224.59.54:80 | www.haote.com | tcp
US | 23.224.59.54:80 | www.haote.com | tcp
US | 23.224.59.54:443 | www.haote.com | tcp
US | 23.224.59.54:443 | www.haote.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab69AE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar6CCD.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19cb6f6f9f6f20b56352f5680058b460
SHA1 df49b7c6d9b20001a5a5a694bcca45198514e51a
SHA256 13d6c92b6bf686411c7b0e724dd955bd77079ef783e6bb52b6b9ffd0540925dd
SHA512 618e87fc833177aca6c67d7cdf5e92b3eed57cdc510b3402682691ca33110b7efa83f754a7622566eb1ac306bdfc8102835f1a9e52b74754421918d4bc84d81a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd9cf50a1fbecb58fc407e8b6849e3fd
SHA1 e285839bf69cae9c9ed0132bdbfb5ed051614ee5
SHA256 ecdb02bc1deba0590f7424cb97847e2d1a52082dfda2483bb00c884fe9c1d941
SHA512 798efee3ae28e27043930271b15410b5c98a2b5f272fc0b693cd5757862d037794d2b0792f8d8422ed924c37674223efa57865e20c75dade88c7fb613521fe67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 042f90f9605b6b8c91162867a07b2406
SHA1 5079b2f984f0103fb468b3cf2109b5e87798f51a
SHA256 8aedc9c50fe99475ff6783ef153235d44ab14e1af46cdd3f68bd4bcfee8bc2bd
SHA512 0de1216afa799c2b6370f871fac67b4ea7db39f0ee5f3276d45b1eda1d5023c8c557bb9eca73bda678a9c5f3cbb6f8a745d93badf663787021770e7147497ee4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c4178c7b9e6d0ce0a3f139ba4806439
SHA1 0bb7ea5402cd2c6c272a7ab809b12f4a45d29c25
SHA256 2e27188c0db7d98733f82368adf12fe5995eb681f7902f8e47fcb26f6a2506c1
SHA512 e569f04460017a5cfd1610bea1da28bab4d9c82e6568946e19e57fa30cca428c1a9e8b08f6563e4b0f0375aa948003da0fe0a64f298e0e4f7f7dd7bb2fda4685

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f3f648d4d3d8a3a741dffd5f52c898b
SHA1 a3b1352a7f88d63523296c79a88a7c45fd0e52de
SHA256 30b74015cbfe605f12ca8090ce47434ebf4eeb32ccd2360c4fb4781e13da7bfc
SHA512 9929ea37695e288d504d99575788a53b9f82637f3fd9cf00b4c684ab94a674a61ad0bb04b0f4fa1a4b1f9f618a669c70fed68e7aa50a897ca2d06acb25ef3b9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a25a67028ebb978a1a8d11bab756e45
SHA1 5a35e05f40a6c780aa3e1e0941b844469fe3b712
SHA256 2aec7b1fe823e5443e89004eb920af288cfd54e56069a348070d0511e8cc18fa
SHA512 f88d9b4ec36e6f3be0bf9e8a16a269d2fc842b95eb652ca7146751a53b8bb39deab8281245132e1cfd7075066ff2cd0280b367391ac965235b506520979a9042

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 def0af9f0e7d0488ef7d44a818a97dda
SHA1 ee1e4a0df437f7f459aeba713e9cdc2f4e320bc3
SHA256 7039e5ee3e77707cca8252c44d0455cfc485c4120b5849376a3751fb746fc0f7
SHA512 4bcb8098c1990bc9e75b54893893ca25d60e2762a638a1d950ec2d102544662bb27e15a3548ec68ea63c89690fc497a75adb6f5c947421395d881cb00d798637

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5972fff2bb656b7a9f0cd2ba101c515
SHA1 a7e1f8cb9f97caf68d8b5dfd950e827ff60e35d2
SHA256 7483871d700c5a426966f00eeba4eaf0d4931e9cc7d913186ac6dc0652a163c1
SHA512 ca9870930d7dca983ed247144be51122963b259a1c1d03b3baadd1c1ea3173001914603646cf4134ccfd645014283c25caa5ee75ba3afccae75282e15c52b23d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4caa126717b2e524b295c82ae72bdcc7
SHA1 454a87a2517a67119869b91e6da0ee6c6ba29c09
SHA256 843c6f250a0813a2c46d0e3a037ff8a07194669f4e96f4e3be3e9a8f65c0aeca
SHA512 cadc42c3e1e46ee008ea0ee705ba5f3129d03ebd029cc3c9e3464b0f359f8e2f9a562cf28db1435aea7175b97014b0444898268df839c2656a79a949a919ec3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8571aad1215ab2883a05fa4fe0d2d804
SHA1 fc7f63a12537b4d29b8059ca0da905d2228f2584
SHA256 88c27e225951ba51b94afecb7d4adfcd4167d91897fc9b3097add22f8b4bf25a
SHA512 b30f4f56719dd45a9b2571bb9b654d1b376b2560424c8dde88e180a19ec0d16ffe5b33f538813ac0a0296942e6858e04a66e7c2493324e4ac2e0e27f25203fc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea4d12ecdc36794250d2a4890f3cb7f9
SHA1 ec7438e1e09405c30ce237f10e2ea7774f3852fd
SHA256 65136bc00e6b321941150dee68b3a833f2bae945959743b32adcc15fec971773
SHA512 73effe160b70688d6dd24b55c5452d6182a585b05d9f9c562cdf1415a85ac1ba6861d126ae14ff718ea935370829e9e4a1ab67d003aac8f51a2b6fe211fbddc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c42f9cd877d61c2109ee1bcd4ed4facd
SHA1 eec278472e052a58ee28d5f9ff419b176652321a
SHA256 940dce65389687b38d28899cac31184c9f06a3df8581417ed5618b43e8a582eb
SHA512 5ed3dd4e8a568fd265c22d69fb2e44967530fdd14ae751078389ab113ce8274618c97ca5f02e2d1cc61e4f0ab8883f18b12294fe3776589b29d88d2eb9a1b8b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98ff31291c08d21ae27a4b77af2ffad1
SHA1 5ccabb6d7ee8dc082fff7cc52e5a3e8c40b77f03
SHA256 5ed39bfceede62a69e6eeed90188dbc9a3f3d0ce0e6354d121ab72ea5ce747c6
SHA512 08f67b44350edd2579c1a5faf59a7fe78c253142624567d1e97e4bb3aa7feedf388f724f38f04ba002c99db75d0f4e8e401e16d9e660431132781d6a6517c2a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cded0b1f4c45f5903e0ab62b3750b0b
SHA1 5f10ae729b7625336e2f310b73f1c226aae6d7a2
SHA256 f5f28f91ce372b618bcd2516a8b9c8e29e81c818a94b5e382d5c0967708c56dd
SHA512 550fa8c8babf2f6195890098664277596ed121c8f49daa8ce4b2b5ec0e05f2997959b260fc73d0960bb6847a74e4b947e850ab312faa3286985c80954d125346

Analysis: behavioral8

Detonation Overview

Submitted

2023-12-31 11:10

Reported

2024-01-10 10:27

Platform

win10v2004-20231215-en

Max time kernel

166s

Max time network

174s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\˵.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1246009525" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1248196172" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411647267" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e1bc4eaf43da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47f1af20644814589e7a32def35942f0000000002000000000010660000000100002000000049f1a935accf57c9d71c23609765738078fa7c74ad99303ec07419fe3aa2ed7a000000000e800000000200002000000072deced029b963af9ecd8388889edbe7b1bb29a4d5849b6ee2bae3bdb3eb3b0520000000383daff4b85f791591b65bcbcc006f7ce68f29c93e23eb3bdc99578b221bf44e400000009b650ba9913f983f4aae580ed62fe8d5289b5e4dc6f3cb9e7b8eea9b979629f62587cc802403b211fa87496327cc4741d0659a4d910434fc4df92cb0b275b2e3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1246009525" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\haote.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\haote.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081391" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DOMStorage\haote.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.haote.com\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47f1af20644814589e7a32def35942f00000000020000000000106600000001000020000000a0874975dfbfccab81c9414bcf415a322ae149a992bcd501a6dd4fc021c453d9000000000e8000000002000020000000762ae4714acf7a2afb4afd817b8c5732e1128f01a1f0b4868c7786e02a5d5ee12000000021516e31ae9888a819caab19dc6842ceb437b98b93f56c6303369489a02a52b640000000e047302bffc21c32aa0f07b2d125af59473e4a06e4553fbe20e32f0b2e40ddccabe0fa6b0bd517a0ae48de4f274c2fd6eb6fc2eb25cdddcf472fbb1fb5204845 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081391" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0ea004baf43da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47f1af20644814589e7a32def35942f000000000200000000001066000000010000200000000908a827a21b66b571f0c12b528024a121d8633b92d224be6077e832a67dfa10000000000e80000000020000200000001027f94f6322b97fd0016f4b8b68cc785824310fcffa4153c61d010e683976e7200000001f1938f58fa7d61838c37ce8a94378ad15921ea800fa12032b0cad69b60704f240000000da09ce38f7f2e9b1c9f525db8c5debb4d4b7f13cf2ea8da3ff672ac0d5ffa7526dabe14cc43507f730ad4ad9398d5f861861b31a28648a87ffaf40cb8360e625 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bdaf4aaf43da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{73E3FAAE-AFA2-11EE-9A4E-524326B4BB5C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1248196172" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.haote.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\haote.com\Total = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081391" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\˵.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.haote.com udp
US 23.224.78.190:80 www.haote.com tcp
US 23.224.78.190:80 www.haote.com tcp
US 8.8.8.8:53 190.78.224.23.in-addr.arpa udp
US 23.224.78.190:443 www.haote.com tcp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 135.223.24.100.in-addr.arpa udp
US 8.8.8.8:53 static.haote.com udp
US 8.8.8.8:53 img.haote.com udp
US 23.224.78.54:443 img.haote.com tcp
US 23.224.78.54:443 img.haote.com tcp
US 23.224.78.54:443 img.haote.com tcp
US 23.224.78.54:443 img.haote.com tcp
US 23.224.78.54:443 img.haote.com tcp
US 23.224.78.54:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 23.224.77.238:443 img.haote.com tcp
US 8.8.8.8:53 54.78.224.23.in-addr.arpa udp
US 8.8.8.8:53 238.77.224.23.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 191.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
GB 96.17.178.195:80 tcp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
GB 96.17.178.173:80 tcp
GB 96.17.178.173:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver407F.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q9YQXK50\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee