Analysis Overview
SHA256: 86061892174dc7d8676a442ca95188648db1cae98e2a4b4c7ef16248d54faf60
Threat Level: Shows suspicious behavior
The file 33c2aa83e945b2646c37497c6cdfda32 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
VMProtect packed file
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 11:10
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:26
Platform
win7-20231129-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Terminator.exe
"C:\Users\Admin\AppData\Local\Temp\Terminator.exe"
Network
Files
memory/1684-0-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1684-1-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1684-2-0x0000000000400000-0x00000000004CC000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:27
Platform
win10v2004-20231215-en
Max time kernel
198s
Max time network
214s
Command Line
Signatures
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\.chm
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:27
Platform
win7-20231215-en
Max time kernel
118s
Max time network
142s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe
"C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe"
Network
Files
memory/2064-0-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:26
Platform
win10v2004-20231222-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terminator.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Terminator.exe
"C:\Users\Admin\AppData\Local\Temp\Terminator.exe"
Network
Files
memory/2224-0-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2224-1-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2224-2-0x0000000000400000-0x00000000004CC000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:26
Platform
win7-20231215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\.chm
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:27
Platform
win10v2004-20231222-en
Max time kernel
146s
Max time network
93s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe
"C:\Users\Admin\AppData\Local\Temp\սV1.0ڴע.exe"
Network
Files
memory/2496-0-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:28
Platform
win7-20231215-en
Max time kernel
141s
Max time network
208s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c19300000000002000000000010660000000100002000000048a6482652416cd5f0b89d3998c18ac6d95f9105d574bd1f01a954659792a422000000000e80000000020000200000001ca282857778662d8a99c5a31c1f98942d4291b8a1cf7aad3579300b584771c320000000144addba40efcc44e1cdf6e6ebf7bf560e4752b78a21d57353063058eff755e240000000b105077524823a9e96b662c01e01736d6844da69c738c4ffe097430fc581940ecf4d81029bcdd73e0d08ca846ec1b0619ae446cc0d2f25ede86f8408d77bb131 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FFD9721-AFA2-11EE-8097-6E3D54FB2439} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411044216" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0817d66af43da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1892 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1892 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1892 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1892 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\˵.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.haote.com | udp |
| US | 23.224.59.54:80 | www.haote.com | tcp |
| US | 23.224.59.54:80 | www.haote.com | tcp |
| US | 23.224.59.54:443 | www.haote.com | tcp |
| US | 23.224.59.54:443 | www.haote.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab69AE.tmp
C:\Users\Admin\AppData\Local\Temp\Tar6CCD.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral8
Detonation Overview
Submitted
2023-12-31 11:10
Reported
2024-01-10 10:27
Platform
win10v2004-20231215-en
Max time kernel
166s
Max time network
174s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1246009525" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1248196172" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411647267" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e1bc4eaf43da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47f1af20644814589e7a32def35942f0000000002000000000010660000000100002000000049f1a935accf57c9d71c23609765738078fa7c74ad99303ec07419fe3aa2ed7a000000000e800000000200002000000072deced029b963af9ecd8388889edbe7b1bb29a4d5849b6ee2bae3bdb3eb3b0520000000383daff4b85f791591b65bcbcc006f7ce68f29c93e23eb3bdc99578b221bf44e400000009b650ba9913f983f4aae580ed62fe8d5289b5e4dc6f3cb9e7b8eea9b979629f62587cc802403b211fa87496327cc4741d0659a4d910434fc4df92cb0b275b2e3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1246009525" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\haote.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\haote.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081391" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DOMStorage\haote.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.haote.com\ = "63" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47f1af20644814589e7a32def35942f00000000020000000000106600000001000020000000a0874975dfbfccab81c9414bcf415a322ae149a992bcd501a6dd4fc021c453d9000000000e8000000002000020000000762ae4714acf7a2afb4afd817b8c5732e1128f01a1f0b4868c7786e02a5d5ee12000000021516e31ae9888a819caab19dc6842ceb437b98b93f56c6303369489a02a52b640000000e047302bffc21c32aa0f07b2d125af59473e4a06e4553fbe20e32f0b2e40ddccabe0fa6b0bd517a0ae48de4f274c2fd6eb6fc2eb25cdddcf472fbb1fb5204845 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081391" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0ea004baf43da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47f1af20644814589e7a32def35942f000000000200000000001066000000010000200000000908a827a21b66b571f0c12b528024a121d8633b92d224be6077e832a67dfa10000000000e80000000020000200000001027f94f6322b97fd0016f4b8b68cc785824310fcffa4153c61d010e683976e7200000001f1938f58fa7d61838c37ce8a94378ad15921ea800fa12032b0cad69b60704f240000000da09ce38f7f2e9b1c9f525db8c5debb4d4b7f13cf2ea8da3ff672ac0d5ffa7526dabe14cc43507f730ad4ad9398d5f861861b31a28648a87ffaf40cb8360e625 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bdaf4aaf43da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{73E3FAAE-AFA2-11EE-9A4E-524326B4BB5C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1248196172" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.haote.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\haote.com\Total = "63" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3884 wrote to memory of 3520 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3884 wrote to memory of 3520 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3884 wrote to memory of 3520 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\˵.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:17410 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver407F.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q9YQXK50\suggestions[1].en-US