Malware Analysis Report

2024-10-18 23:04

Sample ID 240122-d6qhxsgab4
Target 6e9fdbd85c3f5e072b9cbe6a5fe316ef
SHA256 73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63
Tags
ardamax discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63

Threat Level: Known bad

The file 6e9fdbd85c3f5e072b9cbe6a5fe316ef was found to be: Known bad.

Malicious Activity Summary

ardamax discovery persistence

Ardamax family

Ardamax main executable

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 03:37

Signatures

Ardamax family

ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe

"C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe

"C:\Users\Admin\AppData\Local\Temp\6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 4212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 976 wrote to memory of 4212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 976 wrote to memory of 4212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AKV.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKV.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKV.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AKV.exe

"C:\Users\Admin\AppData\Local\Temp\AKV.exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

130s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AKV.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKV.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AKV.exe

"C:\Users\Admin\AppData\Local\Temp\AKV.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\_AKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_AKL.exe" C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\_AKL.exe

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 248

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

"C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

MD5 c30a8655799cdcf83ff2ac51af7da1f7
SHA1 f1a817a066e8f6e1c5472d484c9a38e54a1c348e
SHA256 d0bdf661871582c8086e5c753ba4d4d725371e3a5612a377cb41f2d144189594
SHA512 b13a422c7eff9b7bd4b391b854735317143ba321cb40a155df05dc2240f9653eeca67dd230117f606baad0832066073926030d4168f6f4d658ab347fde0aa33d

Analysis: behavioral21

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231129-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\qs.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000739fa4ae0f87ff30a4e93cb2799143ff3e7c51e18851f9a505263a7538022737000000000e80000000020000200000008e90a81be85a0453b5ac5f80df43eb77c2948459113d4c4c4ea58a517789907520000000d23a9714d56a4eb293e5e72c92f8147b7effc79a5cf1f3f4d70c58919249e39540000000d253d7dd0030f4826e583dc78ea7be69d94eb89a210e3f7c7174c1764b97e54b03f79bc2893151514d8ce3bc93737daaa71fdcf4c6300a1c4c6dfbe0b383bfbe C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{947DAE01-B8D7-11EE-BB35-72D103486AAB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000009249a1a3ef7bf13d0d185f13f43fef81b1100ef8ac411d553fed987aead1ae06000000000e80000000020000200000008991300c538940fe4509fba08e132ef8149ff301c46258498c3fd9bff68f8d6790000000f35b47d5b290807045a5e4944feba69ab5ab9fad4d90dde53e6fa6f6457a1a8125e1df0a791d0b4a3e3d184bd29b471c6366da8f31e672ef17ab2bd60bbe8b926490c511ab6443f17b20c0d90b0d8767e8a965cfe51281b88d2eab5c467ed089865b579089fcaa547a5b055aec8d34837405b76aed65c84f5b656cd527d832060f649dfe8194882345e28766f261977e40000000492053fbafddf4cf3f06a3ce94087ed8aff4cccbc8a060ca46d590e866d3b07633f65468828b9d2511cbb68f87dfe0f9ba5a043f72d91f2f58acecbc94082376 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b70069e44cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412056521" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\qs.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.128.167:80 www.bing.com tcp
GB 92.123.128.167:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab140E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar152C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ccce599212dff7259641d219b078b1d2
SHA1 c325dc8954b9d8030fe67930848e8e1fe87c7331
SHA256 cf56662c1c61fe3badc7ec5769d2937075d2d50204420ad61038487b90157158
SHA512 eaf3000546c60ac182e2f24db46a22a3071add873042e0a76a16adf97dcac1be4e58f162d0c8ce093ba4f08ecf1b76a4cb1b0fe375c0a6f2e4b93163163c17d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f70b185c96d7ad6872e2a57e9adf0bb3
SHA1 6d279bcd0e4e32b5f84462e2cc16137930f4e362
SHA256 a3d1e622f2714bcd563ec733b0c595a7511b59c1a49a88b760580e44109230fc
SHA512 ecd5bed7814ea8e6bd0a4623b108c8d02605ae278ec3e99573bf4088c43729d1d99494db091cdd766b08a9ca44ec56a62956dd4e263485e0ccf7686fc387e269

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d14d941af8ddc723e9643c9e4c8ddd2e
SHA1 f1d11298982373eb6bb2f0f505dbbe8ce15b1010
SHA256 16b8dba3593b6cd14ded05c8fa838177ed2f756d76e909460a4d47520801df5e
SHA512 eb15c425a62024ed1d3d74aa045788107d0446b95669a0631f4eb0c9a0cdbe4d03fedf8d669da6be7962a128e5e031f12a39306d26eecaeb4a1c93b36d64fe41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 026de2d5c8ffa516ab818475c0739f57
SHA1 2cf2702c0d7cba3a8b97c94e769c0acaad8aec3f
SHA256 a81d0ff1e402c9ba422c9182d496dfb690dfd275a198fa36f5f7430778c54451
SHA512 ddc51b046f40fafc40372437d495520874f532cb191a353675d7a1e124b7aee6106c74636d7931b32cfc994d61d5cfa74e52b4b58d468a9d735ed58444c81efe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d24ba7add75d48a6a4f6ade7a3ce194a
SHA1 44ac0f6ce8bc735c80b8e6798f7570ab6fdc1ede
SHA256 1ef953a941d12dff7d23b2d64022e3538d36d04bf2fd58ca0323f7bd41dd0e02
SHA512 8e85d18e5202c5c3c4d83cd6cc4a3e5c8cf6a1a4141cbccdff2495736ddff4d6f15ec5d76e43776fed50322c6b716c168dc3c0a104b0830b485a35b31e57ad08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bb2eea17329e29a78b531f5b992ab80
SHA1 2adf873a4d430e6a6ffffb9ea5f0ac056d9b22f0
SHA256 88ec65c2894c839935bf82a5049f7fb4c6f0f29bf352fb448e0924aead8b7982
SHA512 34848d0c46046c7f907f927a2e90e1dc537c3f4ebe6d027ee3200edb05da3d6f1cd2c9a241c01c799ca623055d20c487ebf875d7b576b4a898846c7d4f0c1399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 a87d9dfd890338b1c48b8f3f998cdf51
SHA1 c00227adcba23fe94ccca0add6cf863592bfcb77
SHA256 d3ed6b18b962ba8c6d0d14ef85bedc6f11c06edf5d102142cd42626a3fd53443
SHA512 eb38cf7de56a2c55c45770802cdab10da3e8b4355f77109d2a221a9e08ed9ced947e6eb44ee608bc55ae292278a77107c0e9fda5918ab163f032612af6a8a35a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f0fe5c5af1c41182d662ec52dac2282
SHA1 2f30aa7d99e9dc300ffcb2c60543e697432721ec
SHA256 88365bd330a5b63c8807c8f19639a943905e812e5ce68058726be1bc676462cd
SHA512 d98d06ba750390d89debe8303013f68fe8519f41a05d1954f08eea6b5aecf6216e3759f271acfe25947d3ffb26aae1c760660d3ebffd58b0d73fafebe94588b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 506d0b059ecf1a95ca22cb36961fc970
SHA1 dc1dc157cd1af5b21dcb204e3825b449f0ba649a
SHA256 bb2c0af693c7c9019fc682e855852c46febdff486655dc4b56ba08cdaf347afa
SHA512 d0abae0544863345b4621c99c014a453127a29474b80758729a5012e78080dcb3eac9f194540cee7d5712008fbb11ccbf8cf50f1c080365dc47359f5ce73fc78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b238d6013059071f9df8069ff72dfe9
SHA1 bb6c5019371691835d5289430e5a4d1232caddaa
SHA256 a834840300e5e92c5fad5c469ffacb68a3fa8fbcd3ef09da11117e31ca78e813
SHA512 0dd9232a913aaa00d4f1461c0e123f82bc62a826654366052bd0169ea58890378f5ea9a913e1cb9200795948cd78c04e606646be3cc489c295a9eeb9b251e5f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65fde50ea66a094afb5a825a2d2568e8
SHA1 6595113427ff1bd6f1c5c6f5752b3da64f95e986
SHA256 c85f41ca96094005a066c1f3b5a0c2a38a738f6658cfc958801f50e2f5f8cf38
SHA512 19f96b63ba20cbb989702506508639234a4671cc3ba4608539be3f21d73d93a41328636bf23b0a174d7c20362bb575cb2c4b45c79dc5fc11180d1d6962ef2d06

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d68ec3ca1078a3f0f0d5bc72751c7ff1
SHA1 a3f3b4c67116a31da02751ad1de38fb9fc5c2adb
SHA256 73337e9f862e78a1abded48bf4f12329219f5de9b182cd23f28e9b4245018ce7
SHA512 112bd5f5e5e38475cf83e9045f35db67cd7593ff9441291532a939c023e5ea40d516a822c45bc0db45c4c5f815b9f3fc4a3bce105525cf62899d8485f54679c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b597e2078e962ec0431072565b4cdb98
SHA1 87ce66186446c4011e5b6834b3474e73ab82df85
SHA256 05ae49d598cef0b307659d0f4b9f10ec4c3f1a132ccb1d4a15dcc7c5c2531d77
SHA512 9c3c08ad9f36e182ff1a6c4344256f6b42726013342b0c29211601e9ef48687f770e35850ecb2e56440f8b79573e2440e3c2aa7a63ea94a32e58af0cf2f40176

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e56de4aebc23f83eb078bf8e494c8e49
SHA1 2f9285daca51b037e6e25b4cfa7aa9a1d49a0e21
SHA256 b2408112763c8a5f6309331e147dfe4c6e03a63a569f9242afd118b8146f61a8
SHA512 b21dd2ccaecadb5b5ef0c3e35055d61a170ab1ebced370efc1e9edc8360120ecabf78da9c4f89fbc603872f3efbbd68c2ccaedcafd88622615d01aa5f21f7926

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4019b878273e4bb5215095c3096e4441
SHA1 1b1b3848880e7cb5671a1b00f7211301d708c4c6
SHA256 d35e23734419c60a5c2c17239a71603f3aa496ef786ff10a7d65f15b0529a677
SHA512 6a09f0ffb0bd7e7e12560f31c67eb440c048da656c1f0a305b7675dcc8c54f352eb29a4686e9935a5dd2453fffe7baee028585d91d578623d275357f738a0fe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8643a3bbdedfa23f5e7bbe8ceeec8cbf
SHA1 a70bcbd9a5bedb0fdc1b153a25579bf88fd1089a
SHA256 2e9eea35b58f1e10a690fd14368ade2a34ee9673042b4b245c633529ab2f246d
SHA512 dd02ed38fb202531bb4fd5f346f58a6de75e0e766ada484fff6b1c4cb088d2819fe475fc0c3edd1bf8c8f47ac0dfca114a55bad468602add96f2d44968b3b9dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08916645093eac7f4a9087dfc7c036ed
SHA1 5365118532cb4e6796856c8dfe8122383e964739
SHA256 78e32c23a396be5069e3441a864fca8bced0a34113e2655b1e21849382a72736
SHA512 5049224a19eca30a315cf23beda2a644c1efdca1b64e722a6c2d54e6f556aff450a0a3b2a37b94cc40adae5aa6d8e03dc2f7350a6e024ee82965b8826b696b15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 782e3662e77fad560a8c0a3cd3bb089e
SHA1 65656e5bc4a7b73bb1618c3d10fe6ae92910186d
SHA256 924a0b3135cc4d73d5a4820d623e721fa8d052aae24a511cf4509f95c057a6f4
SHA512 489b2aceeda5903a6efafa545bc4072becfb8801dcdd7d0c4067724e8ef6db86593f79b83fe03b4a0a854c267b307ee196ae017e1c40fcc7312d56ca2c543601

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b4315279f8194a42fb42d38e74c95e2
SHA1 2282af95c534c972a6eaedcd0f44f40f9046ae61
SHA256 3efc5ec1f8722484ca7318624165721fd65f94e940a149cb0ae9ec09b4dc7d27
SHA512 045c018bd768b20680559d327f90962a536e20a893b46fcd75d0bb5ce1fad6e0880f9879808d9d7144d3620fdcd9842fe37b46c29d23a8bac89a5467536cff74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bbec8340e4c0bfee156c4f99bfd225b
SHA1 de3509a057f22a9a489a82cd33d4b4e38d2dfc38
SHA256 622978590b325ac4d7d605babf182acbac5a42cc277e9c7d174172c88dc06fb8
SHA512 d86662ddbcbec442035cc395b43edda99a0c883866002bd61144c857e2513693bf0bedfd4e4b6ffbd9127158918778c5c2cd5d42e012df831afc5b1f1bd3b849

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51d2f98b1f231ee26b81377c20622ccd
SHA1 4e94b0b016279debbade28c24add3124f157b19d
SHA256 53825c781fd37168c2660b0b5b92bf561dc4d54ef6dd61370729a92cd13efe42
SHA512 1f6f640d7c9fea9c29c63b2b31d295cf92806ed0ee9878e86dcd34f51e4c345b9ad13ba321b5ab7e3938570e1620f4b1d58951585c4e8e3c7c9abe101964637a

Analysis: behavioral22

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

94s

Max time network

146s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\qs.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083748" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046600867cea8cb4995f7301d78886de600000000020000000000106600000001000020000000f732d62c8879048373e8f934231cab1775b33af0c3bec75f887da4d76e0d4179000000000e8000000002000020000000aae772400257b63983cd008f60c4a30289a41a65c8a8a54ec99482ca8ab23d482000000014b68257c4524bbbc2ffd8de7f5ae8816e5695c995adbbd8b8d8845959fcef4f40000000b85e8edee1b217eb628d90e82af64a27ee786ae71af9fa5c56b725eb4205e8494b4c1edc1525d50c14bef23e8463749224bd86b991de075a068f7ffcee9d22be C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083748" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1808814784" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c2426ce44cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1812408540" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046600867cea8cb4995f7301d78886de60000000002000000000010660000000100002000000070716d5109d69e176e35d838475c5bb7eeeb3d68a5c91178e7c7efbcffd8a6a6000000000e80000000020000200000002a6f74809521f996b9aab83933a94cd77d5144caa292adf275c08e2c3a74bb4e20000000f380e5bd3e687ed22de0f804e1b4b8cfec39a6329be708e3d027fb5644cde41a4000000040fcba745dbe387d586b402a37ae3d5681c88abec5b3208d2fefbb264a4d4ea0bd63d0960c3b3df2b0aadda3fadf0eed54356aa413566cc9054f5e85da1a3c0f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31083748" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00c456ce44cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1808814784" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412659634" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{976B89E7-B8D7-11EE-BD28-EA184F49D407} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\qs.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 dc16303d7ef66092791e6aada7e90c01
SHA1 60535157bee27ac8c4f5bde3ab87d9b383994924
SHA256 755c82491b700943501170a1e5962098c2a1f75c9463e493c254c4bc88fccf77
SHA512 28d4e4f9acebd996b29145337add25ea63e39b57424a09e4b4336122ba2110ca2c7e5c3509241dffde8682a1d542c88fedaa631b2ab059302880645837041be6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ecbee8be1b3e68b8e56274a975f204a9
SHA1 1f1c78785a4971aa3f1bb35fe28417795ecfd6a4
SHA256 39266a7cfcf244879b79c5d99dd6b259063f954bfc47640558e773810eab1be3
SHA512 eabc00ddaa5d31c3b80515f9923ff193e89c1561e3f65dadde2e52d91ad249f6c215d34971b58e54d2643368e3712a01c1dfd7ec362f651f8ac3cb4bc8aeea3d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

135s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\_AKL.exe

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\_AKL.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\_AKL.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_AKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_AKL.exe" C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AKL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\_AKL.exe

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

"C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

MD5 c30a8655799cdcf83ff2ac51af7da1f7
SHA1 f1a817a066e8f6e1c5472d484c9a38e54a1c348e
SHA256 d0bdf661871582c8086e5c753ba4d4d725371e3a5612a377cb41f2d144189594
SHA512 b13a422c7eff9b7bd4b391b854735317143ba321cb40a155df05dc2240f9653eeca67dd230117f606baad0832066073926030d4168f6f4d658ab347fde0aa33d

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\_AKL.exe

"C:\Users\Admin\AppData\Local\Temp\_AKL.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win10v2004-20231215-en

Max time kernel

134s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2236 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2236 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Network

N/A

Files

memory/1884-4-0x0000000074E10000-0x0000000074E23000-memory.dmp

memory/1884-3-0x0000000074F50000-0x0000000074FDD000-memory.dmp

memory/1884-7-0x0000000074EF0000-0x0000000074F41000-memory.dmp

memory/1884-6-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

memory/1884-5-0x0000000076D40000-0x0000000076E0C000-memory.dmp

memory/1884-2-0x0000000000930000-0x000000000093E000-memory.dmp

memory/1884-8-0x00000000763E0000-0x00000000764D0000-memory.dmp

memory/1884-1-0x0000000075540000-0x000000007556A000-memory.dmp

memory/1884-0-0x0000000074ED0000-0x0000000074EE2000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\_AKL.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\_AKL.chm

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-22 03:37

Reported

2024-01-22 03:40

Platform

win7-20231129-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\_AKL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 224

Network

N/A

Files

N/A