Analysis Overview
SHA256
9970a6d977cd5ac8672bd6a84790d7974f8d04533c9b8b2611152c9f74ea153f
Threat Level: Shows suspicious behavior
The file 9970a6d977cd5ac8672bd6a84790d7974f8d04533c9b8b2611152c9f74ea153f was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks whether UAC is enabled
Unsigned PE
One or more HTTP URLs in qr code identified
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 12:43
Signatures
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240508-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\System32\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000000602902a5da78600bf4e8d8a6204362065d3375f23713523f2479689c85992c6000000000e800000000200002000000026346dbaff0840e27c2bcc466a3ca5f63767b77a2302f45051d250f62badb0c790000000bc2fc6d44d22cbfab863a3e2ff09edcc3529e3ae5b937342cc26fb1aea5a69f9c7d3d47ceac5cf179015c448e6e5d764e2cc947f45038b9f27b4811c4e239d31bfcac4c052b498531a0335f0276be91f9dc8523f075964df26def53fe9e56a89c4905e2e3fced98464f0925e6e965f70aea34387816457d4fdc3f1e564b266dccf19702c00e78f85e16c2889d89e6a3c40000000d91082135cf9c0e30ea6baef33662ea848cbe18faf0d659a433c6566c4f24771b8604ce566809f93f76ea47dd5875fd8ab0cdaa83d7b444b1729b031af5679b1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425222102" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000002fec1bba044ceed7db59e68e2d5f1c4134d04082ad36843bc689cacf5fd0831f000000000e8000000002000020000000cbf140609bb81bc9c4051f23b315a22a69390942d95c4e44cfd1122a2968186720000000d75d3a2853e31f82c1524237f884e067b263ef470ac54cb60a26ec3a5a3a645a400000001eb5eb202701488488c56700b7f6b54e0a29e581272f4b87d3bf18c6f9d93e409658dcf8b905665a8e4d41b471e7947f5cb3c20398295eabcdff9815f9ec64c2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608a2deba1c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0856E6E1-3095-11EF-BB1E-6A387CD8C53E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2672 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2672 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2672 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2672 wrote to memory of 2620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\__.url
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
Files
memory/2264-0-0x0000000000150000-0x0000000000160000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240508-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\content\SingleController.ps1
Network
Files
memory/1808-4-0x000007FEF567E000-0x000007FEF567F000-memory.dmp
memory/1808-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
memory/1808-6-0x0000000001D20000-0x0000000001D28000-memory.dmp
memory/1808-7-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp
memory/1808-8-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp
memory/1808-9-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp
memory/1808-11-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp
memory/1808-10-0x0000000002BA4000-0x0000000002BA7000-memory.dmp
memory/1808-12-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\______.url
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.adminbuy.cn/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6b3d46f8,0x7ffe6b3d4708,0x7ffe6b3d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16441255561219338588,16049553102675720664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.adminbuy.cn | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | www.adminbuy.cn | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.adminbuy.cn | udp |
| US | 8.8.8.8:53 | www.adminbuy.cn | udp |
| US | 8.8.8.8:53 | www.adminbuy.cn | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_5000_NNIURTMIVDEUVUJE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eb19fc1a6e9228e3dbb7f084d35ecded |
| SHA1 | dc6af375340274eab518352383bdb31da2887d87 |
| SHA256 | 2ed9366653ee78316d51d96b36a6f1c0390893c48803ca2243c635c19a66f832 |
| SHA512 | 52ba3698c4e750f5e2195c1f36955cc4a218b286117d93072084394c378814c02f447cbd4f234f72818da7448bfc4c6b11c135fcc5ab41149ff66997af3d1c25 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 87ac194098713a5d9216f5688825d93e |
| SHA1 | d063caab293edd5d92b54dc84568937d94461063 |
| SHA256 | e1a42e3c7ebd0e3478beb9bbbc61d2c469ff7010bceec9ffe034bbd89e37ecc3 |
| SHA512 | 8d4ff3071c5eef6532371c42238d38b9fd7b3ae59769903ba1a8c787a15e1b4a9b21d0c6b0408e230a3eed3cb4666836f7dc616be7cbcd08547fd7b67f10871d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 41d1159cee7324d84b2eedde5d67c67a |
| SHA1 | f1c978ce051e5f6fa9b1d85db648ca4ab0b102cd |
| SHA256 | 169685e84f166cc34442582fb4f7144b35650a14681b2c9f79bb07318bbf6aec |
| SHA512 | 2f11e357e2ecc4a05e59fdfe95837a7e150910439077ebd9ea8fe38d5125c2f43f918c0d1bfc1f51641125068eda82a65fcae7a6c88783867191708211a417ef |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240611-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\content\ContentController.ps1
Network
Files
memory/2160-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp
memory/2160-5-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/2160-6-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
memory/2160-7-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2160-8-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2160-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2160-11-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2160-10-0x0000000002CFB000-0x0000000002D62000-memory.dmp
memory/2160-12-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
125s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\apps\admin\view\default\common\foot.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff095146f8,0x7fff09514708,0x7fff09514718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2790446447252501129,13113988504411696210,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 52.111.229.43:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 87f7abeb82600e1e640b843ad50fe0a1 |
| SHA1 | 045bbada3f23fc59941bf7d0210fb160cb78ae87 |
| SHA256 | b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262 |
| SHA512 | ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618 |
\??\pipe\LOCAL\crashpad_4416_QUWKOOFLZHIJUFYN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f61fa5143fe872d1d8f1e9f8dc6544f9 |
| SHA1 | df44bab94d7388fb38c63085ec4db80cfc5eb009 |
| SHA256 | 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64 |
| SHA512 | 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c63123e9e042d5a0b4b3983ab0572731 |
| SHA1 | 30e66244300cf5dd16287fb9749fc2acdfb07555 |
| SHA256 | a0f23f457c363cb99a140049cd9b7723201b79a9819e76d3e3f67c8d48b7804e |
| SHA512 | fa3e4e0a47e349110d4ffc21d9abf0514076270525da1cfd63588dc582b8666db7d8aac2942142bec72561177451db07f4936356a9b3ad306fd64f8f84ba233d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d3c8e6e04d6231e5806c95beb9ea2806 |
| SHA1 | 4f9b4b8c991e66253618100ef2714cc57e0de5ba |
| SHA256 | eefc47586a0c8710117aee278adb22bd8df848e4da37f1ffb011810528c48839 |
| SHA512 | 5e98c0f3a7106f710d65bb4cc81b8491d9a233bd04c3a06af894c19f92fdc42af3743fac5d8274b5cdced2e4237ca910d793804aa9012094ef3cc9400277dca8 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240221-en
Max time kernel
134s
Max time network
129s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000072556a3333cf7049a58a355ca21f1145000000000200000000001066000000010000200000005c69890c5f4b33012b5d22aa4d8f3cd4925b3a89f2836861ab526c56baa2798c000000000e800000000200002000000057144e1de62df71dc5ab4fba65577e3153d005ede8c4d60d2933e2082cba0ec8200000004ee2cf92ac89650689c0d95b2d6af39757450a88ceebec67513befe201892edb40000000bcf5be50e91203f7987aee4c89fdb474f76c5d2ce25690a1112c30fceea1aa7705e105a9968f9f4f4bc80eace507b65f80e0fac3e07adcb708d3a971ea684c81 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705e80dca1c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000072556a3333cf7049a58a355ca21f114500000000020000000000106600000001000020000000ce584ecc264c78434a3831c19c6d9e665edf32d60fe31a41573911c096468075000000000e8000000002000020000000ed622391acb2619577c3578fac245529b3627672be8535db973bb3ad8dc7ab0990000000f4615f4538878eb238eb0525d5cebb374f9a466b5757d98ea189574c6245733e2e3a341d80e4b4991a82bf392c9142addeab5071c0bb85bf8c3230dab9303c0076ea488679171871a73d54a3dccde76bbdeb4744ec03a8fcc05366ae994407ba66ed9baa6a71800968da1dfa5ce9e84c6c2c63f5e6edd249c6d6942249ee64ac578fe98bf0d9917c0292dc20842776c240000000838345977851d8d6dadd6082fecab2684f9a33b710d994dccbcb6557a0cefb09425905723b8f956ed0cfb4fcfa92349a6677715fa5c0d96de82aa6db05305d8a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07E95801-3095-11EF-8303-EAAAC4CFEF2E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425222079" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2836 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2836 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2836 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\apps\admin\view\default\common\head.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab44B1.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar4593.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cefa325df8d0c12459f0e93cc3f6a9b2 |
| SHA1 | a8ce69e1f6637e0474b6308925ce03eb72157058 |
| SHA256 | 547ef8f73b6dbf4d5a0859b52787d2314ac43788e9a11daab3625bbc93bafcbe |
| SHA512 | e404b2f30846d65d87db8eeceed9708ea3779309dc883ed50fffb2030c5a187615270799aa384979340109606c665b518012fc4ae3352df3bf9b7a1af4304ff9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c92a5ab90f0fa09992d6201256b67c1 |
| SHA1 | 3e9d557ee0c9be4bbfcb8bdc29dca7d57005208b |
| SHA256 | 147e105f1f06d516d7568d21df3b8f4627195c13c295dc630f4d905e071ddc75 |
| SHA512 | 090ea6256fa8e2fc493c78d7efa524d318b0bc50790c74357e8382bdc304b2a0f52eff14574f736a1150af9e03951029383392ef3e8a23845cc0fef4cfdc2b92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58a865bdb7f7e60ca1c1cef5c71ffe20 |
| SHA1 | 82209e9c943580a01087ac5dec239f633fbc6000 |
| SHA256 | 2465b6ebb6581c6ff0dcbcaaea726475b63cacf96886cbd8ebc2611ee05489fe |
| SHA512 | 0e3664a3a188852bb1590e027b82e803fe295a11b979815528768ca981755a9997a6fd442e51762f9b699c7450875882394e8a9dfcb3338084982801102b1624 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ddaf51f929166722df2e2e14c30cfc5 |
| SHA1 | 8cc3dd0a99f424e661fe47678886fa09fc18d448 |
| SHA256 | 6a4442cdd5eb08de51dddb500633eef8944567f91196cddb470ec50bf2d17831 |
| SHA512 | 9360d88a07f77471533e8e8890e0df2cd7c3964a57f9502b163ebf3e725410bb999343a394379e41455494b704e582c92a08003fedcdcb4d3364f17e7f786ae3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0bcb1e08d90c15f84c4703991a3d909a |
| SHA1 | 6fb7d4ed24f7fe264a2ceeae0b80860c933995a0 |
| SHA256 | 8fea2405dd224fb84dbc73b2171b05c1afedb076593738ddbb69861bc81b1ccc |
| SHA512 | 92bce10cc70cec5bc7fea5ca6ed39492e8302c04ea8a06fdb5aac00f126f19a60200d23fa562f9c6acbc820e6679df5c1e19ad39ec79b6b6fecca56b171adbef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a3dad848bb4e37ff577aa24dc82e181 |
| SHA1 | c0dd52fc0d54487c9887824bd2c333ae17ee7471 |
| SHA256 | 95b50808a048227b449235ab2282c1f7d6df840c0de7f8aa2ee90f6e29255df1 |
| SHA512 | c52f5a06d1d5258c05a4efe0c74702becabda46a5c1efc134e627d5a4dd2a51e9bce90baad76f6d21874839e26a50bc94d4def5b8a02670074d37745bb12157f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ace8f4ee0c5974154e858f2c957ddd63 |
| SHA1 | e7bd41a64ca3c1ba84958e5152da38013e86fe1e |
| SHA256 | 689c83ccf8bf65444ffef470cf32c47fc0da815cc6487c9be323c1475748541a |
| SHA512 | cf6c30ebfcdee867acb90dc671e4de375363bc5d27d97b1e4090563203c03618bec3b9f70c4ac6f48a6d7614fb970ab46c8f2346d03fd54fe7a097f41cdab90e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 115f68079b59e770e5e94f4b2a94b684 |
| SHA1 | 669de79c7f70ed0164ad40df0e9b336be9d394f1 |
| SHA256 | f7067c923483876de1f1982ed7637e148a7c6798d4c3350c6261288023e664d1 |
| SHA512 | d110d4fb4629692d4c0542893ebbd026907d2626e4390f362c32ef3a4e5b22ef5a266aef2632226722756d68b06598e1e8a215d250fe3bc5d3cde374568a10f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d70ba7da8e047029c4fb02ffe989c73f |
| SHA1 | 012e0f1cec4dc1274cf2282cc46e6adf5238106e |
| SHA256 | f5cfcf279677372f8f0efb42c938d58050092fae5d4b1116abc21a3d0a7de7ab |
| SHA512 | aa4e7e321a5fe613e59287bc6d8011143f82a9f9e7e29c9ca01409820454e23da2ac8f9e15574f63451df8193e70e434a7b1301a3a3625f81c9a4575a791ba15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77bf85a86bd104c5b82a2e2a982e52b0 |
| SHA1 | 9a6530a0f03524e6ba01e8d2b4a5c357f6e68aba |
| SHA256 | 654ee396ecb619a8cd4fe8d6e0fa6e36ad420e54f79d7d2953cfa6561e5b5d49 |
| SHA512 | 25d997522b36496ec9c5c8e97083258772bbf732f3abae91eb38c7c4215cd21ddd8dee59341f0ab8250af657d86ab826103427d262c3278c484f93a0ca615cc2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7069524eb6889311b286a859a54fdf3a |
| SHA1 | 140697c1fcaf3138c163a4d6f7c71cea993b1c93 |
| SHA256 | c0a9c1cccd8885f68b39dd76242bd493ec8d005a4ebe5075ebf3206872b3d474 |
| SHA512 | f946938cd3a2a67cbf2b591eedb81b44d0450c059d2569a74fd8a39bdd3cfad02aa95925f51b1d603eec47bf33e91df9729552d5e70d85aa50c630274526de60 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 427c6edb50c83a3a8a7976905cb3126b |
| SHA1 | 070c80daf5a6f479bb8de128055dd8bbd056ab03 |
| SHA256 | 85057157863c893477dcf3821e36feaaa9e8a5a98e49427bddf59084318df35a |
| SHA512 | 7d48f636d43425d97b839cdcbceb4aeffc1fdd85997d80f3b9676c6f0f1bac600a1e5926c2d486e6695dd7a170040a6ef88003320fd94511491cb816fe2559bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b310286d54055188a669bd20836c2314 |
| SHA1 | be36727f142fe8aa8e3c412211923ede17b9dff5 |
| SHA256 | 9b26a48bef737e17cba6808fe91b00bdbcad6748e220ae9929078b2ac9fdaf71 |
| SHA512 | 19a0f70e822d8be7f3ddf77ceec6a0c6f6e136be39379cdc52cdc64486517a8c726051960ff638968a144e51e6efb078669865acb38780067747fefa07e75b63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f40a720cf4435d0facbc5b8913f68af7 |
| SHA1 | 67c7c2567d3b85ef3e436e764ed42684759dea01 |
| SHA256 | 9af890fa44f5466153cde5b568c3d244e46eacac3e52ebddd649a0cd3b30cbe5 |
| SHA512 | ec61e6c160f0af2d01ec4f8053c717a67d7c3c65d7109a04db4e964841d092f2cba1b9af62d7db9c2e8bb4631feb0f652a0441aa61f446de448245a268222c3b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0269a1b480f83f1194cad3dca9dff673 |
| SHA1 | c3b936fb8d2b24a1e79ac2468a0ecfd8c65ebe9c |
| SHA256 | 78ffe25fc1eed2bd2307be887090566143a4b0c81221c41c9e6393e0bdc0a3cb |
| SHA512 | 946339af30d3ba30f3d4c002b386529a7060ebde3cd141efd69193f5ce232f2464756f2ec768780f4a7e933611d0be67782af7fe5bafe6251d321b2282b2af21 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2cb5b4d7498b6c1f250b8ef9c16af2a0 |
| SHA1 | 2e0a167e389e52e4099762018a396b60ab382e1a |
| SHA256 | 742e4efa8b0b6b4fc69a5357ec2fef684d534f9d2be174c7d423048b451fa90e |
| SHA512 | 9cf542a9e2bbae8b96fb106bba7bf763ee8cd7a0f95baf69f2f4ba2d2f31d465f82012ec9b2b1dadc311e6882ecfccd121a9339da3179fee194b233f0830d363 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7e0090d97ec28b92593836e7faf51d2 |
| SHA1 | 46d3853553ad1969bf8f4e4210ac5412bb2bdca3 |
| SHA256 | a27cc1dc79db9ba265bb1104d2a212511eec16e80d9dde3445b9b3e8a2f4ff4e |
| SHA512 | 23272bac994c4bc506790f8fb84813fb4c4c3a8af6520dee358e63f11ecab3d6bf21bf30a4be0f2a65fb76035bb2bb82c60d3236786a9369b1b2b8c04c267570 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 63a92f9bc2dba956effa55df9ef4298a |
| SHA1 | 031489ec39ea8262e2d9d66bac468408a8baa2c1 |
| SHA256 | 7345d3ecb7b3a85307bc5631adb8cb8dcc55136d67fd27aa2da0766373bd1903 |
| SHA512 | 3bc7b72bc04fae87f79ac225831047d6f752c79c7b29cd8c098b4fdf5b198b1a6cd46baa54908996b60b614363c91789af98e9eb6fd3c9d27a1177479f3181da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59a533b415d69107659c26d4f0d3ce10 |
| SHA1 | 722ff43d4d819783e964fd089a884c71aa68d387 |
| SHA256 | c5f4d2ca04d16d9cf59c5aa29147b2b8cd50d416f29fc4bf656265685f2df8e7 |
| SHA512 | 3b2a6e691c33ce6de8e3a21a9925f87dc304ffdf03b9a58bfdae511adc9954a7d5ddc314230b0a8392fde812afcdbe5994a1584cec43e588bf317ef75c9619c1 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\model\content\ContentSortModel.ps1
Network
Files
memory/2076-4-0x000007FEF5C6E000-0x000007FEF5C6F000-memory.dmp
memory/2076-5-0x000000001B630000-0x000000001B912000-memory.dmp
memory/2076-7-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp
memory/2076-6-0x0000000001D20000-0x0000000001D28000-memory.dmp
memory/2076-8-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp
memory/2076-9-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp
memory/2076-10-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp
memory/2076-11-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
127s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\apps\admin\view\default\common\ueditor.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa8a846f8,0x7fffa8a84708,0x7fffa8a84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,4867519286496565743,3922270011745371728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4448 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.234:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b704c9ca0493bd4548ac9c69dc4a4f27 |
| SHA1 | a3e5e54e630dabe55ca18a798d9f5681e0620ba7 |
| SHA256 | 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411 |
| SHA512 | 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32 |
\??\pipe\LOCAL\crashpad_3216_QGNMWWHDXGOVVENN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 477462b6ad8eaaf8d38f5e3a4daf17b0 |
| SHA1 | 86174e670c44767c08a39cc2a53c09c318326201 |
| SHA256 | e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d |
| SHA512 | a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a9f7cd779a4dfcf85039cd4179d987fa |
| SHA1 | 7ee8a06f6e75d780f1bb1989ba1727c632fc6f35 |
| SHA256 | 6d5504e5f9ad0b9a1d279ed55c4f2d6e9f479e312ed891d198edc4935bf7edd4 |
| SHA512 | 852c5bd001a06e0ba288ab0226ea12c3f1dae8c8cbdd61c02125c65f0b0cb36341a6da13d64339561204e721a188aba98359849221414a7561e162d69215f7f4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bafeb8e61ddfb92f99d334a7459bcc5c |
| SHA1 | 17a9b70f63f5e989047f48f756cb1b82f412ff25 |
| SHA256 | baf14368f37a9e5dfc919ea905fd4686a40be2228f2f6394407d39795b8eefc2 |
| SHA512 | 48579ebc210919534f31b03f1038bff5b1c160ca2388e1269c89f14c1b1362b6bc1373cde873b09350769dd0ed2eaa44fed00651039f79bf0d675b435328bdda |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c9f90c34839ef4b6f3ec2e894e0159fd |
| SHA1 | 57312427bc6d80548dc14202ebc5a805c1c80bcc |
| SHA256 | 430cc856140d075a76e92f9e62f1cd7cb3cdd68fa2e68ba0eebbba3c7c8d389c |
| SHA512 | adf64ec83a1949d1a6789f014e1c60d8f029d24f9d802ca4052be8009e98f1ea43c695fc4924c3ab100ebfb54089202f2a33f52cae00fc4ab5db0432ed7bbf4e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4024 wrote to memory of 1116 | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 4024 wrote to memory of 1116 | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\__.url
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fang.adminbuy.cn/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4296,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=1412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=4376,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=5028,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5320,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5432,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5952,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4940,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5644,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| HK | 85.8.182.182:443 | fang.adminbuy.cn | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| GB | 104.91.71.133:443 | bzib.nelreports.net | tcp |
| HK | 85.8.182.182:443 | fang.adminbuy.cn | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.21.189.233:443 | www.microsoft.com | tcp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | fang.adminbuy.cn | udp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.182.8.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| BE | 88.221.83.224:443 | www.bing.com | udp |
| BE | 88.221.83.224:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 224.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud.video.taobao.com | udp |
| US | 8.8.8.8:53 | cloud.video.taobao.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| HK | 47.246.103.58:80 | cloud.video.taobao.com | tcp |
| HK | 47.246.103.58:80 | cloud.video.taobao.com | tcp |
| US | 8.8.8.8:53 | tbm-auth.alicdn.com | udp |
| US | 8.8.8.8:53 | tbm-auth.alicdn.com | udp |
| US | 8.8.8.8:53 | 58.103.246.47.in-addr.arpa | udp |
| US | 163.181.154.215:443 | tbm-auth.alicdn.com | tcp |
| US | 8.8.8.8:53 | 215.154.181.163.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BE | 2.17.107.128:443 | www.bing.com | tcp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
| US | 8.8.8.8:53 | 128.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| HK | 85.8.182.182:80 | fang.adminbuy.cn | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\AreaController.ps1
Network
Files
memory/1508-1-0x000001662D4C0000-0x000001662D4E2000-memory.dmp
memory/1508-11-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmcwojtr.4ah.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1508-12-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/1508-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp
memory/1508-16-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/1508-15-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\MenuController.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.241:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
Files
memory/3392-0-0x00007FFAAECE3000-0x00007FFAAECE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgowsdxi.5ka.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3392-10-0x000001BEE9A90000-0x000001BEE9AB2000-memory.dmp
memory/3392-11-0x00007FFAAECE0000-0x00007FFAAF7A1000-memory.dmp
memory/3392-12-0x00007FFAAECE0000-0x00007FFAAF7A1000-memory.dmp
memory/3392-13-0x00007FFAAECE0000-0x00007FFAAF7A1000-memory.dmp
memory/3392-16-0x00007FFAAECE0000-0x00007FFAAF7A1000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\model\content\ContentSortModel.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 88.221.83.241:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/4284-0-0x00007FFF7D4A3000-0x00007FFF7D4A5000-memory.dmp
memory/4284-6-0x000001F571460000-0x000001F571482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5anesdeu.x0p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4284-11-0x00007FFF7D4A0000-0x00007FFF7DF61000-memory.dmp
memory/4284-12-0x00007FFF7D4A0000-0x00007FFF7DF61000-memory.dmp
memory/4284-13-0x00007FFF7D4A0000-0x00007FFF7DF61000-memory.dmp
memory/4284-16-0x00007FFF7D4A0000-0x00007FFF7DF61000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\content\SingleController.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
Files
memory/3408-0-0x00007FFED0E03000-0x00007FFED0E05000-memory.dmp
memory/3408-10-0x000002395C5D0000-0x000002395C5F2000-memory.dmp
memory/3408-11-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3408-12-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kulvnph0.so4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3408-13-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3408-16-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240611-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\ConfigController.ps1
Network
Files
memory/2200-4-0x000007FEF600E000-0x000007FEF600F000-memory.dmp
memory/2200-6-0x0000000002720000-0x0000000002728000-memory.dmp
memory/2200-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp
memory/2200-7-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp
memory/2200-8-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp
memory/2200-9-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp
memory/2200-10-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp
memory/2200-11-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
127s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\UpgradeController.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/2244-0-0x00007FFC06943000-0x00007FFC06945000-memory.dmp
memory/2244-1-0x0000027DC4180000-0x0000027DC41A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhw5egqq.knm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2244-11-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
memory/2244-12-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
memory/2244-13-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
memory/2244-16-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\model\content\FormModel.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/716-0-0x00007FFE61263000-0x00007FFE61265000-memory.dmp
memory/716-1-0x000001C90D290000-0x000001C90D2B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqhvv5bq.vcd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/716-11-0x00007FFE61260000-0x00007FFE61D21000-memory.dmp
memory/716-12-0x00007FFE61260000-0x00007FFE61D21000-memory.dmp
memory/716-15-0x00007FFE61260000-0x00007FFE61D21000-memory.dmp
memory/716-16-0x00007FFE61260000-0x00007FFE61D21000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\DatabaseController.ps1
Network
Files
memory/3008-4-0x000007FEF616E000-0x000007FEF616F000-memory.dmp
memory/3008-7-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp
memory/3008-6-0x00000000021D0000-0x00000000021D8000-memory.dmp
memory/3008-8-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp
memory/3008-5-0x000000001B860000-0x000000001BB42000-memory.dmp
memory/3008-9-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp
memory/3008-10-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp
memory/3008-11-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240419-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\UpgradeController.ps1
Network
Files
memory/2364-4-0x000007FEF460E000-0x000007FEF460F000-memory.dmp
memory/2364-5-0x000000001B600000-0x000000001B8E2000-memory.dmp
memory/2364-6-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2364-7-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2364-8-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2364-9-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2364-10-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2364-11-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2364-12-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\model\system\UserModel.ps1
Network
Files
memory/2184-4-0x000007FEF5B2E000-0x000007FEF5B2F000-memory.dmp
memory/2184-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
memory/2184-8-0x000007FEF5870000-0x000007FEF620D000-memory.dmp
memory/2184-7-0x000007FEF5870000-0x000007FEF620D000-memory.dmp
memory/2184-6-0x0000000002790000-0x0000000002798000-memory.dmp
memory/2184-9-0x000007FEF5870000-0x000007FEF620D000-memory.dmp
memory/2184-10-0x000007FEF5870000-0x000007FEF620D000-memory.dmp
memory/2184-11-0x000007FEF5870000-0x000007FEF620D000-memory.dmp
memory/2184-12-0x000007FEF5870000-0x000007FEF620D000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240611-en
Max time kernel
133s
Max time network
128s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000004cb03d5b51ede9a4bd2f3236ee8c842372b776195c38a5ef9dfe3cad7ca958c0000000000e80000000020000200000007f6e53ffd1d955e223ea6a4aab1e1e8589b8f3c801e672df2ed13ff76aef5d8420000000ee7baabd352a20391b4e260c4c27c571b60f4f83b71ee7cdc89a263f2a5df15740000000147a817b02ea4d76fd5a82937dd24cb5b59c903fd79dd655a95aefb706813f83d12884bdbc536e2e374a99f8dc3f6a836b9bdf6313aa81ba05ad966159ac37fc | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425222078" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07C7FCF1-3095-11EF-AFF4-E681C831DA43} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a231dca1c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb810000000002000000000010660000000100002000000049df87eea325395dc042385ca25c633ecced6fbb5c54416c008968beb7cf48ad000000000e800000000200002000000018c0eea6e11ffef012d49c722f8609483a40216109e3c815b6184d1b748760d0900000009a8d1f27d198bfd38927e98cd5ea72502965e8a1b28c43dad9b603ed52a36583e3987dd4d9a38caf13f2ab283cee39b544d189a42e5483b2d9b89f3d0a25fcf3745be386ba625d16db8c80c6ff8882903e5da612e0b706ac20826c3922de9d2e09073411dafa7ba69204b87b8a43d57dd5b153430805f54325fa36b98d7be3aefee96de38b982b79df6cd772a2798d6c4000000081a6513cc47cde9b40ee6489be8676ae5c592cc2f8c7f23e68a3f02b5f534d6c3fe145652c95a26fda9eee3d9dc155ff84b2218ec41af2c01bda7bb68a318adc | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2900 wrote to memory of 2768 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2900 wrote to memory of 2768 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2900 wrote to memory of 2768 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2900 wrote to memory of 2768 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\apps\admin\view\default\common\ueditor.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab22AF.tmp
| MD5 | 2d3dcf90f6c99f47e7593ea250c9e749 |
| SHA1 | 51be82be4a272669983313565b4940d4b1385237 |
| SHA256 | 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4 |
| SHA512 | 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5 |
C:\Users\Admin\AppData\Local\Temp\Tar2353.tmp
| MD5 | 7186ad693b8ad9444401bd9bcd2217c2 |
| SHA1 | 5c28ca10a650f6026b0df4737078fa4197f3bac1 |
| SHA256 | 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed |
| SHA512 | 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f66f52eca3a62bbe5da0fa6c653382d2 |
| SHA1 | c448ef81e821df1c234fd3f5076c9aca4420399f |
| SHA256 | ab88b19f7b62d765ad87ad80e62df267fcb0cfdb07128986aab302120c13226d |
| SHA512 | 9cc7cbc064d26cca7fb54d7c4ec8ea4d6ba7abe3ec5a758c3da009809118c8adf7898ba881633044ac0c9d190dca2ab6f9ffe0c0928b7f819d4cdde9ac2e258a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1d9037f7a4fab3f7a293d1315ffc555 |
| SHA1 | 97eee69ec34dbd9f397209bf0d34f64b4aae3546 |
| SHA256 | 69b747ba8507f6eb681919591e14beb942e7d92d59049d3d9811b4b238da678e |
| SHA512 | ae5332a43a57c22ac4f5261481e67efeb92371b8e9d493dfa602a4dd7f411158bcf804c23367e3b8c28a5854bdd400815aa27ad16ee1f805e128ea0ee9c798b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9881e021fc96ba81c531209c732fcb8f |
| SHA1 | cd187faae975354ba45df625f3a356ae9c62d023 |
| SHA256 | 1b81e2a9662baaae57ef67d7e516a0bafb8dc152d3fcf7dbd4223f727444539c |
| SHA512 | f27dd83659ebfab4ad8cc270b6bfc812bb15d74e4d0a379131c52b93ccfdf5bbc0dfb0f2addffbb8601641750aa47541b60234c3b5299a13106fcf7952bcd328 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f941cd143469d13af5a94e2ad5207d7e |
| SHA1 | 6ae6e666f6f2877a6c6222c9cd21bbf2a3fb5e10 |
| SHA256 | de49286cbdc2f8bafe716e69b8a774bf8325d8b2b18591ed92248be30d5a9600 |
| SHA512 | 37e78c408b45ae6c17f6daaf1a46af384b408bd3f25dd71db5310ca9621769f37ff7b5ffaa7e16bbfc4bab9aedc191c6a8bd1a9ea0cd9ef68f29d591a01689a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b64e5a4ad46d9fc4715178e58f7d901 |
| SHA1 | 4c1dbc1f56e8db329d70f8c2558c1d4be9acf787 |
| SHA256 | 890f965de2008d8d1161f8f63e4b5a875430c6cfee584f26185b74c9f3ad00a8 |
| SHA512 | acf55267017a7956295ff243c9f0bcb69a70bd83140d6b0af5c63a4494b011ad471dbc0611e9fbad950a6289058f56d46e76f1236f6243bf081891759cc5b7ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6590d8a4babf303fc6a8756e7268664a |
| SHA1 | 62531eca64f115773f651d1572b7749827223f6a |
| SHA256 | ec6e5bae1700d0ebb7a2d6754a515d81bb28068e71e6dbcf1a8597e59244edc2 |
| SHA512 | d17c15cc0659d45c8d394b34bfd941a1050ad78b1fd8381a2083515e61f1c60296778bd732d6776c53d91435764738a19a155cd63fa858ec28f86c9b0be85a10 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af257469d9ef509c3d9d7942da0fab1c |
| SHA1 | 3ec8e9d4302a6f55f29b8f1afed1d70b5ffbf2ca |
| SHA256 | c0e5bb826bc155298d08579d3782cd3c20521d81322a81b99228b86cac5eabfa |
| SHA512 | 1b1ac9295988c76b871b5f185000675f9522bc4ffd8fd5949fd88bd8da20d06063458934a2eeba5da19b61696488a17037d686edadafa2e4669c2bff5e023f30 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 23a11087f88576e81868a9851dc1b396 |
| SHA1 | 3a3e326db6540c07eb9f340b10c7b0d24e3c5a97 |
| SHA256 | f94d6ab421dd3a780b91f45b827548c12e80765479c9c011ec5cb3e0c7b9bdb2 |
| SHA512 | 6195024517eabd110ad7e429aa7e8aec6a64b030308525f5030b94e440bbdf2354fa60564546a05783e0b50e587e49a3900612bca2976686a65c2470a4f0d83e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47a4330f2176f675cfb60c4d97458e2d |
| SHA1 | 1bc18706619fcfbf05b248c696e6193219de8858 |
| SHA256 | 6d763916114de23f52a2c669765f28d51cc61052dddce892ee18b2bb13d396e0 |
| SHA512 | d5daae009a2799c6d8a7f415156ba3f6a63e28b9152e0e50555bda8f8ae51008b51aa6e08b414a58b3ba29e19b522e25e92ec6faba37612274b0e0ba7d9bc9e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 782ec9dc3dbbe8b5053a23d92947cb35 |
| SHA1 | 46bbce1fcd4170ffda7cffd4d8bc46d98c4c6221 |
| SHA256 | ce8fd13052e301dec2ad9a77b8384cf113e072ddbc889c026e83214b743cd59d |
| SHA512 | e1a9522219652be29320e3fda410ae3ff96097ae10ecede3190fcd9554dffcfe4a5c0b41be74356f03b65160ab2b16f89d7d2de027305ad0089329a91b76ebd0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9678b26e0f75c7d289f77030bd28e82b |
| SHA1 | 0f9b0cb6401168489b997e5967ec6b801cc14366 |
| SHA256 | aef542864a7f13dca5eb7426568c64926a0f5c8a6db33c85753660e3723cbdfb |
| SHA512 | b47a9cf622472c79da8b5c7fdc8eb5dd331207da6a554d365c4423b091f714cb26109d5bdb4dde85ac2ac3f6c68bd0392cbc233452ce9fcb9575da904c0b4cac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc3b14a17a1c64258e91a79784eaa3d6 |
| SHA1 | ef14f4fadc10a27198613932f8fcf2955eb3e0a5 |
| SHA256 | 0f8da8e407955a0c1263a4f80facbbc8179b66507cbb831bfbf4abe9dd521097 |
| SHA512 | 218e108dfcb6e394902233211aa8a9f6063df88b8ab45bcd6ba92fb205d997dcc3cb405dfd0db17afae87defcb19102f1a34c93a14dc4a5974f46a06693b8a7a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5b060da705decb544ec4c96f5abc820 |
| SHA1 | cb06d07f94d4768f66ae81e33713845b367dec03 |
| SHA256 | 4eebf7bf06578ee06d20725ffdb61ba803730bb7df4786132423e51117e32f08 |
| SHA512 | 6628910fd195df0f7177671df9d10f6fe4240ea2f1c67e0bd9174bdbfc7ec5a5cb3cde05859c76b5ce0cebdc4ced93c0880cc2eee20ab4f6605316b4bc573310 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7671206271e0ac737647b3b997cfacc2 |
| SHA1 | dc5a6805152b671ad397ef4bb01896a4d35c6f90 |
| SHA256 | 5738a78ccf843c26f51f42c32e9bc8c8a3c5e1c53454add579bf9ad7b98ed22c |
| SHA512 | 0f6ff94ab76706fbcb4f1a8422a0db741613a7deeefbceb4d890be6d15b9d3cb72886d775bafa19f380f52e0ac363c7468513f4a8cf0805f0560eefa5f4d480d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 892a8b121b2f66f660a9a712524867d0 |
| SHA1 | 42aab08d973d9d3cce1c8fcc2e0c74766fef2db3 |
| SHA256 | 7983af4dc36e556579adfd06c450139c42bd5b3468c1eb055debb75e8b506f14 |
| SHA512 | 7d11bf51d41c19603d34cf2d4ecc3d4f6c452ce0af4a3c9b3c3f5c1ffa5ca94fcb61596571cd9ead7063018438997f8d8e660df3be181081f4a2dbafc135c090 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e05d72e52f6cfabed94e943fd7d18980 |
| SHA1 | f0efc7993a2debb14b1d34f376dbacbf0437fb86 |
| SHA256 | 6f43ca1330ad6942429c192fb22edf22cc70ec44961b1799dce789ee58e63268 |
| SHA512 | 231fcbad70dcd26d4e8978d6bda0b10048c6bc6dc8fc5cf389f85ad0508fef3943201c1c679844d26539f1c7dc7147f6c0b1b78a7a8efe691d7d5ef766ae03cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 839fe406aa1c46678489608ddb466723 |
| SHA1 | d061673ee9d27b91282d3f0e01268f66a56eefa9 |
| SHA256 | 23e51dcae6714944b4c91db4329c2908715ac56c61a814d6991286f681de81fb |
| SHA512 | 2e67dedbc946a2f71a0dfbe0b9ccd2e9166cdb6b51f4ab31a6aa03115b74c6abfd2997d267266d4c6a933eac57b96e6117609dd601323d41a7e4a9d1606a5413 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9088084bef1a85adfb575f614cd210e |
| SHA1 | fe0eac472962fd975ed6e229d255a9acc46bfaa8 |
| SHA256 | 5500dc55463b79da76e0f1136d7b2f2fee6c5f8e05c4afcfd5660cc96ae4b6a9 |
| SHA512 | 6c4b55370317ca253deeb4004786c5ef9e9f3912488d07cd35339d5abbef71e4ecee4b9835883cdf6f977d5262f764589f01f1f3ffe3f2025083f0b3e1f3b897 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e28cd301c23238715759b8ba3223f635 |
| SHA1 | 7d5056c93fa4af1b6df3f17311561cee569e85ce |
| SHA256 | 82a61e5b95c0fd707c7f723162c3fe09b448b49bd880a74d90f6018592b80b05 |
| SHA512 | a62361b14da56adaec4d7251af300b72313c243a7f37a2e7d25f0272998ad9dc8a7dfbce6760bb97368d845d3d6e46c08ec38a31b9e48adbb88b19d7327a7528 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b8a3d0846597f2625248b4b25454780 |
| SHA1 | 06cf14cf33c9c820864349d195670fd001d90ab5 |
| SHA256 | 5690c7c127d57c3413d36910d25d593b0a2c82d59f7451f78f51ab349464849d |
| SHA512 | e1539d3985988cbfa44cd63635a5fdf20fa5e5020a350e77286d5678cf435c8eea08ae2fffe7142b60a37fcb473f765fd5a3883ce57a4e9245cb2976793d897f |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240221-en
Max time kernel
121s
Max time network
130s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\System32\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c890d18dc0e61438bd1cceb3572067a00000000020000000000106600000001000020000000527ea5b6999afe1c55151d27d61c484beaef6b921b3c7f6a84cc863a6a138837000000000e8000000002000020000000b411e8c7c773eb2fe4c4f4cca71f590c99b27efc0665529982b7849bbf8b3e77200000001760cb969698c2a2f4112651a7e54813b863b233836739b71e59f84b8a887dac40000000abd21c2dea96a99bd1b97f05de87d2f95dd8b6294ead17329cc157c54ce4915d852899122d2cc5f57b3837b9887e48c6ade45e6249df988b59b6cfef8d9b1d00 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425222079" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07DF74C1-3095-11EF-92D3-66DD11CD6629} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c890d18dc0e61438bd1cceb3572067a0000000002000000000010660000000100002000000060985a180b38df113837614fac3dc48f90727dec7f7065ed1449ef8e9e080d6f000000000e80000000020000200000005626c395ec7d90e904fc3c7a1013add7cc884f9f6df686e3e12a685f07d69e50900000003d75748c73e6db3c5f2ec880ea447eec9782dcf7ddd3c8703c8645388a9ef4c2fd79c078860038a3d37c3b352291b7e36516b9cc9b5a2527b3e3b8def9adc1253216cab3aee1f5550803c3e48a569529dc9879534a5f15da4a36abe10db0c3b272579437102981eec4ef33f4b3759a69bd1641b0ae6193aee057c5b28279f5e2d04e3da1680f382b5d2bc487d6b07b9e40000000a57c860b5f130449c351e577e0651ae9ba16904cf707bac4cb0c8d3821a955fabfd5fd7d0e364ba2a24f7e02b0b160201940cd8995f83ddcbbcffbaa2d53c310 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b8bbf5a1c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1644 wrote to memory of 1248 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1644 wrote to memory of 1248 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1644 wrote to memory of 1248 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1644 wrote to memory of 1248 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\______.url
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.adminbuy.cn | udp |
| CN | 61.160.192.101:443 | www.adminbuy.cn | tcp |
| CN | 61.160.192.101:443 | www.adminbuy.cn | tcp |
| CN | 61.160.192.101:443 | www.adminbuy.cn | tcp |
| CN | 61.160.192.101:443 | www.adminbuy.cn | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1976-0-0x0000000001D30000-0x0000000001D40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE4C7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\CabE593.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a69fbe61f3fa84c68e174c5f702a6cc |
| SHA1 | 7440155182981ce6efc602b7a2519e28fc772cac |
| SHA256 | 90f6ef8d21569e8abaf7a0d30a2bd661f45de173ba1c7d8a1931de9ae923bc98 |
| SHA512 | 18695bee02077c5a239f5941a80fec78f4b8ff7495b7802d6e0dab8f82274f27f3511933942ced8945373de748bd0fbd7b2b2e0ccba575d05fc5422e62e93889 |
C:\Users\Admin\AppData\Local\Temp\TarE5A8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81b653af5bd6dea3f99d100bfaaf658b |
| SHA1 | 398a9e78b52f3b12b0ef6dd6a0395bc2864204a6 |
| SHA256 | 2179bafa0a4b0c8eb790654aef4d8c90e10a1e32b8d105ef3e84ebe6914cdf89 |
| SHA512 | b590c26749ed5a1e0305e9c27001830e1ee2817de87a147092bf658988efabbba6102cb3a71d539dc089c1f691887126d364c188a8d6b7f8bee6f8c0667567eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aac2cc4369dbd3776838843c01d92a2d |
| SHA1 | 1acb2d5c6926b39d51236af7abe87fd9af6fd186 |
| SHA256 | 816cc83750eee62203fcb69ab23d6dae6a3ca38eca3c1135da5a2bd12ea0fa04 |
| SHA512 | 756afa543a2278e77a623125309a33e42899134384091031ec0250def8c18f63d0fd8d3d82e9a0b11aad8016f35d4eebae9a6a970882855bacaae8a0b1ba2de2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2a867700a38efc895278a0273bfcf7c |
| SHA1 | a98c0996a8a0cd39e00299f0fadb22906c79ca8e |
| SHA256 | 0fbf010b854e4768c1ee86fea7078066f392316be88684b3e9e6f5acd71fa398 |
| SHA512 | 4ce54ba9dd840f38c9c2cd17a10c1a26c8bedcc743e954eea35cdfc71d9c66484cd3800198d3fffe502305b7e852e09d49aa300bd21bb35d10facba008ea1be1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a98565d069424d6ab54a9e4d3217bbc |
| SHA1 | 7219ddf0663ff0b9c3871782fb48e74d8a166410 |
| SHA256 | 6a009f0507da6f6094d641d831ecba785483ff1040da5408b51f33912125676e |
| SHA512 | 2caba9a208d225f90bc8aca51d69bf34eda404954dc64dcce2d54a660d283f11c979610e4a053b20e2e394105b56fad7583e93b281c34986671d80f56503de46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00ddaa585871e1fcf48e2ccb26053c0a |
| SHA1 | 8c45df85dbf2b5eea4852af2fda2235ce7605504 |
| SHA256 | a3c69cb07216d36612cf39973845d01aa59cce3963a1b4c93bbef44035b9bdc7 |
| SHA512 | 86f3e62eff7bd1ddedd29544f34027cd0c9ee3c95f343c780c4d18b5ca50f80e0e8abc75b6cb158fae98021548ab9e2c860069af1b1a4f9d5d6cce6629e03523 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64d769380f351c20c86cc9144e0f80e8 |
| SHA1 | 7c6308c94558f3f8218235e9cb8b10420742ba35 |
| SHA256 | 86a13480e584c449ef0e281df492bd0c2162dcf02baa18843ed031d14d3415a6 |
| SHA512 | c5fc0b1574d6f1dce27b1eaed5658111a12d56da134ae46c8f53a567e754263640a981d22c57fff40d0e78c37ed4d2037098b6f57014e9b25fec65dcd0d2bd27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65a7210c8927c7b82346f11bf405427a |
| SHA1 | 88bebebab86a5c8da408543db148fdac65f20c4b |
| SHA256 | 350e3394e0fb43fbf58efbef5de62bc4452cc72d247011c9ce8ed4aaa4c879ac |
| SHA512 | a4a10d1803feb53133023d19db70f4ee5bde703817b9eefe53cc5de41ad3756f528de0cba22e688a01c697f9ca1b381c18f7bdf72600c2e8dda0c0772c51050b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e73e7451d75a16d10c1d704ded3f2d71 |
| SHA1 | da027c4487b8e58438c5374e55a986d9b93effc3 |
| SHA256 | f2c86b5b65bbfea9e266cd4339b83b1784e7c672e78a5e5b1e03885dcb50f15f |
| SHA512 | 6c62cc7acd7a4272a8c162a69b231a60a77df1b264cb53f6232ae7a73ebbaaa764a763fdd13440b79829a190323c56d19e1950feb36e06d7e34e6a30d3881823 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 831c1fc28e03b995cb726b8fd87b7655 |
| SHA1 | 0d83e436b8f52bf4e456290b81c47e751ab24518 |
| SHA256 | 99854c5899c471da452cd18f12a69114a256c1e29397af21ed9451afd4c14c6e |
| SHA512 | d6515d9c02a75d9e589ca274d716842228bcc3660cc1f07f8bd69dc8ff667d6aaeae0a7787d552e83550006190de96d127a2bd0fcf76c2784a331a157da42581 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca65939849b3403a353705b778d2cc7b |
| SHA1 | 95e1608e5401bda9837ae5b4c82287e9d7cc58fa |
| SHA256 | 25ce2409f0142bd5cc0ecfff1e89f339fc2272c1df88f3b5bf57f9a4180b940e |
| SHA512 | 76a2c41cf12ac72e4951916d281cd3cefdb7d95c0a415c2dfd80ee6a4557ceda462a6294cde801ef1de5342c23b3676a83be73c0871b23112007a5b9604b2e97 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 505313706ffc1f2b0957dfd150cd91fc |
| SHA1 | 4daffee6ef3bc63cf4de61efcf7f1f74814bc227 |
| SHA256 | e26012aff3bd8e2dab250db16e7b393bb3fcb60bb443582667387b2782875cb5 |
| SHA512 | c9f29963dda0e6a147d7fc92e3f4b6846ca46494b872ce7d544affae664b72289fa4d6439b43d633b1ef0d401e859444b55f43db2f771fb3b54a2a4f2fed5372 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26d5f11798d64e20200bfbbe0804739a |
| SHA1 | c4b5b199c7cd40c3574c4b4e803da4868ab269c4 |
| SHA256 | 312446a74d3a0d75dbfdedca072e6bd3ae5ac9ccb70fbac8cbb7329616dfb08a |
| SHA512 | 8eca233a0cd3c8a56cdb64243ec94aed94fefaf5fee6252b3ffcdc0736334407027c5e856a63bc5477fff845fe2082b05316453535129fa71d835bf8d4477a43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc7c498b8893b79cebd4848f1235fd6a |
| SHA1 | caff862cdd67961f2a3a3d4ce42cc2b54103b508 |
| SHA256 | 01641832f9125446e2f2df2c4841174ed1ee9cce5eedd02eeb7e6c93dc7a8820 |
| SHA512 | cc3a102fdc6f5870d3c53ddd25410444ae63fa9c551e2845298458a2ba2b968e3cf7d2d3ae6305351d67300d73349af9a85212ae9af79e97c903968c5b213009 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 62934e564ef8951b27240d52864a0bba |
| SHA1 | 42c8040efacc923b02aae8f2131ef86e104e31b5 |
| SHA256 | 9cbd2f0840db862c1584d65d176866c083e7ff06888f61d634e63747681e9660 |
| SHA512 | b6e3c7bc9f10744750add9a7fc12a585b91b65b5f63ee371056f45e11fd86d4b238cc0c0aacdf089d878b250cb4ea776d434d3be7bad265868516da44cd22f42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e16d56daff1ff46e6dfa35c4970c61b |
| SHA1 | edbd179b31671fce7c7a0068dee6ba826800fd8a |
| SHA256 | a7d99c43cdf2f60a890048a3c31cb392e3dafb9a4832ee009b1b39fc5dfe1a57 |
| SHA512 | e9c099a39a29a94a385495eeab6d8a941d026ef441ed1818b44099b8e5487616e8943e535f648bdcc182c2226dff263c7268317a0fe8d906bf390d6b246be9e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2187f8337ac65ee43a78437c42ac982e |
| SHA1 | bc8ab398a77aada56cbb620a927d863767bb8347 |
| SHA256 | a402b8ba30cee1448c32eaaadf740cd8ebe950e8ea2ffe4d1cb96ff1de863048 |
| SHA512 | e3c9389c6328278999f683743fc9fd0b395383c7c18f584ac304ff02c703b84abd646191e6712cca6b64448c80af151377d64a4c317f196e6fd6829444e08450 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b234224e29f85edee37181a4114beb18 |
| SHA1 | 0ff119af9a79623e839b029b37f76aef33a479ab |
| SHA256 | 297a9fa69f1b75031291aa13452e66e1cdffeadb8db1f543ec86cdc7174ff518 |
| SHA512 | d380b0cb58c721045647ec18ad8bd43fa4b6d756ee28590b208ff3ab96a1250e71272711f9825ba093fadfb65a98f0b9155612124c5905c5054e014eebb74a09 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 616afa25a496287d0af6f73f02480e34 |
| SHA1 | b5c752dc8a0e52cfd5e80e0ac82beb191ad67fa9 |
| SHA256 | e34524c6cbf16571173f199c877b4d5fd53fbe7c6244c405507b0d2ab54cdcb1 |
| SHA512 | 36cbdda106eb4938a7a747c1253f68df7de00fbb97270d13348251a737f3faba0ae8908321af64fb291ddc982b8d95be4857029edc3b07e01a9c28e1c34030f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79322d0422083d229eba9d3ac2373102 |
| SHA1 | ac63aceaaf1fd759cb9edf9f74702395bf297f9f |
| SHA256 | 044ac16cc22356262083d5286d2751081dfc9533ba4aeae40864743043c400ba |
| SHA512 | 2093ae259f842ceef5f49a4363cee73157bb397f1f96aa51fd30bf9db61441ee0ff070f0055cfa774eb5e299ba3d7e80248562cb0926a2c8a201d928adee61e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5e533490cbbc78761c80c9eae7d37a9 |
| SHA1 | 407e10bfd838478ec8b8429aeed5c7eff6353500 |
| SHA256 | a3f6c4009a6b761e4f3c6e0e3b561954a68bd6813f2379a459bd5dd184b6cd1b |
| SHA512 | 8a06c8b609948e02bb666b629b66aae105446dbb812e045af5bdb3019e66a0782b50c6c82399c75fdd181ca2c809d71db500d00a8492f126a5938b43c90b7195 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\content\ContentController.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/1696-0-0x00007FFCCD113000-0x00007FFCCD115000-memory.dmp
memory/1696-2-0x0000029D68560000-0x0000029D68582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4a4gda50.ipk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1696-11-0x00007FFCCD110000-0x00007FFCCDBD1000-memory.dmp
memory/1696-12-0x00007FFCCD110000-0x00007FFCCDBD1000-memory.dmp
memory/1696-15-0x00007FFCCD110000-0x00007FFCCDBD1000-memory.dmp
memory/1696-16-0x00007FFCCD110000-0x00007FFCCDBD1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\content\ContentSortController.ps1
Network
Files
memory/1724-4-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp
memory/1724-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp
memory/1724-6-0x0000000002670000-0x0000000002678000-memory.dmp
memory/1724-7-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/1724-8-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/1724-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/1724-10-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/1724-11-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/1724-12-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\content\ContentSortController.ps1
Network
Files
memory/3984-0-0x00007FF8B1253000-0x00007FF8B1255000-memory.dmp
memory/3984-7-0x000001EC385B0000-0x000001EC385D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wq25m135.afe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3984-11-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp
memory/3984-12-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp
memory/3984-15-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp
memory/3984-16-0x00007FF8B1250000-0x00007FF8B1D11000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240508-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\AreaController.ps1
Network
Files
memory/2400-4-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp
memory/2400-6-0x0000000002690000-0x0000000002698000-memory.dmp
memory/2400-5-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/2400-8-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp
memory/2400-9-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp
memory/2400-10-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp
memory/2400-11-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp
memory/2400-7-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp
memory/2400-12-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240611-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\MenuController.ps1
Network
Files
memory/2200-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp
memory/2200-5-0x000000001B3D0000-0x000000001B6B2000-memory.dmp
memory/2200-6-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/2200-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/2200-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/2200-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/2200-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/2200-12-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/2200-11-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
131s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\apps\admin\view\default\common\head.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa811c46f8,0x7ffa811c4708,0x7ffa811c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12976632123781254573,2478462133382076477,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5464 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | eaa3db555ab5bc0cb364826204aad3f0 |
| SHA1 | a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca |
| SHA256 | ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b |
| SHA512 | e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4 |
\??\pipe\LOCAL\crashpad_1832_AVSBPDEOEUAKSWOC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4b4f91fa1b362ba5341ecb2836438dea |
| SHA1 | 9561f5aabed742404d455da735259a2c6781fa07 |
| SHA256 | d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c |
| SHA512 | fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | faffb4e61cbb2e2190c983fc539921b4 |
| SHA1 | db1723cc609f9a6c98fa7e2e9abb8e23f1419307 |
| SHA256 | 2de4e04ba5274f76789802a3c6698bc02253fd59f6180de745dabe85a98ffa8d |
| SHA512 | 7f681b2571c96162fe0a0c673539a91f5fdb1c878f4f74e7963e1f3ba61621373c74494d785ddd27a4feb7ba91e1de1ed38f36b63bda5a3d08a7b1d56f01516d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f55dad7e6667947e1323110923cc9103 |
| SHA1 | 71a4a38923df4596e40045b92e8f0d1db6d706cb |
| SHA256 | dc50ab242fa72b5b93a994b0d8943685bcba76b2cb431337349f7be8ce2b62c1 |
| SHA512 | ee27a3db60ac80fb2ba692819a1131149cbb14aca662aafc4e643ca9fc8e56e3aafcbaffcba1813f2aaf721358dc46788a5dbb4caa48f28e1eba936e70750fa9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e50ddb47fac4195674d0bd77e7007ddf |
| SHA1 | 57a6177e63ea590931d625ebe012c3037495561f |
| SHA256 | 69e9b526d05233a4756f8133ff979e882d92461886e81d0ac5bd09ceae6db164 |
| SHA512 | 98b172770e11a278bf99681da83a8242fced992fc10cdbecae7055b781c851b04f499dada5d7435f407047324f6f34df587fefd745f51e784881a983ca6b8708 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240611-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\ConfigController.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 20.189.173.13:443 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/3056-0-0x00007FFB16EF3000-0x00007FFB16EF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m4nqbrj.2x2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3056-6-0x00007FFB16EF0000-0x00007FFB179B1000-memory.dmp
memory/3056-7-0x000002BCBE480000-0x000002BCBE4A2000-memory.dmp
memory/3056-12-0x00007FFB16EF0000-0x00007FFB179B1000-memory.dmp
memory/3056-13-0x00007FFB16EF0000-0x00007FFB179B1000-memory.dmp
memory/3056-16-0x00007FFB16EF0000-0x00007FFB179B1000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\controller\system\DatabaseController.ps1
Network
Files
memory/4364-0-0x00007FFA03793000-0x00007FFA03795000-memory.dmp
memory/4364-1-0x0000016D4D520000-0x0000016D4D542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0h2ao2o.pnf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4364-11-0x00007FFA03790000-0x00007FFA04251000-memory.dmp
memory/4364-12-0x00007FFA03790000-0x00007FFA04251000-memory.dmp
memory/4364-15-0x00007FFA03790000-0x00007FFA04251000-memory.dmp
memory/4364-16-0x00007FFA03790000-0x00007FFA04251000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\model\content\FormModel.ps1
Network
Files
memory/1936-4-0x000007FEF629E000-0x000007FEF629F000-memory.dmp
memory/1936-7-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp
memory/1936-6-0x0000000002860000-0x0000000002868000-memory.dmp
memory/1936-5-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/1936-9-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp
memory/1936-8-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp
memory/1936-10-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp
memory/1936-11-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp
memory/1936-12-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\apps\admin\model\system\UserModel.ps1
Network
Files
memory/2588-0-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
memory/2588-1-0x0000026B06EF0000-0x0000026B06F12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohlclzwx.2ts.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2588-11-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/2588-12-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/2588-15-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/2588-16-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240508-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{071AADC1-3095-11EF-B393-E64BF8A7A69F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000cca90c185c55cd3c73fad4b66fa5d7f22d7f6c2fcf195dc1f2bd5549d21cf72a000000000e8000000002000020000000be8e00e7a5859b2c5068ebcb265fec1450c344302b243b192159b6693d3e761b200000002b3a7930d0bbfd41d385fcf524c676e810e0e2fa41d79f7a4a8036e38207364c40000000af2eac1580b0dc243e72a25d8e09d28a5ba92ccafefae0718c8c710bc4236c00ebfc288e13a0fe5020fc301f1addddc3e69aebd184cbcb8d73876db17acd63a7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000008dbd481fbd57110a24bde1dd899dcf2ef33e22ff743810ddc24fa6023a5ad384000000000e8000000002000020000000bec74ea5bd386939356087b79ee31eeabffb47116650bb3b2034942eb23ae14490000000e8cf0ba8ea17d6146b9ff735601cad8d91497156e8b94a999efc93c2bc172d552339477e7dbde0f9a6078f435b01b62127edee9731df88638c7e800c2513e7f77847736bf5f561a233f5d0432e1d03c3ae3a3186bcfb8fbae858556eb702b0975609077d23773a590a28ddcc918c2e9924764f2aaa4537d86199efcfae64c88096f9fef90c3ada80f740482ab6f03acb400000005e3f828e1e0a1e69c462dac0b67a6ff98527377e1c6e5c3dbe14247a72c53d19ba391797233f94d2e6ca435ef1c3e693d1da575a1600625c84692081e78d155a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 309e8bdba1c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425222077" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 1316 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2932 wrote to memory of 1316 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2932 wrote to memory of 1316 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2932 wrote to memory of 1316 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\apps\admin\view\default\common\foot.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3AA2.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59669a84a5c25e2b520ef0124e6b4ea2 |
| SHA1 | 2c2895a1a29836210bba2b655c138adee3fddf19 |
| SHA256 | 9c50f9552903b8369a46cb7413b46fbd5013ec317fd9a2718d8cf6a59758b356 |
| SHA512 | a40e6143134eeaedaa1e018762554105b2e24cfbe5183c05114314cfe156ecbb51248beb6488e73497b965ac64dce592aa8e76b4983bf0c4e1abbb7c4d759856 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 155638bc37578fe5a702a08da1ae199e |
| SHA1 | 8303b60a2cfb5044e2879f6560b37817df1babb6 |
| SHA256 | 89bae0c56956677fa760d4a0c6a51fd3ffdab78c04cc99621090c5c714fca7c9 |
| SHA512 | 9a0d9eaa649b7960f29851a80b64e84a70fb4fd98a0f5d43905c1dca3ddea20c41416a67213124e9dceeafe75c4eea9453f2da73c1b56a80f1e0f81f3ef8507d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2f342ad3dc218df12dd0addfbde22ee |
| SHA1 | ef37404bc2f6a3ea9bae78d815bb4fa2bdad425b |
| SHA256 | d01bd67b064392a554b9d25feea27bea865b6acddf4867a45d82804f5866ecda |
| SHA512 | 3bb586ffbabf8ccd45cf7cb361c97ea134f107e8542b4344ebd3b0e0181e4ce8a43cb4204a789c767162444a56eb178226ac1e25235371aa5e985e964d5a97be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4705f4fc0c62ad21cb044e3697f66578 |
| SHA1 | b150e60a507b1f9d795d820ab4ee1c621ec41077 |
| SHA256 | 2e732ff519588760321b086b9a401823c4e247b3f4610e3979a9797e5b68c08e |
| SHA512 | dd4dfc082b8a0e75965733cf2116348b7d1e02359d2621d8d4b928d44e409a1810b7f9a4c94970431133166fc039368093ce2aa9e6c39001b654620a6ed96c7b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95eb4252213ed07170cfc6820b39d922 |
| SHA1 | 4c7873d6c4515828fe661bc66b8c855a312fbea2 |
| SHA256 | 0ec6d2ca8548cf8b81fb27534f107eb740fa3486ed553ae8baae9175a9751d5f |
| SHA512 | 8925d278fcac8e2572c36bb63df4533109c15338abd938a6482df78f35c5610327b2d6b7180522a4dedf61074156606ba872ef3ee364f5698c7470dbec927edf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab8a4ebbd57506ff9acf80b8b410b626 |
| SHA1 | c24ba922a70a116a24e64374d4c5ec978d25268c |
| SHA256 | 60db033ec0f10af16208ef54310991ffdc82a0bcb6b7230006295271ecf10f02 |
| SHA512 | c390c81b786400d9a0fda096a1b87fe5027865154ed0103520236a864f5ba0f3ea643950108cdbaec611df3b35247a4fd057b1521f8070ad6352f08c2bda7b7a |
C:\Users\Admin\AppData\Local\Temp\Tar3B27.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3791447c50c492a4288eae8f263db5d7 |
| SHA1 | 3f1074830581d84b48d7a1520a02941e9034a8b5 |
| SHA256 | b6d4b404e436787130bc59f9c2b6d44a1e023dbb7fbefd17796ef04ad2a7ea32 |
| SHA512 | 32d14a717ea76d020ceb0618101f1b8ad435f169f282e96c175788d1981ad41dd853f2ad5481c778293a63b31bed4ca428a0ef0372eefeecce6f1b64382128ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 641b5cfdae56fb45966e38d94a6c5135 |
| SHA1 | ecf920e12302b983795c10f88138710827b556a6 |
| SHA256 | ab9d7dcddef56da64e8cc90546780c81c42f900f36fe1b58f62bb487ee945481 |
| SHA512 | 2459e34fe6e339111b4941616d4d2191607af916ab9e8ab6826f127be3c101b08083df24ba2c8cab8430eff5667764822a9eb56e8aef9c9fb805a90f776f8e24 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8600f4ea26e1fbed46b094648dd947f6 |
| SHA1 | a685da266a76a1b8c1e84e28dc37b1aac1829118 |
| SHA256 | fc5af5fe92c96f078364c2d7014f8dfdd5941a1846eec5cc498d6ec47292e41b |
| SHA512 | b015c578bdfaf772aba2c91f7d938f0ba8171ab146f57b42cb37c509c28a56c4da9e8b2a522f8d1d57ac1807adc33326cc71ceb89bc72fa6b2905fb50649b00b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54752ddb18d33957f3b2953be98187f1 |
| SHA1 | ffa0c057d327e9cd39e306b2cd24fbd0dea25d6d |
| SHA256 | 8d0083f32258710daeb42a6ece2486161e5bc3ab5dc1be3dee74ecc67518369f |
| SHA512 | 8673309bb7cf212bd7e8f7bfa88f41fb3572ed50cad29c80afc87ad450a27aab8f9fa37cba829e8afa217ba26d0e0871e337ddfeead515131277cd13d1512770 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6234092a639872b1b7b5638382b589dc |
| SHA1 | db47b59debbd28e8933e1666349fca767bc8d592 |
| SHA256 | a2eac292dd63473f29d001e5665a3ae7506d85253e1b16215283ffc70b082e5f |
| SHA512 | 9481b2343c10d7a275f0d2e8955c5d46d0250e0f0bea082445d940562e5e192828ff7dd1c9e55a3837544150deffbfd4e1d0175e867a3a4b85b5396718360933 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d72835bc556a14ebbd62fd14ea21974 |
| SHA1 | de6aa4e1fd0185022cc2c17369bf803cb3a608a5 |
| SHA256 | ac233b2f4d48960085575c673c235714fe79ca313ea6492e514d94eebcfdc151 |
| SHA512 | db5c7704142591c9ec0c206f19f854422983325825579f47d8beebff1b6c7aca341c1a696bcf7d66906ec712c50307b8cb770a94247e629a30abdcef13eeea09 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d66f4b892b6ea27813590930178c1fb |
| SHA1 | 4105af7f2601635586d40c6b29e3cdb132bf51e4 |
| SHA256 | a725bdcbf07f6c43ae942886fc4f0f8f72992e6bb9b78f865eeed4fd5964d228 |
| SHA512 | 647b7f6c5af0b1c8cf8827464d53ce535b7e127cbc5b438825f13ba58cb599fb92d7a815004268e6837e8bb3f496e71e2c2698b72994db1533d3d7440c14db91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c8450c82085022d549a5ef725e81427 |
| SHA1 | 799974c4fb0d163ddf88520b2c1142a6d289dde5 |
| SHA256 | 8b3048a4ed21ec57db31f050ff12453f47a047c016626d1f25095c144c016b03 |
| SHA512 | 8ad09f9f772e083a0bdc1407a4062720383c949997f77d0ac44359b4d2fb15e71dfaf8a8d9b76203d2ca3e5ff2094c192a7898347627325b258a8df29b872d42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf005d3ba92a7a5f0ae006bd1f6de26c |
| SHA1 | 6a87491f97f111a219819f42b68da73ac8f3ef99 |
| SHA256 | 931888dba78dac5e1d370552e57bfeeb9571e947e0a38dc2ab7c21a45b4569f0 |
| SHA512 | 7903ea5f27deb2fc5306acf63228bcd518c1d7426378db4a36cd9fa308ca37d3deb9875cfa0534fed97305e8ac48e7925f3025d619a8edc729d08f0e3a75b26c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac3f1c91a4c1478d6072eda06defe5b4 |
| SHA1 | 07514b28115a94cd7f89a59a89d41f3455b6c056 |
| SHA256 | f3ccbdfdc0803fe160c083cf210f23c2897bf197b2193e852bfb92d7c15c9a0c |
| SHA512 | d88052adb0d60ddcf43f0fb6f4316be198774f68758d64f13770b4cb3b92e1af62b33bd5227f83971f6c97e383c681570df1a2d497a00517c5715bb619b6a8d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59c5aeae0c4ca2dc8fc33c28e2431e6f |
| SHA1 | a9ddf61a4a9e4a3c770744234f7816d0200a38ec |
| SHA256 | e063a7dc1fded8570b713037c17a7738f0e99d826373055f0e220f8966f41d3f |
| SHA512 | 717c7861b47fdfdb7477cb53283ed306cdfa79db5b4d3751041b57769db2a973e9f4d858e882d37249387d4810065d63b89d646d5b8cc16f84cf5f5de28fd86a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f25b27726fda02581c9e5516b9f135a1 |
| SHA1 | 7aef67013a28f5051a8bff9e7d9c53b15f61688c |
| SHA256 | 58930c1ef8c7235b0ac57c41c9934f2b9bfedff4e4985cbc64709bf7d07b9465 |
| SHA512 | afd2ee6cca2031dde9e279af56f20b2bcd7f10a69677d449e0412e2ac0375bfbd2d0bfc38aab465445a137df8256e67bf0a6282e57acd433648ad14f4ffa9fd6 |