Malware Analysis Report

2024-11-30 05:43

Sample ID 240619-l99pzaycna
Target malta_scanner.zip
SHA256 3cb59e70d49226c59e439c065817db704ee03896491181474320fafe2b906e19
Tags
agenttesla
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cb59e70d49226c59e439c065817db704ee03896491181474320fafe2b906e19

Threat Level: Known bad

The file malta_scanner.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla

AgentTesla payload

Agenttesla family

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 10:15

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Agenttesla family

agenttesla

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240611-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\de\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000cf290375abe30b871f8ae566007d52c81a3d99e145cc35fd6efe895324952dac000000000e8000000002000020000000b5dd660c5a115d10db057f14661a05e5eadbfa9f822bb230243cef030341059e2000000071543850ad8a7b4e3161f765d579ef5d21d09b1bfe6e78e2a04b0a0e9889e4e04000000095d3ad050d88f0ab44f9f537e444297db9af091011987d67ce0e2d912a90f6a1dd0007503b82a7a92f04f7f4ff5b1291b99dbbbabea21656dff0df6ddc8cb752 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb810000000002000000000010660000000100002000000064e30ec084a498ac09087dfbb0f9483de5bc01f48d9382135cfd0921f53e0371000000000e8000000002000020000000dc664af9b1851ce054702dbbf399c9fbfb19b0cfbd13a93d8f130b096961f5e9900000005e8a064d5af669491f3a777a4c7c5dc8dfc1b19ca38cde3b97c6f90f2abc99b424a2e890aa2989c7d94d9dd1114305a36b478e8810238d082265f67e02fd2e0d6169dd5d6a3a75d684f13cef473ae34b4d90d931617b4c24a7481c5347e15f4100971e415919d0fd8f9ac8c53f1e7b41b83a55905f5dc8d0f41c931688a09bb1c087c5ecb6c329509544a7bbbef00f9d400000009ab293b50d3f84d66eee9196d229ffee70ec76c39330f8ed0dc52af73101dabf91ecf76d89d4a7e70d25cc66bf18e8eeec44c123ba4b217a8eeff59f74816f3d C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206f02f331c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954110" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E1D7F61-2E25-11EF-90EB-D671A15513D2} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2332 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2332 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2332 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2056 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2056 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2056 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2056 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\de\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab41A5.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef4b073c8b14d65e0dbcbed0bab66f70
SHA1 6f7c320acafd6d3acb39d4dd5f8e3b0cbe49cba4
SHA256 9273b1d6877333942c1f3673f60eaab0d3a04c72ead49c3fc4fbd3459aade60c
SHA512 a84afb851ab8ff73aafb7c06d268be2f63ab14aee24c7557443f1a00c0a13b0861773687cf4bc6a8179cc9f8279dee2577f0a94d63b5d935642851b86d1809b6

C:\Users\Admin\AppData\Local\Temp\Tar4267.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a811f980f85fe5710e1a8934194f0a1e
SHA1 ac98462758aa2d2a7b10a9a5f29cae37445f2f09
SHA256 883b6fedbcbbd273e745d9933b486813f1aea41ea18e0b4721e0eee7ae896531
SHA512 8dd4b6836806e48ee1b60cc585b070d2025d7bb8120bb41391e97c1364735ef4696e7377ef7e8584a91ab4a43d5e656b822b20a825dafc785e5ef90dad35c463

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b4ca99aa536140f59d12c507cd147a6
SHA1 1e9802a669245b08cddaba6ad39c18c15218e8d5
SHA256 d213aef3ff4653c5639b9096e46e3cf49e21a00c67ab5d6a6eff65b77e088a7a
SHA512 9f8f12cd9f451c9c4d5748ed8447bf0f6b8487100c77bb51d583d3cbcb63ea08a89ef88048e687bfedc9144e19f70f121b0a3fce3a54ef489e699a97a9b1aa0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94c5e02ca6c17bfe169719d6e4775365
SHA1 e80fe610227b23fcb19bbd1e6d9c4af204dee44b
SHA256 4a1f8e0cfc59783e1dbb64af048437950f8a100af80f2dc261724f09708ec016
SHA512 a1d07c421220f9bce00f142fbc9dd527254281e5f69138fbf998d8aaee61b15641959b407207f855667c43bcba7185de896e416c629332b508caa88b254b5934

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75fbe946598bb57c7bbd7f77340027c9
SHA1 0d814182c3608380b20304e11cc418fbd24b1711
SHA256 2d480640eccb51fa981dbeed2526b32ca2a5e41485bf7b2e34a3e6c3af7e7c2b
SHA512 b5803dc4c09bd3d7d9311b5f6a016aef67e86c3a5b813ff2eadda415ffcc7092cab1db611f0805ec824583d552be41681f6322d2533c6250fcf2b373af94f827

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 999d6e1017e6086c0c6f395cc1f7fd8b
SHA1 baab9d2a3a0d47f3318f7edfa4faa8692b24f89b
SHA256 0ec1db183cc3d8638bc6e225392375096bd5a7ccfd0d068ab6d92d238685488f
SHA512 38a191ffb8a383e56c3328181f672a08a54b291f3e76a234ae6b3c2994d41431ad46462a80bfd9f695f0018b361243828c792c441076186d62a48a11af48ed2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33515631d68c3bee65e905e5777dfc60
SHA1 ae8b420482fa689b75316a43e2af8858eb7624aa
SHA256 d702f30363294c91a7bdb5e57adcebb0299b3ae40d6d3aca62eef6ee133fc093
SHA512 4e495f75c86d0785070e3fd87020a52707ece43b4e51439ad1b8d0b597b31ba9d35e1cb415a1a729f126ea15a90adcd518af7f72cc06602099f35fcbeec1ccce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f376dee94d124c1ed01d6edebc85a357
SHA1 7fd4fb05180581b14283b894bc84d3a0bda3add1
SHA256 531842e2e962f3ec4f07775eaa3dfb0de20f8cc4ce0c739fe68cf936d6d8bb7d
SHA512 544ae1df215319bceb22f5b5653eb06d79f4d75e4a76f43ad79e7514230eb5a2d1e6017b3246a7fc162ee63fbe38e1f1d4013076e05f527cbad395b8fae70f89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04e49124d61889be50d0e3b5462ee3e5
SHA1 4863e589037acd97e827a285396fab3d03c2b220
SHA256 60a5a5761ab07f1af4d0d88c64aa892c376f57eb988628ff5e46028ec186386d
SHA512 7a08eb9f5ea55abf883384a0991d80f57b2bf277fc81fb5e2af764f9e8e0381ce4ab7ad756e4e800cecf5004593de132ef8b35884985145f25df3d0bcd30b10c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7796cb20558f80c0993893533c974a77
SHA1 c159fea9c6474cbb39e6b7c64009212541a5628f
SHA256 37e35c0ffd75e812ab8b98ced0a3a15d4cdead628ac232f461a600f55a5ccd28
SHA512 8a664769322536b6061abcc069c3c464e0ecba4ea0428e8afc1c1795b54e3111bb0b32efcea901e5538c0b654ddd98e41193126ae4f749eaa67c976213016ec7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a1d0a896fd34b7465ea9587bbf0cc82
SHA1 d1942f03b3317421b2d906ace855315e9cde59a1
SHA256 11414ebeb5a3f99a4ec5ca7b11e0976ca09747618a64ae879ae8c9b48d063664
SHA512 c2c8e59a28367763e8463de36d1d0bbac18315dc12ff5f6d6ca8f7892a0f909c371f2dc8db3eddaede6bcee38effee56fb1e78247a6a5a741745f6f643020b10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fca9d476061e570b95b327c7d6877a4a
SHA1 7b3694fed4a88860c7527347be13ee1f486df5bb
SHA256 c95317bb5285d11c1ece1d4eb0ba420d815091c4e5c8d67c933799af8259e010
SHA512 ad4d30605afb39e1dee2243f124910542ae6ec50c3821ff51b609395b8cee0de0ea4dfde9cc710414451a07ac26a410bec24c42b8091cac11b79718bed61370d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40a9f3745a664123cb849c06e5b4a11c
SHA1 2c921d872248a9e61b8f21e736b4e101c10eead9
SHA256 3705c3c8d0b76cdce5ea1ef7d51b104efa163c1ba994e802c4f9d81ce45e81f4
SHA512 58edfaf42a7a28a2e9e095a107509cb1aa1a3981e6cba32eebadb4e63cb46ff65fc83da5979fc7fa0d65e1dc7d5475c2fcb7eff353eb6bd2218fd6b28b995a8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd48cc6f82ca18f009c31f49069bc1e9
SHA1 5c4c9edc50050be2f6281f6c9c6b56ec04517d5f
SHA256 0605e36981608564d6b1695d0667a987a8f756f3ebe91d46c6ab9ba7ca30acd5
SHA512 2f2315d4f590584b94e17855d470d4c6e0951f9db66ec42963d582191ebef756b9b3477c17d5a9fefc6fc74381b2a077284c061c3fe94247aca5e6b09335c640

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c6b5531447fbbc6f7b01f9fea7dc6c3
SHA1 c95ef6476ea3646e44ee4693380851cd6eec6ae0
SHA256 cacd80d30ad2c0df81e61d1026ba24f521714fa96d4c32289e803ea4efa6044b
SHA512 c55490a7b38fb8e7192def928fdb04ad54113d1366433acc80dd95349c667c3eeeae33a3a52c572eaa830c41fffd3a7e8417d169fa6dff7d4fa90f6fee64329a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 195d51985378e26426f593d2743ff695
SHA1 e82dd3b2d78ec45a9839e3e10ed54628b3bd8e9e
SHA256 2320e1b8be17200757aab38f2dbb008806778210ebdd9e4c817a0d992ea94c10
SHA512 f2ec522979590a4587158b7f1855221d903fb7429378c170a33a5091e2c1969a1f85f00de66292a4c424a6e3a51a5dd7ec4ebd63ed53b071a84cd55bb07a6fbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a17640d356242bad8e91ebc7a20c479
SHA1 c736dcb5305edd15ce2a220655dae6cd99019418
SHA256 e6ddb034d2636e67bb75f9c1f81501b0a65a89cd82f18a7e438ce011d3a31d45
SHA512 92223c3ef9352dda1d09c58c3c01333cb455d6dd66ffc91c446cbde1f04435c80964c1965c6e86fbc701d023964e8f9f3f4342ebcd442c42f69799650bafbc30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d595ff713f5e62edc25eea6973155504
SHA1 b1d9ad824ebe544c9f9d7514086607ffcb744e6e
SHA256 924abcb5cc94627cfab3efdc003f17d5ab890fa56d773cb21c9b9d135909c537
SHA512 da5ba57772d4a2654f11b822480329cc1081462257d1f555d833a1efe6f4960126b67598ab5cb0faf089380f30e28de5e26f462bbe4a7501f6a5759a5e28d077

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e020bc427c4534dffd346d19edf36f33
SHA1 d3a8eb68e4301825715363bb645988c18945cf6f
SHA256 6c619730419d2757542ed47cad8998fdfb1b22415c146834877a8ddc0726d40f
SHA512 5d07d4bbefe129f6925b8bf706152d2bb8ddaf00e985c1c707f8e30b258abc359ab2bec07591fb30827bb04251341bc855adc8d72545556b9d24afb3fd575e3e

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:20

Platform

win7-20240611-en

Max time kernel

118s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240220-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\es\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07bc4f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954110" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a9384f4ce73d14cbdf07ed7047a6b17000000000200000000001066000000010000200000004e3b62e1b83a1c526f4f5456e9154ec94b66cd71824ff22a018778864e5211fc000000000e800000000200002000000022b881af1160d8430cc36f464764e691d571c7b13d34281a6ece052c19a233cb20000000a17486ff0168b125943bb9ecec64778e3da435b5da8b085f4cd880da6c1c63fd4000000052e190f1c71cd7bf24b324f2559b1c53f5ee88b5745726fc9a0fecb256c4345157513e159e95894ef362bf200d2d8a095317861ec83d73a44be93156a8da8858 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DEDBCD1-2E25-11EF-AD30-660F20EB2E2E} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a9384f4ce73d14cbdf07ed7047a6b170000000002000000000010660000000100002000000030547c11744dcc45a33a3fc781bfecf7cc33b5d1b4f3f6e5d29ea5944a79fb38000000000e8000000002000020000000dcb86cb09e9edeaf96644a7f84ef97692bdd2a20e718a5057372e7d0e66b0f57900000006a9d2fadd28fafb00e28e85130081e538e50c7fc18e3deae360cf5194df7800f20775488be4ac1b21960aa50f99b517b2e490aef495bfe5d1b3df52e5016c4a96beb23c31af56163bc1f64d1bf32458f57ba33f569a822d063dc5d436ccc5ca61f88f47b4871c1475b7b452bd208eb3c9c92b340c5d0de45bd65e5a058dcdcccefc0bd4b41127b62943169b58973723f400000001d9c3c865caf8ef11859c16018e4f93c4f4875c80f59853fd00e68a7ffb3a58a4716f5e6b5c0dc984a940288a4240f97126fdf426947da8bc79a86a53503b313 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 2476 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 2476 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 2476 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1780 wrote to memory of 2476 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2476 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\es\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab459B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar468C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 081b7bf23b437e8cec34e3814885be62
SHA1 8d4c6c7a03ea553daf15bf606557f27ae512401d
SHA256 d113705924a08b26f05d726fd1b45c4b37aaa59b95ed276cae87abd1eb49e6d1
SHA512 506d0b27e0b8dd8691c2ff54f5fca3582ad46fbb7162163d0506e7b4d97dd2d1a434b4f35d3d467ed8feb8fd56c015ebd65e54212a34b1eda1ed535ccccf110a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9c7ed6c7533911200bdeda851dc8829
SHA1 41e1a928f638cff383e0f64ca97240b6228ae103
SHA256 61ccbd5166ed0aa7a25ff010a1309364fd465227230b30af446bb762aea74aa9
SHA512 894304e2bde0d3826c9446398408802ed75f4fe448aac6866d91d38d981be2db5cf525c4cf2f77498406adcf869b59b55de5415bb744cc145af745c6472be353

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dd99f1ed24ba79324f27f70341e1f46
SHA1 9c4bddb1e4733035a1b3d1e19f43bbcf17481f4f
SHA256 55769d96cc0658815352a69425851d87dc7ab33f611232a0c69f5ff6c6c799c6
SHA512 2dbed783ab8618a52b1675bedaabed626eea02d85c374b258d58588b81ba2a46d8d759bc1c31ec06f0de21720b9360445f082f800d8d096e996f104c1a4a13df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f63f627d9f6464500186fa98efa14239
SHA1 98e291bc1743f426005f03717fda8dfb658d1408
SHA256 8527e447369a3896fb649cd5620abb2fd3e1185f2101064d254acbc3c199f6cf
SHA512 079c859949b6f481e36adf91c75a27b222b3820f4bd0aec96ebcb3ee83f3b15352789c3f45d5647deffb481efc3a2794e5e5b934241656c0249a737f0aa52b7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1aac20e2b734dbcd0ee1339a44e12ebd
SHA1 81c47d4161aff21798fc2212e66885030136a7c7
SHA256 773cf07380bb5b2b4976edbcb96d38f0b83c57a70715bf1615d88740196d0a67
SHA512 5cb29521a182e3cb194b901bdcf90e61b944a778a4c113f973810cab328a0711248d49a8b75c6fa395d131ecdd2b924877ee74826e09e8dd1104c4c972961080

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff87dbaa263dd91b0b60f114948efe9a
SHA1 81627d1f0cdfa1cf241eceabb5f526a84fa04dcc
SHA256 6ef44daedf077d2734f3624418a9de640a2cef41e6d66af2595a595824fd4006
SHA512 102ae4bfce23041ac07db0232021174abd91012aaaf66f25173bc4dfe0536e09b0b6fdba6d75f941b397ad5aea39a6e1c5c3f29f0e22efe2d62f771f342e17ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 207b9c8eb23db4055a38718b506b0cf0
SHA1 4dad982fe78abc3c7da284770ac60252bf4b0bb4
SHA256 0cdf1eee7b70bf3f05328e0ccfea0b7b2eb6d61d92b6913069b705b9b9defc43
SHA512 060e1aa81ede596671a2366a4e26ed2578beac872443cf3654e1a8d79b0d0d9b1b67b9144d7f937db594e2ba30d4cf509483bbb16e4027b38312fbaf7540b887

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07094740fec09b70d6fd979bd1b19b8e
SHA1 205d46399cc9328e05f12aa402d061f63b799d69
SHA256 df9eb57e3aa76c7795d40c9f15af271bf177aa1728d45b7a4bdce6f66842626e
SHA512 f631757acf5a46bee810945d3af584c9a5487a80fcbc414697a5e7e4795b4a7855b9c924c2d9bded99dbd5c3f5321c8ff474defcbe026612ba7923be69e3c56e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4948addfe46d000f8020dafc088ed514
SHA1 50c83a16a94b11ff717fbb6d4c0100fff1babd48
SHA256 719317e80a7c6363e2f4ac4c0f1e0a265d151becd3928ecc8aca67be1b7bd196
SHA512 e47835ca1c68bba734c8f00dc11e215df43e2d946a8b407283312e79652a1168568e45f9359e0e309ad1680e01dcd74b2a3aa58774bd8512550cf30ec1bf2ec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f96875bd3d66e64d0d34890f1cf403e9
SHA1 71a783e74e41649b51a7c8dc67aa8780b84c7ed3
SHA256 d3e19f755828a54b66e864900ffe6de00009a60b9b7abb6d498fc045a22ebd6e
SHA512 633590b47f4e61bb6560ba9cc25699fef0276ac8f58b891e38321823937474ac6b660d6b0ecff6a8249256d2ba0399227de774aa3067d15a713ece3de2b7fef2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7a79cd0fcfe3e15676f2b7e200b583a
SHA1 e1ac914ad3a3dceb85b4d29f54a97bdda555e81a
SHA256 f9f5b0f83ec6abe233bac5aab96c14531f0e538fe10cc35e50f900fc94ed4943
SHA512 b9355de66226618ec606fa1f2c4a7d23c69f23837f212372910b1deca241d4164cbcb5dc34ae6026f3b8fd80675ea30d69f069c01f5e386b8fca117d4ac5f197

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4207406fe3eeffc3cd260056b83fcd7
SHA1 512efe28188d052c483f7552bb83e6149d8812a3
SHA256 d14eb9bb3a8984ab8f3bb79e34301125c79414627c55fbb0adeba608a3194325
SHA512 c454a0236a10d48097673a0aae5ee4139754d2e9d99fc32236ba671ac607700a9035f3bb74d7915964236c3752e1fb2bf0a12f656ecf0bcd98630a4032fc689c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40f93fc61171049d2b4c08ef7e20a204
SHA1 2306cf2d1ceedf4b02fad85b7d5dca474f4bebe2
SHA256 444bf55beed9a4456589f17cf2615a8e13541477716a661f1fbcc3f87db1638c
SHA512 78e3b47b9599a731573e67487295f589173f35da85cc8b43cbfb6fa1879b6206c259b243e888b40c4c69ea12521fe645414d594434ac4d9ebe5038f72e0e0fea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7134f91dce41de2360429c1f8e032f0
SHA1 021ab4d810125fe3967c180e26bdd6c385f17630
SHA256 cbcf2931d65f55900a50c0993cc57670b1f6fb4ffe07f06eee6a747b7f82c02f
SHA512 8c0f503fe86741c9ac11119c2d67d54abe19dd7e4d0d3ea636c7ce26e52511919f3e9ae3ef33fcafaaa5b78d0209c4b174a03467c7846c5ab95d161406d8ffec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cf18a980150a570f608ac6e52c3bc74
SHA1 35050072394b6ab3041ca237e893d1b64a3bf0f0
SHA256 f3934de7e29c8864a88f0d5d22cd7c9d73e0b5c3350c27f3317226a920f9465b
SHA512 b2be25909b2b4a843be6569d7bf9ffe784db9bb187745bb38783c8f9e09c77f4f12a1dff9b549fb60e73d54229d21f01e1f4f46f8ef626a3b8395456db77d7fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ecc7252b7be02a897e971e4e92de24b0
SHA1 60eb59d9c4a57855832d3e642f13617081916b29
SHA256 feac1dc3901c8f82da924d2d5cfbc0717a86f3a7841e1e3a3b01ad42ed1bfa6e
SHA512 177633878de24b2fa8c954177b32d2eb23761daae7aa64a17962ca8f4239657120e24acb4c3beca8ff1763be68d9b12890be9bdf34e0cda6b176fea58d7b5d87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b42e94c8274eb1de2ca2da63a2351258
SHA1 9bc5bdf342667e47eeaf03a69e61e179f9f2c916
SHA256 36980ca343f61cbca8370344448ad99b2594e809154200af0157184e09796751
SHA512 196a5669f57dbb29f0cb20cb82a7c8e3b08f899361878cdf56f9fb941f5e490be0865632daddde1ae73ee7bdeef43c83b55760ba0ec8367f0f177d205da51d50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1326d7f616e1357526b8e4104a8f7780
SHA1 b3cdf9cf283fc5aa4e9563310fde467a5639be8b
SHA256 10e05c014e4381ab0c46bc54c53a074557052846f42217545428ba2a5f8e24da
SHA512 70ef8a559472098633799bc04105c3df3cf00aca5af59118f389ce09619906cc66775d2e5fb4ef5e4c7b8bdf837e7b06485bf99ca0227af7f7e22c497b5ac560

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aef5afc598429f728b94f0bc9d01c079
SHA1 6c96ea7d47965924519391e1b6785b477dd9c910
SHA256 7644af83f62480d6dd222900a6ad56273a96cddc488c4aebca0f055770019e2b
SHA512 c99d72ae6e6bb80771febc78b2664d6632ff22507c5e4b26eae1c6437b1b00fabd1d78c8b446f5384842334c1a08cd392ed38f996fea48c336093a58309f5e91

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

54s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\de\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\de\System.Xml.XDocument.xml"

Network

Files

memory/4876-0-0x00007FFD8C4B0000-0x00007FFD8C4C0000-memory.dmp

memory/4876-1-0x00007FFDCC4CD000-0x00007FFDCC4CE000-memory.dmp

memory/4876-2-0x00007FFDCC430000-0x00007FFDCC625000-memory.dmp

memory/4876-3-0x00007FFDCC430000-0x00007FFDCC625000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\fr\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\fr\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/4168-0-0x00007FF9703D0000-0x00007FF9703E0000-memory.dmp

memory/4168-1-0x00007FF9B03ED000-0x00007FF9B03EE000-memory.dmp

memory/4168-2-0x00007FF9B0350000-0x00007FF9B0545000-memory.dmp

memory/4168-3-0x00007FF9B0350000-0x00007FF9B0545000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hans\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hans\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3196-0-0x00007FFD2D290000-0x00007FFD2D2A0000-memory.dmp

memory/3196-1-0x00007FFD6D2AD000-0x00007FFD6D2AE000-memory.dmp

memory/3196-2-0x00007FFD6D210000-0x00007FFD6D405000-memory.dmp

memory/3196-3-0x00007FFD6D210000-0x00007FFD6D405000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:20

Platform

win7-20240611-en

Max time kernel

122s

Max time network

149s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\fr\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000034f75a6f4896ca67973a6ba3bc14ac50d18f4e4c31d985e66f194a79f448c53c000000000e8000000002000020000000f79cc1ec0a2b1a9a542a80f292c7759cb40bf8a614ea0590ab4a31a05ea19623200000007e383f6be31e15ac72dcd6c9ef4f63b0e942d004756523b45d30113ae573ca02400000008636e639325f6ee4f5469cae04bb29fa47f92ecbb8f8b1bcadb032869c344aa9befa37de350f27c0f118de03456e0a9de2b17beb0386991256a95dddef23985c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709c1bf331c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000161614eadb4fed170e333d5dbee06eedc623cb0a352e10243a9d250ea9907948000000000e8000000002000020000000d41eba19e2849eab2e2ebaaa4bd9dbbe5060988c91cb8dde4a90e4ff62368bbb90000000b843a1145b0a240b74aabdbd400da433409f7877dfe5ee46cd6cfb03a42b93818fa5426687b4bd01c74e7ea1e0f0b1764fdfaaa55ef5a1e572be7209243fae4164d380f568617abdb870c40c96a6242f29cf0d21b33599ced5d34a0aa622f8aeee1d0a47b49d3cad98e35d4b9e893a63522339c7f8a34addd851b135b46c2061c63aff43c287dba6939040165d6ea6f440000000f8c443c4c579a4eeb426b485151246892dec71d7e65a0cb94bdd563fc076582e68780efa8fe95e44eb6ca04fe4ff97a080201ab73387c22d1984147d40ffb345 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DF18D61-2E25-11EF-8B35-D2952450F783} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954111" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 1588 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2260 wrote to memory of 1588 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2260 wrote to memory of 1588 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2260 wrote to memory of 1588 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1588 wrote to memory of 2788 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1588 wrote to memory of 2788 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1588 wrote to memory of 2788 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1588 wrote to memory of 2788 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\fr\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBB85.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarBC24.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61260c723e6fa3c4f8b41d4c822d24fc
SHA1 a7a68577301d03b419ec43b76178a6324d9bdf83
SHA256 97036078667e3695fa780550b55a28d91bffe7c99b3973299469b98ba4e38f2f
SHA512 816c0470a663a0dc104104780b676253844d2501521f86fa9366491c1e1c66dbb3d1da859bfbb9daec3be43ed4abb93c6bbd7ec0a95b1005ca1626476f6fe697

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d78276fa019197ac48c44cc5421f045
SHA1 68f5dec67384fc59746ca983eb4e33c32d1fc06a
SHA256 9fdede2b9f7078127101c5319f599a64ae261c01b26aef8b52e66b555f10a052
SHA512 c56c15b92ec555d0f41abe6e48b25844783781bb1d88a2f42e8063a560d5661b2391ddc2d44c29e622a73f811768d6d4a0e013a67492a05a87c529a43e280644

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5e1fe0354431eaf55299bf6799d9f3a
SHA1 37fb97ba2a18aa2a99d57c79d5423a02c684fd73
SHA256 35e98130f95823e418349f84b5a81bcccdebe8f4a0aa6856d091cd5691f94456
SHA512 c234ac5c114fdd7e3615b0fe7212188dfd80d4d83364f8773f9a72289238801e23ca13275a594e34956c15217870e42e6a4c2dc086633c684728ff293e47c6e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58ec4d0f83a2714f84cc55a489361ddf
SHA1 8c9efc72a58034877361c7d792efd28536a134a6
SHA256 d482a321a3ceafe1134f0142bc46f1cd3886bdb77a5db30b9b465d06bb6136e1
SHA512 2133433902a42475580bd61cee408e50807d317f2b94c3421ab2d4131b0fb61f52ca144b15cea2259e916ccbfbb36983b59cfec9479d636e00d3a6aa15c1e28c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc4da733e78a50017776c6a1c7b715fa
SHA1 9afccf6e855e661750bfc23744ebf9c3799a43df
SHA256 bfab3f4afe8e162ddfd274d9e4cf9e19fbb059f5daf84334751c97914da7b003
SHA512 ff89b55c4b7bdb1a9f38eea4e6dd8d11caf5fdd029d3382ee22512afb3d88daca33857b278d39b9c49afb64dc75259a6ab9c2fde6e94d0ae23cbf656ae15f544

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7550b2d231d40ee3c6f31c42b0b4dd50
SHA1 95a6a9e5b317d901e75b032e7c9432db87b24740
SHA256 90ddfbf41e3f15f5cbcb4a631a0f301b378a31fe3c7fa45ef4304f9b379034a0
SHA512 567a850e5d0a1081b52da45f6d37814b3cee61c946b3375e7268834e08a0f8ca952e818087771ca1dc03385390f74937af32755f6b0b7356c1cd5fb739312118

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cad9f612ccfe4c55a7a388ab4666e0d
SHA1 b8f2fb5482641874dc828e8bd1256a541875c04b
SHA256 2f91c930f2ad6393030463e9be51cd4ef1cc5f0cdae9ca80ca48540854006c04
SHA512 f0030d45fab1e71fece6837cd2e864878d3d3469a7084a3a8f83e2d432c47d737075a5eda0c12966a78663d395a37bfe873d877758cdb7e4a9e3817aa48ff41c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1f63a0010b3c882316de1dcbdd3336b
SHA1 df504bf01d742f2c429cb6aff203ae53f401f0e9
SHA256 247b3c0103e1ce715479c1110fdce6e9dab6681dd32bc821488c7e59f9981f60
SHA512 c898b45174f53e645915abe85a0bdd9400ae41f6a5e6164b57fe0414b23461e62349af002c8e5bee4950d47682c4edc1a175fcf10ba6b901e9bdb812ba342b4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13b61054a0484d635cd315ce13f2826a
SHA1 210e53d454f3614fa4101d1fced75664efe78a53
SHA256 1c53294d56fb763600cf93b3edd36eb9894bedd1c6711b2df38778f0fe587e89
SHA512 f7f48407f458070f3b02211c050f81c42d1f51728f54b83731e852a6d8936f6fb81da8aa808246472ad4b890ef7576fa3b1423f99200947c92978aea111c7f58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c458ef2fcdc8e2f23fd7d6de124e5f9
SHA1 0cd72055472aa42ba8805545c00d5e79382d031b
SHA256 dbaa8a9491af166e25aa816a1f82626fa08ced41420c8f6b27e5c01f3b70511a
SHA512 a8239f56eb8cc8732bb846d6ea113e4e64f75f9feb16a63e7565bb161318c2663c9deb27dfe0e5c90c1f030f90bf2b43fdc4b40caf7623cb9080cfc690f05812

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4768ec2e22fc721edbc9c33a1e08224
SHA1 3831091807cf4598471c4382e32cc33194a2bc04
SHA256 aea1ba9c4c4df70b24853fb4e27f068f9dc43eda7bafdb34a7f527f60bd0f890
SHA512 0b5a074c8369ecc55072ccdf1f5c78d86c4a0cd9fcb8513b4db8efdbcce7a735415f766c80a97a8b8ff7224befcc56b34894bd27e35480e3dd7e6f9948b27ce7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94e94343ce0614f345a58dbd5700fab6
SHA1 19d5478115d92e4e4631f7c9c77e271ab2388b06
SHA256 c222770ae233e278c8fe4cf1ce23a05bc41a2f7038911199ce2ff43b1653d3b8
SHA512 f070c87d1b4d589704e7071feef4571b5b4522c9abef273bef12b09ed0d4e26fa95e552035a79b50621f56c8f298803da18e75c3349dad98f68d29a43e28773b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b2272125a250a3ba41898b41fd7abc8
SHA1 e29ba4098c4d1d991fdaf579b3332fea39f71703
SHA256 ede4dd2de13c6e0f34e54c5154b9d188ac7680aeefdf6a170c3203afa11d3d4a
SHA512 24dd9f26006d541a578007b13c07940e3ea971e7fedeb8f8a338fad00876ef27e7ab8ebfe67587bd7a45e457ba24205e518d3d03c3a7419ea73c4ab46cc77b56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45229e3d04c2c123a959ea3374d8e3c5
SHA1 38e1d17b51a59ae34f4736b8d77bc071154d5c23
SHA256 0801d484d9f1dcd983900b2df6b9412287af37e0ab0e135857125bbd953dba3c
SHA512 ca0b4771a6caf4ff83bc6682cf253beaed4e2d2ce0b27537a4632eebbc47480b256c4b6acfeadfff0640694ed770e508cca834a7c1b2d901af9a951b105b578b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4028c426c305c06414a762dba9f01713
SHA1 b3695eda35e5c479220541bbff45368c67e740ff
SHA256 ba0d4939c16090d8fa7193dee6c0cdf2dd7bc2056a5ae04ff1ea37d6292fbcc5
SHA512 0e65d84e054690422a6c5cd53a347936d7cfb26a72e34c0fdd26b370cb93eb34eb207aa46da3095fc373d97edf53ec616f139e2445b8595aea073143fdbd1298

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe39a05332a9ee5a0910f53e41fc15fe
SHA1 1e5315a5aa33bea32e44d314eb21ef4e29ff58dc
SHA256 b15f9ded49cfe0cff7cd146423d3c4815080763de787511c9e23160a7fef62b6
SHA512 14bc8f76b6cf901888ce1e09991c8c35e555f7d287f424b4b710c0b02164a72e6f023b2cf92c24048fb50312de2c9c0989379e7788e62cb2eab0e3463fb6f589

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da5f85a77885f162947fdaaca7c20e0b
SHA1 f92195d782a74f67b3872505d1d2b68a594eb6e0
SHA256 28473bebb67e41e44bdd63e84e1fbffbf111fa211c3d8fb2c2af46e6cbbfdeaa
SHA512 0a3cba582138358776080917fe1e092d9d3193fb904fb46d5e22b187ec0a079d1bda0bf3b04e64e3aa056573aae21e70b319c33b5a3bed73f3ff1fa1b1bb2e26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d79d1f1bab7e686fb6f58354025b2585
SHA1 b34a7e7c969a81e9a7ab76e48ad2695a0f7ada9b
SHA256 03192bdf950287c7fcba8fd7a6e9d1dd7bafa64eb9d08159cf51bfec78ff634e
SHA512 1dfc893bff47c8e3b7f1886361891a8b0186eba927125254706c6f4567fc9e9f5ed4e1c13eace9fd5c1912526e5ad948e0cf74a8cfc745c6390fdfdfaae8f7b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb0ee65630105f950f4f90dbe4e117c3
SHA1 08cd5bdbb3c52d579d9d3522f3baa5a00c37eca3
SHA256 cfa6c0687e82fae3f1f53c8cb99b18fbdb21238cf9e2759a1fb5eec03329d0c8
SHA512 5c7686e07ae57d8a37404dd8c55183b4f4ed9ca715c9238ce2e3b5489e205782cddb89b75e6ad5c4e64fe80b73376e89bb68bfe3d9877648a2d93841c5e098aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0b9bd8b51743414ffc9420440f7222a
SHA1 3e855e63d68d51462aef4dabbae5d4f35a4e63e6
SHA256 66230ac43e52a37e69396e43146571743e54fc2c090b191a4e824c09fc79affa
SHA512 df74e32e7a30fc9f3d0b7c14ce3a2b9f6f39b4eaecda9a2755bdba9abf5799b91fa04b93956938af701852d9ddc9db8638c53c1e867f7ded2e971aaa4e89edbd

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\it\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\it\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3024-0-0x00007FF946E90000-0x00007FF946EA0000-memory.dmp

memory/3024-1-0x00007FF986EAD000-0x00007FF986EAE000-memory.dmp

memory/3024-2-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/3024-3-0x00007FF986E10000-0x00007FF987005000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240508-en

Max time kernel

134s

Max time network

134s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hant\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000010b2ba798eec3dfe43ebd2b078a6386114e1083bec272b715e87fb60aced32a0000000000e8000000002000020000000166c68b211b4b26f1eeb5a76e1e2a660cd7cb141431ed62396334d5ceb29acb390000000b45e31afa69512e67d3cc5050660c85430c1325df99d9780dae9a01adee8678a16311aab4ed5af32589933db3de33cd5d2cd57ccd27b64aa9042d15792b485be62381137ba55bd4d7e939a88381b746d2f581daa6e048edcdd8cd37c59df5598b8a52f3b4d4f08216af66e3a0b351099679733048146c6f345959e5ca6a6872136cf5330b8853162257cb5a47b25e40640000000d9741f34a15fe31895a47569b3d140cbe648f45fa74208e977963eeb55ad4d42335f48690c9df44eae8f55e29161d9fbc1e1b4ecfc634bba6094d3cf1ab3d020 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954110" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E115A01-2E25-11EF-B6D8-6A387CD8C53E} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000000a424113ce535fdf02bc1000bee0453872ce5ff3f3ddd96f2cf3188cdb146128000000000e80000000020000200000001f70ddb719255b0333498f603d2beaee130b9ab877626f91ec0bed73eb75ed7f200000006c361d629f4fa62d07f03559e8d4bc0344ce8ee11756ed9a5f494635b0f0e894400000006d8862944a52eef7c11113182003a50e73d3dc64f7bd5936af6858da42100e87a3ec323aa4f0a3d806c040df9dbeabdef5713a672cbf04d40b786630bf7c281a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60dde0f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 848 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1672 wrote to memory of 848 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1672 wrote to memory of 848 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1672 wrote to memory of 848 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 848 wrote to memory of 1344 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 848 wrote to memory of 1344 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 848 wrote to memory of 1344 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 848 wrote to memory of 1344 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1344 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1344 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1344 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1344 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hant\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4C00.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4CA4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06fecfa041ed94ab88c1c4a173ab32b7
SHA1 28a8afc1ae62eee8dcc8d6083f9fe2a346e30a0a
SHA256 a80e2686d7bae4b3de7775cfa52641f35b9cb0773970cedd52b995541dcc178f
SHA512 99c66b11848805d425287b75729d5c381f741186768adbc6ea3265823ea67e1c2527f6d74b79264c0d7535522fd9275bdbb63f58eec0d255613670cbb4fbc064

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2c3b54fabc5d662bb50ef9e894ace1a
SHA1 921111454d5cc590d7040050ad4b4fe22f7bf66c
SHA256 8418c9c49c5433f89d42c66f54e76a0450dd42eae85cd4d92164737fbbc352b3
SHA512 09843b85da63eea9a9f1c6a53976d57641b46c7b8ef1213053b8c6b79756285bed45d35e9f6d9c6d2fe73250ba8715cfed1bf73f940fe541277aff6ed2b14162

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c9f022af8dd5cbd3cfdeb1a5e2fcf87
SHA1 235d8c0b4bfd7667561d49b1e84f5cc634d66e6f
SHA256 c2fa3cb3085b1907e1b3d05c9b6e7388fce4a7e4c29de7b604c0e9775756ec32
SHA512 c1084847c2fcc9e49bdd9c60007b6c74e13b3c7645b63c0e5e34cede5d62e09bd38b714741e91feab106a59ccbda4acb1bb1a8d20151a0401bb587f0537537f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27f04298d35d3ddb99a203d77c36c981
SHA1 4469941e0eb03a6795786b1d604ed8b59eb8b1b2
SHA256 0197c43f0d2ee3c0571933dd04dbafab0004f5227c79c5f55f8b8955d68485ed
SHA512 9ce41b7910fd25f52fdaea810ce56df0f067bc62ae9bde73a8229f0f39f64d896646062ad3ab3b4034f761b530f3452f0c06f60d8ead064bdf8d0ebdea067aa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36f97eda29cfbf1aa267aea5336ac3c2
SHA1 730b5d1209b678985b6395b0bff9f6d6453f469a
SHA256 dbfe3a26b7de77b2a41e773f0921c6a776f2052752ba3bc1337778ab5577b5b2
SHA512 334129e7dc273e75412e42ae0736e69f50ab9a0d8fd87e45304d453dbf6cfd717607484867de996d71bd5a6663b4e219bfea099bbcdca96c75aed845d5e07eb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8c7720d522429ec3743f9c8e03c8a1c
SHA1 4138e5774d565788f9d55d94022abc050208254c
SHA256 159089c326a23ff84c045e9eede19ed328b6aafe8580a07c2998a9cf3dc4b0a6
SHA512 dd721a6305427714d22d905e36e6607bb12322eb8af9f0b10d5b483082e9f1f0d56ef478f95b722663d2f43c3f7b92b0bc0cd3b8ac87df4933df3c784c4edf97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22a9bc1ba896d1497a160f5cfd3c3314
SHA1 33d8c5a9e1a4d6a830376b1731a1509ff255b04a
SHA256 4ac2de02d427cd31bb499b6f4bf802c93e84d0121901c24b257db425a1cce468
SHA512 7a871ed6eadb492c8ad370ab92a1288a3caa18dc8cf7151c99e2686e1e22b09cdb71972c274a6c80c15221fb4ae65efa084dcfd4325fe409bfecef5b763b31a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c176d03b85df15d6eba537fd6a7c15f0
SHA1 b2bd35111c8a837a4393d78415e48b17b63c2305
SHA256 bb93759cd3d77218b917b65cd004b0b8bf8edab34adfd36d2e0fb62d9cb75934
SHA512 5c0187d2be0e1e792053104079bf77d60bf31315c4cbb226fced16a82f1904f8d074613b4cebc9e4b1d8fa595aaf2b74bcac498bb50e58a8262089c989d72290

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfdbf16172ba1c6e1c4e4fae68387336
SHA1 1b147746e16979d0f81e562845a8b4e51bbe9d3f
SHA256 3546b5f53540cf569803d10f6eaae86961005390293806ff7deb0d983b605ce4
SHA512 c6f9c8e34bc1dc270275f558c05c6a9f322af095bc0888b384eb0de48e8890eb918956a8ace9286258b5d17ec2ca50219e94df5c4b976d75c093ea1e97b17010

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72272b1a2be9facb45dc78c6a1f74521
SHA1 f40c3857bfdf117b9f26798c3070c7186c9e0641
SHA256 a52a9f53e1e38fd64a8e821cc0ee6709c0b3d9c81a1044666966753afccbbd1f
SHA512 b1c1d78f7b0c990d6a979af086b63a02a20f11e3aa50394549c6b958e2808a0b32ddea0276f070026d68518541832946dbb79db86ccab59f19e7b69512795e7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1afb3d3c831951ca38a3375128fef9a
SHA1 d68cb792704a5a040cf164113c26e6e3b1b9a05d
SHA256 672258c02250866c01782eb8f2fae257891a460859432cdfea89580519f4497b
SHA512 7bd5a919935a461f0bae692dd106258cdd8b22ed137f629c166321bd342aabf01e3180ba4dadc3088518bb9677eb081cc63d72581cffdcaa98f05258d91f86c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f4e1897ecfb3a0c9c630243042f2d92
SHA1 c296af4ecf696b14f54a543ce236067f4d8fa9e9
SHA256 15a484a863aa3320ad96c5d7fdaa8c11a527a64b60161b481ebf8ee01f082412
SHA512 2218f36f2300b9698ea1d983545f0d6ea076ca0f2e7e0fbf73d3f6c9dd08d9f96d45d8272b6a713c3d13eb66164f5404a18941875ebecdcb3bf8a46952062a7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3926a72614023a7af6acf3cb6f6ea2b
SHA1 c4a4d628ce7ae0b1f07640a9d3ddddcff98dde7e
SHA256 33c622341bc36abb42e930ce1723772f93f0ed47d612a2f7752ee66f85f242c2
SHA512 9b6a6115bc63758d6f479df8486a1cc0fb097d33e70012f4ddc437fe0239737935c4ae03e2fccf9d9e9af9939049a273e482441987a395a52b86dbc7c8b5652b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fff25872c54aa02cac4c7a31b115161e
SHA1 c4f10be737cd1c8cc7198c784b26a2a1c57fb9d1
SHA256 dbae785508673c836a5ec12697f8e24025e6bf8fbc41d87fd70585bd77d1c2b3
SHA512 614849e897afbcfe43e8404ba183a4fe8140524f4038bb419aee521a6214ee38eeb2bb89a8acf6fa90c5ad444c0a4e8c7986e2327bca6c99e9a42a05df6458b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5519d9692ca365fada7df554a8c33595
SHA1 fcd15ae66ebf9aedd9552704a8ecadf85ddd46e7
SHA256 07de96e6b02f1f004867f42fb03e3eef732459156e5e8588ccc27bf7180038f5
SHA512 dc3415779878858faa8f4e8fe988d97557bebdd6a7b60aa033adf52c4ca09ff321615dd1f83647e72debea9843b3285f5e9b48ab59c7c33f5e564e65b25e7160

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb303cb03e2499a81e6da88eaaca9de7
SHA1 032869da538d5674492ef97fe960314203269ed9
SHA256 4d4e2deea603ce6c978039cec47238e48e96bca26a2577d5922780f43cac59fa
SHA512 45c4d7bc6795b0464ed106084b5bb1079d04627648fb6d95685f3a33a6867e69041c2d45f45c8a0b1f47012f8277de410fde7634f6197cc299d6ada2d3d9f4fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3173d81036c34aa8f87e134cd21191c7
SHA1 6338c414b2aa6ceeb1a5dad184de4f05d0a6ba91
SHA256 9569c08acd376c3140e757c89ca2a212b79df01aa05c26a72b76f3575a3e553c
SHA512 86e7960c62a0e544c3aa127ff709ad94f11c51477548f6c50346cb2e89f31436da3f41ac56cd65c56cf28bc9f645950ac3de8634ee304caedde8b4cf12bcaefd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97ba7ae62a992fc8c6ffc77dc47c4088
SHA1 b45c693109b38b185157c08e7c61ff3847ef6647
SHA256 18ed9227136e2f94ebcfc2025e41eca4355d73bca1a08e020ce77ed680516116
SHA512 ec1896a340bccf3be5c4fd25f27ec3422b1cedbc4c2f80de7b402b4f9e92244ec25a4f71740761318619dcf3edfc49c2951744a0ae7e14c63c70cac0d9d8d793

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240221-en

Max time kernel

117s

Max time network

135s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ja\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000040f5497ebd425640bf32eacae3d7506e000000000200000000001066000000010000200000003496bbab17b2c6762ee14684fcbdf5b39d2d98488eb1a09283bc9dab67a6addb000000000e80000000020000200000009878c3b2c7077e6d9aa79a5980cad6e8b7aa16344627b9d739d8ba87487766f9200000008a7986d74e3e8a31ca0aca0fd0f7e795e2b23cb408948e68d98c7338f604892240000000da1b1da75e78ea3ba8246f4977fc736466c3cd153dc82f2eaa9853356d11f8bf922bc5b6fc7499158fb6321cb7c95f0462aa0c23ea7885e7020d07d0791b4390 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000040f5497ebd425640bf32eacae3d7506e0000000002000000000010660000000100002000000060408fe3e3c94d2ac5956c97be30c5dd8bb69af1b1eaf8dbda511f6a107f0fae000000000e80000000020000200000001f8413dec54a79a371b0bf20d4c670fada27a89b586ae40876ab3970dc5a6ca790000000c376460e4ee22c90ce061c782679b3c00a7569481f8ed07cd27bcfc927ff28d339e191a700fec840297926fef993817dc11bcb963cb52caa4404680793a534e0db757a356e428b19d0c25056744cf654399c0c44fa5cd06e45b8c4e37a9bd8fe09a65e183408e9f37eb0b57093df260ea4539105dea78b5ba7f467ec747414efe77a2035b6456bf331ec56575799e41d40000000b0c4b66a6c2ede9e0dad32eb4851626310e086d83d17929e6068e5db0d26b02fe6c7d61356284b4487b7fc1248f80e5b570331719cda3abb0be9dea93fbcb490 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305c5ff331c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E6E8591-2E25-11EF-A38F-E61A8C993A67} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954111" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 2184 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2748 wrote to memory of 2184 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2748 wrote to memory of 2184 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2748 wrote to memory of 2184 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2184 wrote to memory of 2216 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2184 wrote to memory of 2216 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2184 wrote to memory of 2216 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2184 wrote to memory of 2216 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2216 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2216 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2216 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2216 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ja\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5785.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar5867.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f032588c4719bd90dff096313fb2bc83
SHA1 b26da4e316fdf01d11df02d7f409859b793ff6a6
SHA256 562ab11da7c585b9eedf87c4ecc90010ebeefed65ef6fe8eaec0bc96650a1a24
SHA512 a6d6af53561cffdbd3091849450403680ae4dbf34acc809c4ded8e0b222f87aadd1dd22d2892882a3d3431830bf080dc5c45b7d2fd57a3e56442495c6bc9f304

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 213cbba512386bb7c111cb866d18c248
SHA1 134faa6c94476bf7501e5e5aeddbf019298ad6e9
SHA256 ec7f09d953a64dc9aef9cbff54916b9c608872d77ae7eadc4032b27fcff0cbc0
SHA512 efc9371ba4e6dd1a50caf1780d1855c755f1e9800ed0270d37925fc89e8181a46c4002e2cf0eb110fca4b7d51a5de92e95d28592b79592882f29acb4e3fc6c0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdf083d2bc3b57206f3e656d94ef88f3
SHA1 e4693124fe3163b6afab61902cae0cfcd463cb2d
SHA256 08decf15cec3643639abce220ba992cc242c44118b987d4e0cd1b749eb3d478c
SHA512 a2db6dc350aba147e18dcbe6e2bc90c7fd28992352b3682375571f9bccdfee2fea9f8bf0bdfd1e249e0c006321601751cb0833e0a13acfe44c4351c64d729bb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d77633e84ebd6b9926bffb56deb7bb64
SHA1 bf6127abe52855a119acd3ae616be871f5d8347d
SHA256 aa04f872033c11866f213da50c2606d1bb57cefa567343a89b857ea13e241632
SHA512 0bf3e9b62c40d2f3b9ab1bcdbd0c38a61f73067dbd66a4ffcf3cfa30e020cac273ed730641ecc8485fd0a1f86704763db70664be9375bd2c12513884c3daab16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88f7633f5aaebdda648d4493c66f08a2
SHA1 81379a0669f338b509b9a72ce458103539db3f18
SHA256 1580035e7b1b9f29e8d65516f853d0fce87f23432c7c0ac0bef15a58b498c845
SHA512 60b054931bec5cf73a0947b2e9774c01409b4ced9d37c79153b82de5d4b011457672d92c80627ab5cbb5313bb109d73e1b21eaa253844fbe4319e7a6a914bbb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc677527a77fe11bfaf51ba4ebe35dc9
SHA1 7ae7a4916d3737861d6b41b3adf12a243238afff
SHA256 18afe62157a5231f8c5d5fa2f634f778f07903756739472a6b8160795b774d02
SHA512 b26b590cade4302d528c9b7d7bbff8b888c7ac7012e152b7da38783509092574af5172f1f0aa56f311e468d77cbe291c88a53b1c7fa77512de9eab4d2ae0c93b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7a30765882066aee0bd0951230a7c39
SHA1 5e0d1cf176e17363c2a286b07c4c95dffc59f0cb
SHA256 04e5af05aabf25e4b68addd811abffdc0cf7d84c747705af61e3968ec5fb2c32
SHA512 673c2862eb07e11c648d4cc518bf9f0a031e07ea74505e21448cb04cd86892c844367107f25179eabc62801d0a6deec7efc62d691759d39978ff7caacde848cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d806074a53da59cd12fcd344ec29145
SHA1 d68a6ce0866870a8665c7a5f52d1bb0ccf806226
SHA256 e3f95afc07b8a993ecf1d644715d921dae61ab77510302f2cff41baf512b297d
SHA512 eb5072f9655a112b0d70565532641df665640a1bc3ea35dd6b34413619b8fa22e857f8880c110db3f06aed0beb3f47fb86a13d5319e2d6fd6069c51e27328654

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bff59659085a65249fdbf5504bf7154
SHA1 cf7d4eb6c27c51b7a142412c1789fdc5959cf7c3
SHA256 cbaae6f64b028667c3f972cf6f64da3a0e1c2d86f3503fb951108e3d7549eea0
SHA512 319ab86970f6f08b2c7fb17874a1c36d7bd3e59c8e1ce401d9700a5c691367bfe38a5f75ff1a9e7344bcf7f177f95c8e34c06406dc15a7246662ec4abbfa76af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b041f247fd2d2dd810e91f2fb27a8428
SHA1 c6ffd6d9fd136e4d2e7db3c6c3adb9901df87347
SHA256 3b91331bb2e210fb697e4d8766970bc39769b1cb83b1ee825c1c265b9f8d7f07
SHA512 721a0bb1e81546dd66918f5a9e1d8f04fd6f911af99e92d042ba06ca4ba758d8c30e679c9cf2f706b6ba54cd630f91507ae280fded7348016fd58e4c92184563

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66d2221c3d300e9f58f4d5fbb32c4a44
SHA1 765c7a22ba1957b3647d8bbff4e21030e36e4d0b
SHA256 691eb8a34ab354f683a3c1808ad7fc7534cae6c6d82c5a34a0a147243c836415
SHA512 afaaa672310e688103cb3e3c3b2f1b8ed1d4e97508a7ebabefd33940d6624446ee2381411553db0a9061ea0f424a474169cae0d30d7cea60ae3cb745a184d0fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 626bee994be217e5dd10e253234c2ece
SHA1 3a6b2205b78cd4ed62f586bcb2427e17abec0a52
SHA256 ecebe7180a37eada91addeb3f3eaaa671282d7f59121a5f2b13723f7b76f3348
SHA512 ab3f58bc6d296f236f593f8f3856eb3277a435c3c57133135017a0d50c5efeb9601fd7b06cdef126da6acddbb8f21fa4726644460a6de6029cbb30c72182e1a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e4ccd2f4a4471a61bcbd134f6562765
SHA1 ec583cfb15bc857c126cd49f5c2f34f2b9262d00
SHA256 c95a92af4ae5aa16b7439c8e6f633ae21b3a5be398e7d8df0c6053c34e5ae4c3
SHA512 0d44093da3da0e3f7ff080533296c67906b5add54ed7d5f1a75671b90e029eb3f9ac713c127e08193812523f83e1d0ecd8e8f2939d92a54022660c80028ee0ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64cd9716bac60620b37aca9b2834b3cf
SHA1 0645248d12f7e02ec90c4ea85471f32825219c24
SHA256 308d3ce2ede6f75868a3f081fd00034dd3e177320f87787c5f367cef4d5c8553
SHA512 770a6dc337e1c3ed113e88a3e8b5144f33ea54d57a7fdc71e150b866e4b4ef2a10fa8511b0fcff0151472e4160a46f89adcdbbd714a5dbd8910cc09829640ea8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a88791df318f9dd37462e3f83af8e911
SHA1 ce03a67173df5d83dfabbc5d1ce665fa0fa12e51
SHA256 25b45c014e68ad2e4c1f35193deb9cf17bef63deed09134e222319732167edbe
SHA512 053530e3dabd605ec8d73e6ea089e2e223e89ba0c28392fabbf20825142d3b15e5536ec250c4adbec51b691eb177fea89725389bb9b4e02fc0b747e12bc1f103

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49fa9622282f367eedc7828d78e02dfb
SHA1 5950011667bc057139324fb9e670037e906cfff0
SHA256 5398ff5fb0df652c90e68b4cd63215bafe4cb6e027bc807a532bc2971991aa14
SHA512 e36c71efe05938946c133fa3a4ff88ed4201f8b173182e68a2d7e9c36fe644e498a0ac444037579757b16876a63e0049564bde97e397ccbb901d6fa90d7392ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89b4754bd83f58a0ce7796d8a2b5ec14
SHA1 5d2c121c3ca30a1df2b166c95336b7266713ae73
SHA256 67f7e7bddcab176249a5e63fd79e0e6ea3364e6dc439228c90713e0caa3fe0c8
SHA512 237a8b086738fe63f0bb4126247e183da1754d159b3ce3939f11b6680af87c0ff3cb14098aae76be5c3e83ee774fe855ed654ba43050cc65389626e9b82390ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27df5ec108e6a26a1165b60ff55a1e93
SHA1 4027e60ba9242061c2a5d3488f162e273c4908dd
SHA256 c98d71130e544c6306a05465007a4a83e4111587fc963418bd6983e4664fbed8
SHA512 d619970f75ba1e926a47fe59a6418781ab8172946fade2e86afd85335cb6020a46015e79c2f09179c0326332c3f3b63d6555e9db5ed775e0450c2b5002b08e81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1fc31f1dd00c74b432d566e0b6d1c34
SHA1 afb23c73dbe3843206d4e1f63fcdc02347311619
SHA256 4cea888efb815b2e32f93af70fe8b6d69227d50de5b07f6fdc77c9f1e38dc068
SHA512 f265924fef803b5b57c83c8b5601828450d7faee83401440cfdda570e94dfd62796404b3d89e40042a78baaa2ada4c7b6f37c0be011820f997a505aa65a5664e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fce0bce592938add8fedf21caca6416
SHA1 73fe437c89457f631d67e33abb7bcedc29e30423
SHA256 ab6f18e720a33886d9b6aa1be574f7b0965b61f075d5a57406d6815a31afa58f
SHA512 6ff374874a336d76327f942181573c8879722cfca2eeb3c6308cc9c1a1d6afdd4fd65ac71185d7e9087fb3d436c7cf40c823c8d2bcf5309a28b92fb3e1ffbbf0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8634fd0e919ec861c32889c3a5e6f025
SHA1 738bc63e1a3a846630921ff15db0d8fa569b455c
SHA256 6b190ca3ab276e5b8b12b7327006c8970cbeba7d64882bb1e7464945c6331ce0
SHA512 1f6945fa34dc1b0885167a0b3e8b534ddf9cee6886567247aa4c0ee5081d9e0ad87991bc2553c153a1439b59216900a5351cc0c848a29e7dce74bf15e565e8af

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

46s

Max time network

53s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/440-1-0x00007FFFB688D000-0x00007FFFB688E000-memory.dmp

memory/440-0-0x00007FFF76870000-0x00007FFF76880000-memory.dmp

memory/440-2-0x00007FFFB67F0000-0x00007FFFB69E5000-memory.dmp

memory/440-3-0x00007FFFB67F0000-0x00007FFFB69E5000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\de\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\de\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2540-0-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

memory/2540-2-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

memory/2540-1-0x00007FFAFF12D000-0x00007FFAFF12E000-memory.dmp

memory/2540-3-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\fr\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\fr\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

memory/3632-0-0x00007FF929FB0000-0x00007FF929FC0000-memory.dmp

memory/3632-1-0x00007FF969FCD000-0x00007FF969FCE000-memory.dmp

memory/3632-2-0x00007FF969F30000-0x00007FF96A125000-memory.dmp

memory/3632-3-0x00007FF969F30000-0x00007FF96A125000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

53s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\it\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\it\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3512-0-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

memory/3512-1-0x00007FFE4F64D000-0x00007FFE4F64E000-memory.dmp

memory/3512-2-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

memory/3512-3-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

memory/3512-4-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

118s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\es\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\es\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/3832-0-0x00007FF970870000-0x00007FF970880000-memory.dmp

memory/3832-1-0x00007FF9B088D000-0x00007FF9B088E000-memory.dmp

memory/3832-2-0x00007FF9B07F0000-0x00007FF9B09E5000-memory.dmp

memory/3832-3-0x00007FF9B07F0000-0x00007FF9B09E5000-memory.dmp

memory/3832-4-0x00007FF9B07F0000-0x00007FF9B09E5000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240508-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\it\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954132" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000b55bc09d84cc1d1ac67d7e1c57b17dde9f7ba096f69cd30e6287e0d1ebcbc24a000000000e8000000002000020000000bdc416001b60b569938368953129cc323de961b0a1c2ab1ca6ee4e2ba6ecfe4020000000a0d170c1bd9ebec8c769a76152a8a64cdb8ee5bea72a81f082c59005ff5a072c40000000c9b7ac6613467a894b1c01296470cadc272c3d4982c99f20737a04229e24c4ff6e79acb09e85d3ea159ef526ab80a451bd1e4305b6bb05d4ea68953c299dbdf1 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909cabf231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000002f3ab21e6cb01b914db1c3d8b86f90767b6f5c3c64a2cacad3d2394cd4a46fd4000000000e800000000200002000000025248dccda0ebfcf45d664f2be43c7f8af2f608f54c6149df900f7f101f7dbd0900000009247cb08b1f4ecb6f818fbcd15c3b354b2ec523a1eafecb20088c31d3e15b139906c07d5bfe6c111e23396ead4bd197cd66bd0ccd00a881d4cdc910d7c8ea9c25c7d6fbdf222ecb959f6b7c22f09e65d5981365caf821fb60f1feb59caf81ff1b8e7f1ccd221480d90adf5d13c29a816ae0ee3f5bceb6ac0302907af714794080c320358a35e46a231013cf067d86b9a4000000040af0d82c9e7686c197f3f19fd0b0a562abcb36276acf2868e3d6fc4839db8a7707e7ece4fbf13c712071569c582ed77bd6a7c598711a467d083c4f6afddbc38 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DCDD0F1-2E25-11EF-8962-7678A7DAE141} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2084 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2084 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2084 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2084 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 wrote to memory of 2312 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2084 wrote to memory of 2312 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2084 wrote to memory of 2312 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2084 wrote to memory of 2312 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\it\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240220-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ru\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954110" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5020f9f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a69260b98522794b9defd9ebe1e4f4a100000000020000000000106600000001000020000000e3eb723cf3957d0825f4919a9623c6397294c3cb3f3e9491d68dcafac78eb7b9000000000e80000000020000200000005c1cecaa3de69ecc1075726e4c598499d5d290645ebf9a8f8fb408f19d9b96e8200000002a461fa14c870c615222f31cce2bf0b12b630f99a61f7dc61379946f4ce1865640000000315796854338867d2ec9b3ca908604cb9c0fe17d765811ee564abbaaad1e23d633d78aef1255f3ea304bfcd54fc043543e8a4f4e6f997a4eac163bfaaa9e3bcd C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a69260b98522794b9defd9ebe1e4f4a100000000020000000000106600000001000020000000d1576d0af4897fcb645015930d0dd20c8b04205b72a5c94d1e2d99c06ede3fa3000000000e8000000002000020000000d6ebaa6da0e0c74bac4b3be9c7679cf596ddd96e8a1747acb09792cabf650095900000003cceb3c976251e8872eb282ec03467efa0791cb8d94233d29e78fd58ee5ffbe3f18bb70737be9cc9fbacc2be0f2e73f956e1cf0187766d9d24b9601848636bf88092ea1d5559cd73184584603ec5f92cc1e95e3b1b7f4a7d639d31d27cf61c221175d173c144e24ac30335d911206e98ba0fbcbb187c76f4206d91380675f50992f5f720d68d66b6fdffe939683094484000000099248c8d0a28a488283cc34920ddbd881a80fc9e951be13df2c75d0391597a408898df0c2dd18642a4903e525ad9835bdc8c0ffdbd2331d051b8709b3101ff81 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E18E3B1-2E25-11EF-B54F-5EB6CE0B107A} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2532 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2532 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2532 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2532 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2532 wrote to memory of 2528 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 2528 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 2528 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 2528 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2780 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ru\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab38AE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar39A1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 050351f1acc5befc5698c8a5647ec990
SHA1 c6c52ea15a51f112bdd591eef2199023b79b1073
SHA256 a0aa72e6f8a13b63a478debe5df2fd26b27591adf3445dfd4f3890c94901142b
SHA512 0e5bc3d72a790aeaed9fe66e6639f3854c72ee33994775d7b73d3ec25a8f9ced0f3f487f7eba6fc8987d0adf527c7081b6a92c5f40b1fa2f8a706c86a001eedd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ace81162d36be5f314dcccedd5b8f501
SHA1 6cc86e401bd2ef2f6ab0aa1c6a9e69eb384169d8
SHA256 1f60a9b4552099a6f6745f91209cfb0867ad670b56b5f648e27d78fd6c4c28b5
SHA512 79d5dbda268a3e6208e990808f29806d2438b596fe5ec817165b25cf65cbdf6217852916ae9dc715acd08dc6f1bd10cad8b3e741b566d6cac6da5c56d0abfc45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0445a4b139a7d6487ef260b12b806ae4
SHA1 4441f0795e5b1052680f493aad3025d139735db2
SHA256 976715319d2ad4239fabbd02f1d76342499b457fbcb1612ecdf022748fd8df77
SHA512 e30116e7756e4cdcd7f52b0724a994d5fa87d25956eb5b9e9f9e011a47301a5a546b0afb2d22588eb8ec9c1b36a29a9dabb3fa1f0bbe62f6bb5166d00c5bdc40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f67ccdd3790cd3fdf377c3974139bac0
SHA1 6cfb97b99fd7a5744f55c5e41e28221cb693b7c7
SHA256 6785b1e87177d98a9d47dcce9aedf125598cea8f0f167809880a53c6b44f380b
SHA512 aae118347c7b297671b4ac12739ec11eadd1b360eac619ec8689982c1c16ffc3385752fa5645439af4b4fd32de41ac54c55d0343fa30cbfab698700e52e9fc3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d84730febd4b21f94c9835c18c22e514
SHA1 4bd382c308e9ff0c88f65a5680157be9dd324fac
SHA256 0af2b6eb1bd34ef2eeb99bcb472e42e4b30dbad9282971acf1822fcca6aec70d
SHA512 cf303a420f172a81d493635d69b140ec16d2d05cd56e7ca5e681ccdfa735566ea8187712fee48604c3d6fbab31e2f361fa5902726ee794bb670af20207aa6148

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb405b5860dd1d2a61c74f1d5d7d13bc
SHA1 df83309e23672f68074f1103177cc2fec427b07c
SHA256 62bee67afe5c2618887bae278250a9d48018e90d2e93323594ab5520cc6c19e2
SHA512 10144c3dacc01284c1b8ea6a68a16405802ae3c2c8af898a37d77c5c15ac7ae07b2301bb76d5acca8557a9928116d9adcb55fa0f92d44b976f306cd24bfd9122

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b704023a1d87c216dc7d9ddb9f2b7148
SHA1 f0986d20e0b2063ddc4f6840264a6db728356c8f
SHA256 21da8302b2347a26f8236be244864b773f0f29fb7076d337e0ceeb27182d3be6
SHA512 aa1b093a202627b20582e172c0b6fb953eb72196d16bbc6d0be5fa670eaf7f2834a45afce690133e4fe6b802c51edc16f686e21089ddbb5fccbc0174c1331ea7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f9fb9715e9aba73e985e613ae5d13da
SHA1 d05d63cc1aa70985d57b5413729f34eedebfb87b
SHA256 0748e79aa528013c10a0cea6dff934a5f3e0217c442d95d18a240c1868ee3082
SHA512 c65739c9ba1f339b7a959d2abc8ebb54a08dbabacda302a041150d4cf4b3d9d9a76ebacd0d696019f9cd1cb10bec00ec8271436d0ae229f7928815ba87f6e5a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd20dc396835add1446740dc326233e4
SHA1 9eab7022cd6a244ec9e8cc1f773befc5657bfdf4
SHA256 42253ccbb60698c13585b2abe9e0215970895eedfa8268390f0b8b26d1ef3ac8
SHA512 4a0b56743287d5eee5dec4866a9aa071056285eb56393ebef0f7012cdac24fa21626274ed2bbb0546413cd115ba472c7a1775a3f7d9e42ab27cced52f2aa8a74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4dd95b23a3b311a05782fb8492e11ae2
SHA1 8923f847841ba63da630e80e463207ef263bbed6
SHA256 0d19eb5230ce5aa6a72776aa15c901fc9dd3917a9e69f29ccac92e2b7c88b97c
SHA512 e6bf7df56cf6dc02e2e820b1bcb6d12eced90e7bb9f648f25d4779f2adac6d29916fa8429624a8a34ff6f99a6ee583c071f6f073f5af3b7719d752f54beca5bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db2d5bff9eb0f79969eb475968724982
SHA1 7b80636940928e90e107c8125fd72a9c5b1d4bf6
SHA256 aaee75171bda825267d4fc36fcdffd33adc83979aac610eb447142747737d919
SHA512 ed77e20d4b392d61197fcdd81b02b30daa78f8e779c095f7c3171353c69018886cbd3a3ba6afcd6346c29f2d1187340eada730c868405a98fa8b3cc970118ce3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1748e6dfff16e1ad803f76ff19ea63db
SHA1 24b0c18a786029368f2ca538afc992cdc5da44e7
SHA256 4ca658b3d82409f3e695199291a72c46297277656b54a99e81e0b97d158b58c5
SHA512 aa0fc4b1ca16a4e596249eb5adbcc0d277c4460ea0d7ae15db6dcafdda9d6d2dfe1cb950319a9c905eb9393e30fc639ac78cf55fb6646a8413de4a3a3fb361ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4e7d2f09b0900cb0ef3cbd3990648fc
SHA1 5c471fb5ad3c3bd3d19cb550292f53746e840d33
SHA256 c5c088e7dc7589668aa27367016b95965e9027d381c36ab7b6acf6ac7ef1d182
SHA512 c856f18b207c2a40050dbef0d76bf00f7827e895140373a482199d466636a1e1d063e1ad629013fea480bc528ac09d13677ce600fc04d2bc1e88e6bbfbe8f7d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b99023dbef752734aeddccd2b959510
SHA1 0a1dd70b88bf327847523abd55678421e80a1bd4
SHA256 fba4ed489d3ef099d5e1eb1484559717dd0762dabed46f7c4811879ccfab7bc0
SHA512 31449c0c0b11df3c99c15bb79d87116d86afd6ff7ffd9c94aebffe5a11a5b94f1ccbd0269ae7e124a12c8b6e1a20e910ccd3447a16b947e73e4bb95db3525ff7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27641ee7f5a7a07f5169d1b9cc10f9a7
SHA1 287e3dcb4e156a61b4632a894837181c149e1ce5
SHA256 de2010288e70b9e2910759aa766ffe2407f53c674d9c1e927dc3f7bc36c52c34
SHA512 38491d3370e001f964815de15ed5f914342c9c44411b1a503c9adb68154132e6efa7a2a60ab416b98f7705ebcadfbec9cba86bf397a6f92a0487f4cdb0dd0698

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 670e29cb51b9424c83adfbce23075d1e
SHA1 c4ee4a4ae82e44cac7ce3b56889c801ab796d394
SHA256 97a08c00445b6a6052a690542151f212f6bbc106f51b01dc84285274a5612a8c
SHA512 16110432acc7849f03b66f669921194b83c2451d7148792a14b16e523f2f193c4d3453bfda7f95dc5610acb1ed3d954d0b20b5ef91fdd098973ea4a67c68450b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 536e2ec8323f791d4d6ce0b8be134a61
SHA1 a27dc9696e7e75a9562aa506163bd8c0b81ab501
SHA256 423b2fe970f988337a28a1aff822c752696195f8bcfe87285472d5c0b1b29612
SHA512 9570ec83836cce1ca3de5aefc969eb9bf20040945da97e55e97e9ed2170cf3906484a8717f59f21edc02a1f644d79bebe26522e054aaa714eebe53ba835a6784

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240221-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ko\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{170E5691-2E25-11EF-B5E8-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a16825a89dcbc49918749bbb24ff12400000000020000000000106600000001000020000000be51ee06d87cb18123d5b98915eaa60ab2ada4251f70da09d666d23d1638bac2000000000e80000000020000200000009219d7e14c22fe9bfce0ecc557a74af2cec3909ad786d84e97e9c69b396c57449000000082b0079ea6e3bcfa7604a6cbe733f168d4d86e637a53a26cc89413f6d9b96cf5588eaf9993166f16fa9504b591626abedd42357fe7f8e0f6d9e7a52989c99a6ab28bd3a3f4ef132905c2ccba3ce83dfc28df283e7ee50cdef7b824e0f9038f7b2b7f757580c2deeb665ad7eefb6e90a8c87e478d0803b585630a2664dc7630d273ec0b244e5c4339d6686c79081ff62440000000d33ff07f9108474485244010bfb936b23c0b3f0d01edf9d2a69630c3ec9f8c893676185bafd08901b94b5a7732d5ae04e239a6ac844910afe76682c9aa8f96e6 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a16825a89dcbc49918749bbb24ff12400000000020000000000106600000001000020000000e194a931690c11c8d557901b07d65291aa8962e163e6f89d51ac32c91e454571000000000e8000000002000020000000fc5342cca8d99b27d8c8814e73abb61615ec0b4331915fded4eafe97454d398920000000129b8475a435b4a04ebd76151b375b31ae243261b56b0a009788ae1cb3c7c8d940000000318a66491aabc67933cb3f88b1cabcb1ca872360aa0a595f58a08860e2c488a0bfbc29a8a7f05157bfdd0616fb67a52115a710f63fefe6a71af0e690697690b5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3088dbeb31c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954098" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2940 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2940 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2940 wrote to memory of 2972 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2804 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2804 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2804 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2804 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ko\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab435A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar444B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fe1f29e7214ddc1462a1ad92f89e3bf
SHA1 e95918071bbafdbc37de3a02fd14b70fe55906c4
SHA256 a392d73a1851a04523b7c6ef959acd6d342a21e66f629ddb009c1ede150cf0bb
SHA512 7de8c46e70483e408c4cff17e15d7b2a69e7df5ddf26af9c5ab954feb6ff48db96c7d844b59cb33174bce9236299ad680be023c12ecfe852ea635ae96a12de4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe857f11fc51373de8dd5d1c0ac0295b
SHA1 c99a78cc522bc4d893534fbe371155939a283430
SHA256 68390d25a45ec041b45b186b51a57ce3d8cb4bf0d4500bd813f8c6cf02664854
SHA512 dd7b7041d9784a4069c471f59bdec12515b9371120a8771c5cbcd89ba36c84a3a6babdea7e019547ce438a06fbdcb2cda108734ad51a11ee6489687ee8acfe46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6524d9846c5526beaff656056a881081
SHA1 16da4acb3cf9288c9efa35d58ec793151163ceee
SHA256 8385eec6fe926fb16d87656887d8147f7fd52099784ada61dec84ec562d910f4
SHA512 99ff23e2a5781b39e6531a4c1a751ea4e0798bb0a85071d27995b1cd88b78ea13163c2eaedf84bb95354804d2da4c52808e129e56fc1a3b26299f7ab2df5363b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4ff004013d33d74907e1cdac4357fa5
SHA1 8194f3c5534e5967bb867439865ea1f8fbad7509
SHA256 864e18653eeb90931d9fd6967ccfbc7316d19322afd384c3e22cc212ec83b82d
SHA512 0dab98187d73248b5ee57f787cc5609be459214fe894f6a9a265e6861555e0540981116834c3502de424763a790f77b495ffa96466f57a685dc3c67e1c71998e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80e4c77c749aecd5292fc60cbeba9190
SHA1 e4948a8aba950c7ba7f375878bad230a9226f142
SHA256 bade5bf634d1cead9006ee15b78bdbf726d9935a5e0426fde2072e2ff0f60056
SHA512 5e0ed82728763d766b34c63f944361a353146cee45003b705491bb86e46bc48ef60ec1a99ba9b5832236d419865a9e6c19a4ecd489fd02f350243ab97c1325fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e3385ec0d29ab1301ec43b0f3edfc87
SHA1 3430d4f399769705f3802ad8ffd084606d683986
SHA256 1576672ddc8652866cdf565ee87e1acf3b4db9aaed0a7b08aeee3fe0caa61404
SHA512 0aa8977c0eab72deacd34548fb4b5482a12ca9aeaf237d9b5c434347b16d14cda2f3e5825cf6f720ecc729443f0b5fd1190c99eec56980127d7394b3135b7ba2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4d81700d7af7a657cbaf681349a8719
SHA1 dcac1394b98e0721eda342c37bed2597ae72f75e
SHA256 f08787fde8d5b75865e1de48f0ecc3bf69454fe9f6f72d6b449a54d86f200079
SHA512 e8e96d75a695bc979a8dacce5373c4d884a9be8c3600351a6b5be6d85bb818e1a8158fa20b84b497db87f226e7dd551ee9db362f14d66495fb9e4c7c636d33c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb93a78ed3b7979da29ed946d25ef1cb
SHA1 bad8b609fc48721120c648be9d143641bee18a1a
SHA256 f0d5c3a831e71b9ae3c55bc1f2c8d1b8f8f137918ed3354976d00ee0afcb85a2
SHA512 4cda64d71b2ea827a40406e9914f6194e367efd829d32500fd549a6d1f4d649b6e3ebc2d1460140952bcbcdd41c94a4481d339e2c1c52ab130156658fda068b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e89201b91c41f27c67eb5aeead50bea3
SHA1 15c7f5544f66fe4c7477cbd4321be327f00a780c
SHA256 422c045da0d6f0d3b15a210b92ee71efef6fc8c626402f0a9a6696066b92b96f
SHA512 fd7d2a47d19a3c1b2ab8b44a9f208eef1abd3c7338e652ffec5166936ab753932d4b0202f623195b867b8d1583599df95eb4d797d94cf229c1fa07534b7a26dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37e6858da1c0b6035823f6a988ba5ae8
SHA1 df1f27d0be13a085d2a18fbed46c7766c90ff965
SHA256 c3e7e6ee1bc53841e5fe5b95580cb48de93fe75ab6a611c13be60f132e57c570
SHA512 9bd94b46c7218950c776fc3292552eaa494a6b1edbaeaf639accba665ca146fdeedc3a5266f93077184cc9e5f5de52a7c04a2c837958c67d88c2c8633f9bb5a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d7efea767f90d6e4d29b7ffc6b4d0b5
SHA1 8bfdbdb86d2072350048299dbbf1e3b42cd38581
SHA256 93262d02a1a9cc5900f4881d76792e328a6159fdaa6a019651a34a6fcc8f1e39
SHA512 6b7b4ce0b4ddbebc5f312bf3301f8e63c8abf1a635977867d47d1ef256f3cc147effb3bc1fb88f939b2968efde70f9812216ffedb9401e92c1b8aeb6966b0f47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc6828df8797ba936bcf6f743142ca5d
SHA1 a128f48ecd33646e398ea2b572ce3fb6acb89b84
SHA256 316178b5abfb6037be3a04910300df73e67645af7a90384ca20db3e58cc468bf
SHA512 862d8e83f96bd5c9316fbbd559bc35516652f4cf8f41f8c1c436223c13f1436b4f65fcdb4378990b5f8d31310e66959cc10cd18911cffc369001bda4feb9cb66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dc5fd9030ead674f4d6525102984a85
SHA1 2ff796b0fa814ea360b02a3a0ea648f584d6ead3
SHA256 556311d5f5598e9194ac7ba0ee6cb0006033ff3bd2dd22455547818b9a88dd56
SHA512 6371197219d799d7004a8cb62a3dd902877d34f3669d961033d38b57ce2bf27d6357b5a1fcccccdf5f0638b1e3c7501d50dd956d3d7db58b4581e878f383e57e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dc57736d9ebfd5627adc7ffe76ce390
SHA1 71fc9dc2014ec6115b9630777e550ac4b1c9cafd
SHA256 0165852cb0334ff78bd0823456f1e68cb5721ff70f2eff5a33753b268e00c1b7
SHA512 25c0e3bee4ba971e35a445af53240291de272dc2a898a00a14b5c264eddd5b6d16d1e5aecf189bec6e2c30001fd11877d1a7b79c59a18a7006f9e9abb73342d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 343ebf32d34ceff6759964b197c7d0af
SHA1 f64e62ebbaf39bb845793f4fb1d935a51e435ec2
SHA256 fcba04cafc55e14f5f7c6327c634ff037ba51b7a463eee094d1807cba2091f82
SHA512 c800842283ae50a273bcad27b92ea35fa4766117c6e7ebadc3b78b51dfbb82179bd4fbdda75b409b804ecc6cac35f9bc3c9da76eba5e4e3b6390b157c5d98181

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 184ebc478f59339014a8771ac1030592
SHA1 fd7332c91ad3a6c84c1b6c6c6adbb300b43a7ca5
SHA256 c24c00185feabae024aef5e7809aaddcfcfda8b346b29f06c987b966251d9d32
SHA512 01e3e537063a51f67cc42209f7de4b456066d7f77239e65d96de79279a15393710849ed5595d01b8230e0ce157268284211f09c12959359205a9608c48171db5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40850edb662bfc4a2d8c555f73757996
SHA1 be8c33a2c770c1383eaec80febcb592d7d686322
SHA256 0e2c4d659d833512bb467dff60dc44584145fe6a30f59c5f020bdea75ca42e4f
SHA512 8270cb84af6ab3a4a7fbd70bf7d5aa88ab3cc3c55462ea470f74a431a47c395bbe0ff5f03d7ffd9a169425fbfdfecacb077a65fa543e3fafd7b9d22bc8a60bbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82d243936550ebe358d0abd5d9e037d5
SHA1 c6d25e27634bb921c9f4c52e6bad8dbb72dfff7d
SHA256 5657bf2112d4522cd2bbaa5ac79a54f2113e466e66c898316430424d50a71881
SHA512 4b7558fa3dfebf658e990c69f881dab4e32d089b984346d4ed6b5bd891df2cd81e2e6ed3e1edd4017d505d58496820f815299fdc14fcf79bb939703c84cb1a5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb9433ee0b4c72ec52b79afaeebf5e2e
SHA1 5796b468afc39b4cb39891f187f1d6625df2c093
SHA256 26c8b60c93fe69c7df19fecb397bb0149b89d9f8acff336d670e615cd4da1bda
SHA512 682b2c8c16805d72364e24f46bd30c1147189d2391ae389be7d60a892490df7675b60675f1911479470be3a3a873943802a688203f2f47b4fa2d2b124469f73d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea48617a08348d36a553599cd63c70f2
SHA1 071e04590a0cb33c482dcd56b162af2bf3009fe0
SHA256 fd3bd7f7f01b18c5873f883854d7b03f899d8c0f1e2bc1790bc98443fc099e49
SHA512 5648c6d24705866f6ef436f858c7dec30ca1cfd25d464aa56b099eda1485d32fea5ae64f3a127d20392537938bc62b745eb4a3ef00b5a2562bcfef613d111c8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80f81dd50af3461fefa1af4d899954e4
SHA1 ae4fc1fd19b3d36b29d40cdceb1013e16068fc3a
SHA256 978495f1fc2b3a0331a05d30d8a80ca1c00ce9f81fabbba2107179f4f760bf5b
SHA512 3f6543c3cd27e5864140fd60a86d3f0d9170577abc6f89f15692a97d675965f7b5adcfcfeee1a487485b80a7e89e88f39b04231f7bc3875ccb41bbbb3c9de7a9

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

53s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ko\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ko\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/372-0-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

memory/372-1-0x00007FF90296D000-0x00007FF90296E000-memory.dmp

memory/372-2-0x00007FF9028D0000-0x00007FF902AC5000-memory.dmp

memory/372-3-0x00007FF9028D0000-0x00007FF902AC5000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ru\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ru\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/2068-0-0x00007FFEAEE70000-0x00007FFEAEE80000-memory.dmp

memory/2068-1-0x00007FFEEEE8D000-0x00007FFEEEE8E000-memory.dmp

memory/2068-2-0x00007FFEEEDF0000-0x00007FFEEEFE5000-memory.dmp

memory/2068-3-0x00007FFEEEDF0000-0x00007FFEEEFE5000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240611-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\it\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c822f331c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000eeeea795118de64eecdede0c64499972d45d9d17d1140e1a2642bed79e799040000000000e8000000002000020000000f9fa9a85ba7def9e8fd4e6c7ab983f4d99d03c32e979844913e0bf9e7c0e040a900000006ede568c359ec376ba8589a8cef9531ba56e758df82bd16f87535747b090182be38e9e81c00e9bdecdc746780cc2bc8e437eec1db611a3d5670a6f69bea5e244f3ba3510fa73c35732629f9ecf905649e02b9ab733f21adbe2af06576b68cca07f07ac7acbea204a9c8c5c7887418177ce9f65f17e9d14dd9bd42ad371757f0ed995d45953b49b7a147f82fcedd77d9140000000e59d6c1853941ec8ba82a4b66e03f0dc5c947fe8d11caac144291bedef0718da3b042e440467800ce2a8483aade03f57d4d4fb1dd78aeb813eccc720521da154 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954110" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000f86e2fa9feb8ec3f07500230e6a98aaa16067c082494b3ca8ec415cdb7c12706000000000e80000000020000200000008232e18cfe4e78a43438cc25835e80de8d733a7775b797b802e9e8d6db33e7b12000000042fcd40cebe1b557d63cd8c3d3352c196cd737c9866efe7d5da5bb8834f9f99240000000722bb2a9431f1a5f573d3c5667bc1b6d2ee8801434570ffc1736e3b41419953b3494d5e063829687199d2020f0903c26ca495fb8fadf426990d1936debb38cab C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E3B5801-2E25-11EF-A13C-DEB4B2C1951C} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2016 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2016 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2016 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1388 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1388 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1388 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1388 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\it\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab450D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar45BD.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6e37b6c66f3038cda30f24dd504088d
SHA1 e564e1f392996c67cd60613b62e8f917e9924167
SHA256 d1fc55d38bcb51f37ad8c29b60b8f79e5a3751d4eac4aee53e16fd138ff38a30
SHA512 881393074d331a116bb54863f09e2d98e8a96b7403d8fd541da139fe95ab34286ac63881ed293e468838d5953af029e21313bd9336f27b3a2089aee09f6c2f94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 972369f7463f4f3957e91b1009de3aa1
SHA1 d8ca273bcbdcaf36daf9d842504371a23dbe804a
SHA256 6a4eac147f5148b0273f2b0ca1ef800badb8c8bb01f4f065e2a0411f0eaa053c
SHA512 e910c30496f11ce8a88f896467554ab29d42dc95302112bcde1fc26bdca067b6ba3bdcd1feb50b51116303a2325463d7edf4f33b8d23f58cdbeee1f86ae69646

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bfa15d974fb7d64d49a7c1f897244c1
SHA1 23a26935012374aa2fa3f6ed5c41cd07b398e650
SHA256 cec89e538917ccdb27fabe93129d47713ce219967cec1dbdf2dcda29f7135a97
SHA512 7ac078f4589d6fa4bf75f38efc82fd0300346907cc3758464158dd9f0452efce79f6992fb0ca427b4e31952ffe78fa778537d8c0c39abe5166f493e9a2900d6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e459b405e622ed9a9949e6d80f9ec61
SHA1 6a93226fc3ec902d6fd02a07dcd2a0a9992da4cd
SHA256 3e4cb7423dfae82525d33d0dfda3ce8038eeb272716b56d89c05628704d37688
SHA512 4ce7356e98c8980667e379ad6c41797a69dd20e888f1bdbcc1b076a3aa9d5ffcd9a22c0673f4dca4a7a23b33236aad81ae954a7097231963ca907c7240c8da16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dad462e10c3d72f5bf83c2d447b6b4e5
SHA1 09b863eb7865ca0202fb6f318be7b4191f7257bb
SHA256 8edcfa1ddfc830456114ce99d3225ea10a4dbac7954ba2e0dc375ae034a8385b
SHA512 bdefe29635d255da118e5fd1f83d561efbb49a4bfe5ccedae0e5f4d30df4377822d67950cadf5c648e29960abad71855a3aa31d65e1f383edce67c55a7ccae97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba864ba2d3a9f65d81bd87bfffe4216c
SHA1 9fc4bb92d91b4249e5cb58cdeb905bd48d94deea
SHA256 43c05e3540ddd20bcfe560af7d961e55e2d86cb1ede488af3b107dec40ed435b
SHA512 c37ca51cfa5ba2543b700e53d9054009592247379f97de0045acc582a5af69c47281fa1d80439553134abdd4c28d13f3f34a7135637572761954103946a51671

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1e05f684b64c9cbea35edf9d468eb78
SHA1 dae87018abf7b8ec3dd9d93878dacdf93381a117
SHA256 5821449124d064e2980b6a8c4a8a3ffa1882ba09b56e55dda3831dff7df8860a
SHA512 ce78ee5d995e72af3c966d6a1649195a831f3720912dead0260d2cfaf32788b093a1791864ba598fefa57729f847c80ab4eb7e3067b844e8a1369b45a67a72a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be3f080cb5e33e6d6cfeee1eb7e88954
SHA1 bc1fac97e04c2dcb44708ac653103f372efe9c1d
SHA256 d84d7efd3689461f7aa33ad319a31f551e3e9d52d04d3949d501aeca9a136415
SHA512 21b34e2f478d595f69a90be1702861cbf9f863aded9111d5d971e302677f69aff7ed372198973f8031a56a360df0c2ae286c7c3359a652038f0a44c3512ce3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5bcf285a03022f262d7b6ef2fa1c6e2
SHA1 7f9406f729d20351bf89c4ae7e61cc1742a4366a
SHA256 99a2c15b6ed094fe51faabb3e6e9c8fd85c8c435a56abfd8afe27f2548a693ce
SHA512 5b17455f278f853b0fcf5f737ba7a27adcd059556022d1f86505c5b52a920a153756ccbcb3ff16572173edd0a8e925719a3dfc42bf32c6cb4f8cd006585f0d6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1951c16a8758e2928bdf3109c064beca
SHA1 dbdf55cf2843d5cf5d11acc5c1936e4458e4c56e
SHA256 c22683dc4fb778b1947138ec866ca7beab5d3c2fb4f9bd615f00fd6077f92700
SHA512 da7bcff699c94e4e962859e1bcbbe7816977e5cc00169d362f17b40682ea653ef4cd95bb642e9a6c34d62775ce57223938f52981a2f8090d9500dedab5f792a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15174e0b467b0a4b0b01a48176b5221c
SHA1 32c1f8bbb4d334addd2595aea82f8d6097671410
SHA256 bfdcae54c260e436e9fade60f0a1fe8f5e92a16bc2ed7c1f38a86584a97bb5e3
SHA512 bcbfc6fd7955e90e31dd507207cf8df107d813630fedf91ebc966cc050a35bd4811b57d64fb80fc8867ccd570aabd78f20851c6b8fc42fdc415f1ecb93847f61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 955d3c8218aae2888b42a83adcc3915a
SHA1 1d1f7f3c582f5686043d876f7852618815336f5b
SHA256 dc137c1690d755f46d23b8abce4cabc93072f594f5a316d4daaed7df5fa6efb2
SHA512 c26d077e3adc2e79d529a7ad37101f2d9f2baf6a0d8e01f2f7a7a063162ee7de750bd3a893dcea6bbd662ed256a294525c63ca8041a56f1cd8414c0331a7d6f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adc7ee0120e3e1680bf2570afbd8f66a
SHA1 b03382e9f478b13b2fc19fda87a4a32a38e8ff5b
SHA256 0a7ef1e70c741b31d988ada1f12723db28cea16c0d49bcb7c2df654c41941348
SHA512 ffb627fe0ffc2d6b8380b66daa6c8bd1afb560cf7b839f7d1852af3770bce220771a69051745e4c428415fe4c7c17ed130d1bf27106a8612b4a264a17baa4b6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42b9c10f6113184b75b7994310c86968
SHA1 c37a72ced5ae528208f3cb494fdb5933f26930c3
SHA256 1990baa47e8de5838a6518d42f884348548b2108b273bd5033276adb21d97ef1
SHA512 2b0914e46c48ee9d2019f69a954b9a24cfb0fffe50e6f69652e10ea856a7b85878cfb9a2a044ca8092205a5e58f49fbd7ee772035a1afa18a774dd91e17341b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b82ad44651e4a3a580fb0f6575708dd8
SHA1 59c97e155054247fc6957457ca1afaef64675cbe
SHA256 e5edc7a5cc7df392e65e2b93f5becf761044dc06f61a20f858889cb6116a4da5
SHA512 684f9c27739e7294ef8ccd1f9872975c2d57291fee99580278bfd5dcd092739ce8cbb42da7be204e4debe721e275bdb62022eb268485b0610c363cecef2c7fed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6231da81bba4a2a2133c635d73c9272a
SHA1 8ec4febaf06c4b537ce2972ba0889e8c856b54c8
SHA256 ad0429584fce75c7fa12d9b4c050e4a5d2643a70737b5fe37ab48b22d3cfb298
SHA512 e1b100a92b7f0dd14658f1e0ee6df85de2ebb3d000dc02d2573a66f76350e24ec466fa9a51206ff720a13b77f4f8518b8ef2c798461c6b9e04b38e519e945891

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08b6100cc7b95debd01a1c74bb7c2d41
SHA1 e2dec46d21b316090343d144a8a4addf54144244
SHA256 b66b24b60c313d7eb0118266a2ebfa6f55b561e4fa384639c8792cfad45c8aee
SHA512 a80eabc91ea2658dba490c25cf10dbff49781e0b5cea9272a3b35b87c7601ea6a77fbf31ca095a5ce86e487c569548a0ba0238ca4138c8a20a6261893c49b1b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7ad4894dc23e85fb93ca7417993499d
SHA1 9e2a7dde9543f0db7bad3ba8ca592d5fa02bf4ae
SHA256 0e94c1f90cdab614ecb20f8421a10dcec931f2ae99df750209020899c727ef68
SHA512 1852b788320d0b1b74ba8a1feedecb0fc9f8a62a66205b7c4b1c45b481e9f05dca4924ac687939dc041c6122a7de55d70bc1c3e1c87150a4037e650fe0a922d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5e261fc86dc9900461f49efbf47dbbd
SHA1 60c0ea54667e1a07a8bd973f5ecd2b66d11104dd
SHA256 6e173e149edc595b9069780675eb54bf1723ecd7494f2be09f7f1e767c7ce6b6
SHA512 a107a7130617a8c2f42300b096b1e02b77a94d5522925f660a65357d13a28e8979035e78a0df97a289035ad7bd03efe3ce762d4e0c2ebc71dd21cc457ad1509f

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240419-en

Max time kernel

119s

Max time network

122s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malta_scanner.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malta_scanner.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

153s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malta_scanner.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malta_scanner.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\es\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000dc8e80967fbcea00c96c44fbc89e4b2cc51563e60ded4209d09368f95420cfcd000000000e8000000002000020000000996e7c13b33611e4cd2eb4664f93ae5ef0c3a228308f143c9ed1c9e62211375690000000f9cd0e9c3c564f0c4c1bee075fdd7774aa5b1b436c32f4413aaa3172bfd08c5f6d18b59a67fc0702bd7b087e3b3697a4be87fb2bbdb0be459b5bcd1ee53af720b7cee2a788ffc6252d16d00fd726c8f454ed22e8dc62329b7c87846ae038f9937bb1b70290a4f6c7b21584c700608d3993e0c1da7178394102d67f44069e652bdcc13140396c6706881b7c915d53cfaf40000000f28ea39fea6da1a69d1b34f5d45a47c7996079d6c1ed210fc208b206c1bc2eab586632d4236ed2c4d3f7d27f45e1f2f1b154ef061352a8b041012c7442f78f98 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00ec0f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954132" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000c9adcc34063a3b31723643c06140f99fed9010973da40039a3294b20705839dd000000000e8000000002000020000000d349a4e1669e8b5e6c3c2df163b78a2b01fa667c763271613ee94234f0a594e020000000eb671fd1dfac475316a7607d955881862f8a2bca6bc75c69480b437db90d86a64000000070d1c65bbe9779510e4d3fe67bade171bdceef96dd95654f11a3dd954425fe8d5ea8d4f54f3c698a4cca3786212237e3a16fad8be73309d58644b55fbfb0dc51 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DDB07C1-2E25-11EF-A002-FED6C5E8D4AB} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2224 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 2224 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 2224 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 2224 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2224 wrote to memory of 2412 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 2412 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 2412 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 2412 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 1556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\es\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ja\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\ja\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3480-0-0x00007FFAEA6B0000-0x00007FFAEA6C0000-memory.dmp

memory/3480-1-0x00007FFB2A6CD000-0x00007FFB2A6CE000-memory.dmp

memory/3480-2-0x00007FFB2A630000-0x00007FFB2A825000-memory.dmp

memory/3480-3-0x00007FFB2A630000-0x00007FFB2A825000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240221-en

Max time kernel

135s

Max time network

135s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E1E8901-2E25-11EF-822E-56D57A935C49} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000020868dad1bd2324f9db4e599a9c9255c000000000200000000001066000000010000200000007294c044cd4cde09b01bc2df30e76750e06b1757d6deb1c4fb2ff255d4bdec1d000000000e80000000020000200000009d540a859d8ca39d7264859118a2547d27ccce8a1faa38d2aab72553e738680090000000b2c657403b35f136946de0be734b8bb8d778ac5cd908406353c19d3a756e4fdf5de6895a71da860142c2128cf26d5cc22d7d9d1312852531ceedcf2d8047a582d8ce657aef7411868e7950af645776cec8cb6740da53707f7af98ca2c39a2a65e347be4d4f0f271db04e25f6115df01597ee1c3551c629b555e19e8f34356d3e50e4aade97daab821948ef1b8ae4d400400000005c8f12f357dfedca45ebd47d5b22b33b28194bb87057e281cc948bc1d492e0b75b727c6f7d5d19f7f61aa531169a31250515aaf2b845a5c1dac486c77220abce C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06df0f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000020868dad1bd2324f9db4e599a9c9255c00000000020000000000106600000001000020000000a89b8161e9e349afb9e5fdfd6bd0a91a34cfcba321ec75b08315aaecca0b5c2d000000000e80000000020000200000004eae36e51bb2a87d1c8440c9d85453321df3ee459ad2cb9dcc954d68896bdf8820000000d6bf27267b7248029fdbb762df194fa820486bb603aa599bc9138de0252abc2e400000001331b3cc3eb1cecd8942b3168d4eba90f67abdac8509a6e185f2cb470912b91b09fba388a7185bb59133ae153ed7d78b01f8c4da42dfc0a25b614c0eaf6f36d5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954110" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2324 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3020 wrote to memory of 2324 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3020 wrote to memory of 2324 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3020 wrote to memory of 2324 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2324 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab51EA.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar52CC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 721851f1c2b18603c448a08d7a58b06a
SHA1 331864d943b5a01112083b7cb6f7ec1c246402ec
SHA256 7a9e942c91c549f2cdfd2105390b820943b694e69ddbff3303046b884c1b9439
SHA512 d63fa34350ffb41b20f671fb25795fb5377dc59ffb9c2027c4dfa6a3ac9c3ebbef352d9e97bd61600409fef6c1b4897bc1f96fe59576a38b7c87f19f9518daae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d891b99e14729133fd3414ba508ae2ea
SHA1 1e9970ac03a166ad8d9fdb8f50a222742f1e40dc
SHA256 6d48f743fa5483e9dd89f726fd3b0166ff8896210d92498a91ae84e06572ffcf
SHA512 4f335c1736bdb5adc1ae563f84538eda2292e8d150e27612b678793268b8a77d056f750466f6d2df50c093456b3385bdfa7deb252a2283e849968d0a4b6b30a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa8f3ef47b3491fbf7ff5cbb24a2e053
SHA1 0670ffb50f69b532d923f3d4c091b39b6929adc4
SHA256 d891c923e63584b12eb0a02d3a69ba61ae69f46d897dc8c5d55dc2bfb19c86fc
SHA512 48b22afcff5cf6e568ee0facd975ae00916289c0151987f67d82925239fd13a50a6d96bb3d20ba7b615ec6b2583d798d65453a1d6f68bb33ace6e0977af1c6f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0dd3eec91768b6fa99a4481b9211c3e
SHA1 f04f438da6549656256e5cb850a233670271c153
SHA256 d2d6aa86081b3d6f8f60d8b2e86aacb285c1f4cc07781e1d071d3e743d653898
SHA512 039e3381dec7ff4d1ac6c3a8596ad88843c1948008acb6c1205836f6ad824f22f09d032e95951e34a18d2310f590b5f4d31d8014e9f79a7b6b8cbb9abb7bb096

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b69c73c72ebcb1cde48827bde9454806
SHA1 690547304cd8e3a9172ec2e2ce99b6c0162bdecf
SHA256 28b5d0c3e8019daf38bf0659e010f5404365342e844787a17602fcd72f8ba125
SHA512 d8bf7c87341e1a8e230ff52edf1d913f78e6daefe96142bc2788159b5d8d77124125c73091c78c4f15edf6535433eedf80b6c0296529ae51229adf8bdf504ce8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2404a67fe0401753fd23589efb5bc2b
SHA1 48146ead0dfc760a19bff18771a6b249aba28d62
SHA256 9e938b95ac4f6c95f193c561809546c05750989ce9edf461c4ada6e258367fd1
SHA512 92c176c76a0017dc064192efa40f6612e240ae63f16746ee81b62b8503f8e7ca009119ec8de99832e54ec762e280faa2c3ca8df014de2233e47b4b5a1dca4030

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78dfcb8949f0c8de0d936b8b9c33a51d
SHA1 88f311e1bdcf1231c854834bedfbe1d20eb882fe
SHA256 1d8dca3c3dc74a7b973b5abc0306f208f6b92d0ba872e32e41dfc1a3dbc26980
SHA512 4343c8a5fcb97dad7595dbeec50dbc1fb5b17ae53a69979cc50fd567ec5605906c8719f9a036c9dbd20adf11c6ffea92ea6b75edc0d78e8e58b2940b09424785

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86aa22aab81da03d8c5eea2c07be67bd
SHA1 f7653d5435a532821d3f2d8f35070f5bb2660d1e
SHA256 6bac88675273262b32a7205565029cc9611526d74de9b2211734fd72969dcebd
SHA512 953aec941f9c0a8b8e430eebf025cdd8a44dea89a888c8d8aec24dd40a60d682f1b333537a7a22c410d76ec1b22e7d166ed328d111f526d1f901ad34ea848e96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a61c76c91767c5bfa9d43ba11c28b264
SHA1 d91d2e9d5b802159d2918095d8d193ba03948994
SHA256 c65e1f348c495d33269e33c8cb383da533e79cd11678d2aaf0657f7ca0d99d23
SHA512 ade01936d2c4e24d31e7ab337fc9c79f27d472fd6ed068b9c4e8c6803a0351d010c47a4c095aae47f23bfba93fa6baffce25fdef18d9c7f7dc75a28988df6639

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c677d2a2cfd5544ba501b12c06598c0
SHA1 372c93397ba60d73ed48877aa4cbff09680eaa45
SHA256 5b85a761ba549e374737714fa9100a0de812553ce2d70e393ed173feea9cbb09
SHA512 deed2f19890d82cb913a8d80e1bf1a10aa6767814279e3de7d89f04c5efd50cd2f9356dacb959263e2cadeb353b149c500e3e6254d276b184edcc4306b974429

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00256467417fb23a02b2867a0b530584
SHA1 6c3d6589f4a9cb22bc5ee69a1d8de8ac7cf81a7c
SHA256 7882d0339e30ea90903947f3d088142c2d342333ef3a3159574e9aef5b7454f9
SHA512 df5f59c675834eab995554912f8b9b9f66044b9c86bd940db5c0f9fe0efceb5d3f5dc972eb36cb61623db4dd3cd6618b64ce8823ead366f0584b76be6bbbd7a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9bbc051690da6c5f99882ac1cf49895
SHA1 0ead8c8a84695105ed1129eb377e2e34398053de
SHA256 a6f3766593e532f468fe78d085ad8d00be1a595e53048653082b40fa5ba82676
SHA512 75a936d4e3b0c79ee29c16ff719392a27ace4dc6be82846a3d673e63fdda2e8112a516950a55a55216aa5f19da035d7cfb01a6b7d83b8885c224b87aa3919369

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caba858095f2ae88592a1fc0589ba014
SHA1 70cf4587feea97570d3868c7b12ee92ab9d9a654
SHA256 65a124e0e905504da7187bcf08f5aec8c4131c95b0f55a5b2ba7c8651090a7d0
SHA512 f8abfd38d68414a3cdc62e77fdf8887e2aed0cd00d2c59e1adc14ed77e68df47de4a66b8ca3a845fb9588de617d2962f42775e6588fe6e058907da77dc44c1e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14e20d0c0103deb756e9d81a939d5cab
SHA1 fe7c52eb0d42315f035467e2379118e9286ef6ea
SHA256 a589b36063dd9276eacd6b3f11637501aa07474552a26c45b6ecd3bfb59de435
SHA512 311af014a744b146310e650230c74d371c34b22f857e3648ffec05a7817fb6de35ae90545fa9c94dfb30489255b81f1eae3dccf7d7070cabe891009f797460f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe14429e1d0fe6eaa6f4277b0843ba43
SHA1 aee3a0461371c6e829393fe1fbf3ed6b57cbf006
SHA256 0c45f5e3c7c8d78c41eebafb13063eaa54e49dcfbb60ae683044bf293ef85c60
SHA512 8a04c61dee48beecaa8e262aeac2b9e6ab8c6cc7f859f0e78213eddd12279d39f8bf4193e9b4f27a699ec1e9aebd77263426ea98fc673a24767e38aeee251fd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 587dabe8e0015d876aeb4fb89816359d
SHA1 5628827addceae7ac0da85c23d69de1ac6ab7d21
SHA256 798d635f7248f66170f242c2bf316bbce26c01d85f2c7fc54cb8f9fd4742fe87
SHA512 0b82488ead76374008080f94a4bd1589537bffa29351f3c324143a994429aff65aa8b74c0fbaba215e2ec31fe172a098b9810ee4943540b326b0d693f82bd389

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 524742d00306942fe90344a60bc97893
SHA1 6f9a6ce2e8b11971b0cc6896616c5e7ad87c9992
SHA256 500dbcf1fb0100e6907bc9c53774e7ce1e02ea184c58ce2c6979e1c79eeff70d
SHA512 631870bb995d83c5c7eefc6a83b83018a88b751ca73e749a486037023624c2f66f0bcc061b4c1553f9928b36c537a0049523584fe02de8b32009e0bcb24a889f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01bc4dd853b8eaeab35af5f91f5f4863
SHA1 29223846da1a5abe734117c3c5ff60be6fa7dd01
SHA256 c02864e36417c474e619b41475841ca5cbf3b4092159da9099633074ce0584a2
SHA512 6a84ac66f90ad353423b99247005cdaaed443020ae77b16ba409f36adc2c35e0ee7f9c615b8a05fad9b37a83972f241ecebec418bc9deb2d26a47000b5ac5cc8

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\fr\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1758D4E1-2E25-11EF-B02E-F637117826CF} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000687ab49dfb588703dba9b7f471edacca011875071c60ca5f363b88cd02afed57000000000e8000000002000020000000f33052498e5b3af26b886d3214d516054876be93a2758472c44aaeea0392131e9000000012b869486aaa035f4e67336c7ed0ff2643a8410dba9c678571e7413fc5f5ed8fef46e2fa6c2f5c71377cd8fe808149baa59db7407397cb1354e5a2343f9d3c192973af902d17103d06cf74a81ef2402513cc32249e011fa8ba5f05a898e34af212ce2eec402c8d15c7661de957e0d9b28beb992114f6c172fe2a92da42d4e0632367e0e3fb686c3f951e758a38cca19140000000e41d2039bde31d14bc0df6829eaf8d083e39152337f87e63a8ec85b3ed586632b83381fcadc527508502c5a99f1666f12dd1327de996b205f10acd8aa8ee772a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06f28ec31c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000047e8594bb2ece922604387e1d8e6c02bd6b0c6cbf627f572f2d3bae8758b2b4b000000000e800000000200002000000063b2a6236cbc4c33fe3c632f291498944592122822c5d707309121a53429e1ae20000000a21a3ea0a2314d468b929f64c84b62cdad39e223da273594cc9921774f446bf640000000335487668577ce6d6a024dfe42aef72309c7c3e1f267a6d7a36ec0c24b774a32144dd582b3037381df454bfe55b76bb185a4b1a215a9638580a89cb8fda5646e C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954121" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3052 wrote to memory of 2936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3052 wrote to memory of 2936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3052 wrote to memory of 2936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2936 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2936 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2936 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2936 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2652 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2652 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2652 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2652 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\fr\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240508-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\de\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000034b4b2182e413af9f08a73427901c7e75bcb576c2fae6ee277b38d13c160ec83000000000e8000000002000020000000c623d55f727681a1efc98193cff3db34d905edd8bd1bd4f2f0f20f4c61df4de390000000f8789b89d42e23c2a5a2dcd18eca6cb4eb7b928286e0362cc7e605750f1635af370fdd9a220762ffb75dd0e1759afa6a437c45f21d37aab1276d101dbca254c68b400d010ae84ec586aa6ba49b061657d0c67bfcbd1db81f15035f28eb9f1b5ac02eeaf26a95cc616f02b749432391022127952c52e5f6a8d2c2569f53faa2ab4d94d61e56a554597112a1d590f9de1240000000c766935a763fdaed8ade693dd9ed97c234613f394e55206000b51ea96874db15f6a9fc0cf802c0f2f855cfe08b39e3e18136ffe40f4e852c453c346abb42874b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8093a6f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DD24D61-2E25-11EF-A5E3-DA219DA76A91} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000008da5c6232ca1de62b0811ed5b86f9930aa6564104919cfa05246ea53626aaa49000000000e8000000002000020000000b30801248a0ec7715b37ff6192730966162f858143873b13c58d98c5f1af393220000000cbd6b86f09fcaf0b11e31576565a18e4dbee37652ac3105f88b4efe7a7c20f6e400000002341f6263ad7ffdcb8ec02fed24c268b54411d825d259df839735a88cbd609e9b2bc2b1cad5b4ac18a0948ab1e0999510cc3fe0bdd60f3aab3edfbef3ae37d00 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954132" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2996 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 2996 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 2996 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 2996 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\de\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

133s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\es\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netstandard1.0\es\System.Xml.XDocument.xml"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4484-0-0x00007FFF8AB50000-0x00007FFF8AB60000-memory.dmp

memory/4484-1-0x00007FFFCAB6D000-0x00007FFFCAB6E000-memory.dmp

memory/4484-2-0x00007FFFCAAD0000-0x00007FFFCACC5000-memory.dmp

memory/4484-3-0x00007FFFCAAD0000-0x00007FFFCACC5000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win7-20240508-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hans\System.Xml.XDocument.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E059261-2E25-11EF-8FA5-CE57F181EBEB} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7004e1f231c2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000ee1a4a948a9ec8e4981cbad8d2a31f8fcbb19b2333614a5e61c873e2acd3f244000000000e80000000020000200000006ddd38319d3a08a743b2b8bc8d300e7e469aa1c985dc5b0c4a58296b69d2cf589000000031a26a71c9b8cb1916c50febe90186cfd0b0e776877ac6739667db5317b6e6b584f0d819753947566272702f49aa51247f1191b461ffe8b6e3fb98588b3e550dd585e616ee38d0e893d04cd15fe9262e72f7f6529d2c89c1b890d92d1bcb45cd515787d2df902c88f415ad6de165b0efcc43271c525ccc98aa7b6f5fa7cf920eaa636bae1a524657167985052988f8dc400000004947199aff910c0e87d4dd2db08e5523bc855f2646d3bdfe13e08d01fc7c62043b67d6046c1bf3775a6c980898d5ce7c02a0348408825e6f6cb401af457f6fac C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424954132" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000009a579466b789c4db83c498bc9c6494e87248e20e4b5e002eba88bba8720020b0000000000e80000000020000200000002ed87ae7aac144d1ac484ef9c97c92e3bfc27ed9f98404e58e8b9c19b37c8207200000006fc599b32aa6287a18942c07c1ec490621587f2ecdc7b5d981a1d0e7334ce29840000000149839079975eb45215ea160aa3948421c648b3f805b24d007a6c1b294f32b183b8ac4611c0dc76de5bb952a9ce43926b432b4a590a51f969d0ed85b18941f9a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2072 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1704 wrote to memory of 2072 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1704 wrote to memory of 2072 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1704 wrote to memory of 2072 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 3012 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 3012 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 3012 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 3012 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hans\System.Xml.XDocument.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-19 10:15

Reported

2024-06-19 10:19

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hant\System.Xml.XDocument.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\malta scanner\packages\System.Xml.XDocument.4.3.0\ref\netcore50\zh-hant\System.Xml.XDocument.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/1992-0-0x00007FFEC1D10000-0x00007FFEC1D20000-memory.dmp

memory/1992-1-0x00007FFF01D2D000-0x00007FFF01D2E000-memory.dmp

memory/1992-2-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/1992-3-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp