Malware Analysis Report

2025-01-19 00:33

Sample ID 240506-bly88afb44
Target 93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60
SHA256 93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60
Tags
microsoft phishing agenttesla
score
10/10

Analysis Overview

score
10/10

SHA256

93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60

Threat Level: Known bad

The file 93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60 was found to be: Known bad.

Malicious Activity Summary

microsoft phishing agenttesla

Agenttesla family

Detected potential entity reuse from brand microsoft.

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported

2024-05-06 01:14

Signatures

Agenttesla family

agenttesla

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 01:14

Reported

2024-05-06 01:30

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe"

Signatures

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2428 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2428 wrote to memory of 392 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2428 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2428 wrote to memory of 3388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe

"C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe8,0x108,0x7ffa3a3a46f8,0x7ffa3a3a4708,0x7ffa3a3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a3a46f8,0x7ffa3a3a4708,0x7ffa3a3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14023120864110914042,18415069944497366281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2428_EBONPQRCWUPMERSE

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b314.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 01:14

Reported

2024-05-06 01:32

Platform

win7-20240221-en

Max time kernel

119s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{230BDE91-0B48-11EF-8442-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00eb4f8549fda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000add8d8f6ef540c895f3e27c7caeed3eab640b4a82ab3dabf57a9447496c591f3000000000e80000000020000200000006a645ae3231361aa9e2bf259d5199cc435a45441e629faeb614b1172d661830a20000000bd8ad2f45c9affc3348dec3d834b0b1f351c756422d7fc53d74cabdf0b59b6044000000099785b877eee713a318fa9296281f0fafed4caf0d97924010ff8bb261f828b032bbee4b232b9d452cc5e328c39594e7a4abefbdfbd3aac42925b53ccb6268707 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421120860" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe

"C:\Users\Admin\AppData\Local\Temp\93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=93d70baa688005e9b89841e37e33c30f1e9f14e305e638f94eebd4866176af60.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
BE 23.55.98.77:443 learn.microsoft.com tcp
BE 23.55.98.77:443 learn.microsoft.com tcp
BE 23.55.98.77:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files
