Analysis Overview
SHA256
39a9f8c96ce9f7ecf2f2424ce0aea2db15df3f6b75bb543218dab48a8d1fceba
Threat Level: Known bad
The file b7938b29a73c948e483937740e10f679_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Troldesh family
Troldesh, Shade, Encoder.858
Deletes shadow copies
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
UPX packed file
Suspicious use of SetThreadContext
Drops file in Program Files directory
Browser Information Discovery
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Command and Scripting Interpreter: JavaScript
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Uses Volume Shadow Copy service COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-02 07:49
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Troldesh family
Troldesh, Shade, Encoder.858
Deletes shadow copies
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2128 set thread context of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\gadget.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\gadget.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 432
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49214 | N/A | tcp |
| US | 208.83.223.34:80 | N/A | tcp |
| US | 154.35.32.5:443 | N/A | tcp |
| DE | 131.188.40.189:443 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsyD2AC.tmp\System.dll
| MD5 | 3e6bf00b3ac976122f982ae2aadb1c51 |
| SHA1 | caab188f7fdc84d3fdcb2922edeeb5ed576bd31d |
| SHA256 | 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe |
| SHA512 | 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
144s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\1916524053.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1bea46f8,0x7fff1bea4708,0x7fff1bea4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10321786882345729163,12179487576672514559,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3324 /prefetch:2
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
145s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\3072838935.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a2d746f8,0x7ff9a2d74708,0x7ff9a2d74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8524023050140844043,10882942713030574882,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 /prefetch:2
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240708-en
Max time kernel
138s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103246178f44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{025C7EE1-B082-11EF-9D58-7EBFE1D0DDB4} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009f33a434f4a7f2408d91f42a9e5b4e8600000000020000000000106600000001000020000000f905ee40cda8ded91e29222d514bbd0068f1c6437db96b32498659c71a21b05b000000000e800000000200002000000048e60d39a5ebc6ea04e62b6cf628b8c7105c58dff10dcdba6e37e13e56ce3b9520000000bcaec24c7bbaf60ba60bae4c2ba9d1d771c607fe2805f8cdc3e3b6f115afa33f400000002b05d126cd5c26672f240cc8ee8fd48d4bc5490c12357b72070befd1495d497eac24e082556a7525bc41d204acee097a8a9d1cccb54e684812ec56d6d69a9f4f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287658" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1728 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1728 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1728 wrote to memory of 2152 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\910218026.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SuggestBox.js
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:50
Platform
win7-20240903-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2388 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2388 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2388 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2388 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 4a269bf092c7ac2df634e87f5b3351af |
| SHA1 | 554216db1084068ae2c93a19ca15359031ee169f |
| SHA256 | 4005800e476d055bc524bf46624a854f24de0e7912bfe7f5b9bbec841b1516da |
| SHA512 | 7efcb35cfaeaddda7245fc43baf3752fc9d44e73bdd9d4a5356efda72de219b72f07ca2fd75312198a8310b5e773ba2a1f916e967d878a34ca3ab12f8ed96d6d |
memory/2840-14-0x0000000002E10000-0x0000000002E11000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:50
Platform
win10v2004-20241007-en
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3096 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3096 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3096 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a6855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 4a269bf092c7ac2df634e87f5b3351af |
| SHA1 | 554216db1084068ae2c93a19ca15359031ee169f |
| SHA256 | 4005800e476d055bc524bf46624a854f24de0e7912bfe7f5b9bbec841b1516da |
| SHA512 | 7efcb35cfaeaddda7245fc43baf3752fc9d44e73bdd9d4a5356efda72de219b72f07ca2fd75312198a8310b5e773ba2a1f916e967d878a34ca3ab12f8ed96d6d |
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\locales308946821.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa333046f8,0x7ffa33304708,0x7ffa33304718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1533824382623675647,13036384136265733824,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 /prefetch:2
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
136s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045ecd82e4bb2de49af048dff261f64d6000000000200000000001066000000010000200000006ec533bafe393500605d2c66be69d161bbb9aed26dc3567a2d28a04ef5a7bbc7000000000e8000000002000020000000beb387000292a94015f00a36d0df35faea1233caa9572a030a329c431d4b7b2b2000000012bc21b4ff45e1587516f140b008096351287e3b4eb50bea93ea454f502cca3b40000000f1d25930530960559578ab419480d496fafc38618f6ada101bfc55f0dee5c3627eba49e6f4acfd171110558144a97c9df1c618a11197a924a5719114ce32abe5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287661" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06eb5178f44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{042DB4A1-B082-11EF-80B1-FE6EB537C9A6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2412 wrote to memory of 2844 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2412 wrote to memory of 2844 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2412 wrote to memory of 2844 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2412 wrote to memory of 2844 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3072838935.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SuggestBox.js
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\ads-the-internet-the-icon-revealed.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd6d46f8,0x7ffedd6d4708,0x7ffedd6d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,4306835918764255229,14969343836277696760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4708 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_1800_AKYXPKUAZBTOUDEX
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7938b29a73c948e483937740e10f679_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nspC565.tmp\System.dll
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 224
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
136s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [data omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a7bf47032d1414898a22237a3b314b000000000020000000000106600000001000020000000f44476a45b4ec2ee96442f43c46bdb4a3b4ff93097c48bf5214174b68216e67d000000000e8000000002000020000000c66ad74492cc0fbe9cebce7df5be626e655d2163453e742f7be5ff14958a65d7200000000f77e6fcf4a4ebd6632e9d5e312b83c4ef9f96f2ac39ec4c233b2fcaf39916d640000000eb8a6b53fde2ff50b6b7c15ef0d608e4537c8cda5d1e994d501ab6aaa128753236b7ff68fd8e61db0be1d543b44935ab63329412d21098ea4b83c9080569fb4b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0263D1E1-B082-11EF-9917-D686196AC2C0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287658" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dd0b168f44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 2728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2400 wrote to memory of 2728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2400 wrote to memory of 2728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2400 wrote to memory of 2728 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\152605369.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\152605369.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd426a46f8,0x7ffd426a4708,0x7ffd426a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,8864421699769876667,5519684791987501170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,8864421699769876667,5519684791987501170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,8864421699769876667,5519684791987501170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8864421699769876667,5519684791987501170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8864421699769876667,5519684791987501170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,8864421699769876667,5519684791987501170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5056 /prefetch:2
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c02af08e44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bba26d5bca7583449e20ba45539dac5a0000000002000000000010660000000100002000000000044b25501b51a63cfa733cfe9a7f63e80e5aa8395552dfa8e66cb7251dcdc1000000000e8000000002000020000000b5abbd164d7c08543c6fdcd709c57756411721cb40aaa3747dff697fe6902ce7200000006d77cd4ac816658b60d2ef2f5e72a02a43f1c610419bde379c393d454a6dc54b40000000f8480d86af85b6254deb7aa2566292e9352f2e2ac30b0270e6c2d4a94a52c223e8a9aa44cf22551f8f54f5e003a2f698f6b487c6d4f525497121c20bb5f5f619 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287658" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{026018C1-B082-11EF-8778-C60424AAF5E1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2700 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2700 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2700 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2700 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1916524053.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\32093631739.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc2d446f8,0x7ffcc2d44708,0x7ffcc2d44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11001390343070722919,17629596133727316923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287657" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{025F8C21-B082-11EF-BDF2-7E918DD97D05} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "197" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d029d1d98e44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "282" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000058c3f231875fcf45b25dc7da3f984c150000000002000000000010660000000100002000000028e1096147a41551b8e8596509bb5603c04a6e1eb46fa9d483eceb57e541011d000000000e80000000020000200000006056f20cef42c33ac3a53272b73ea0eeeb5270b7b5829224f12def15bcb2a24a90000000ab84397a8fdc2322e232a392992c3979fb82cd17cbb42c9e84be27ffcc3219f542ee966f36251f14f9452f12515c0196269cb7d82c6dacbc33393527e6d2f020ecf60a414061fa1e79e06c019f312abe071ec84a1726c0b2a9d8cb4a5a3aea9870b53823398e8b960868c96ed01dd8f39a9792663eae9fcb8978793bde05e3880b06c8f286b4ec49b75590f9e3cabe8340000000e42f0c45c5b028b7bc015051783d041c7a0b250533ddb92361fce263c8e6160186d6ccd650c4065557f797c554f92c7a8137773f9bd4268c81932795a17174ec | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3830" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "197" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "3830" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "3830" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000058c3f231875fcf45b25dc7da3f984c15000000000200000000001066000000010000200000007f484e3aab69c3bc3ed5c3f0ebe5d922fdb52b9094d7da88a2abf45b67d419b1000000000e8000000002000020000000c508594c5f17831fecb8760ebe24c438fd59d77ce1f1522662af6af21c5ae56c20000000801e69a13bb04bf5aee91114620c9ed4faa11c1070575f345a0456d4903600af400000002f7f0019eb3ff8be9c283ddcbfd2f33a098b1fd96e6bf0ff17a966e1fd5e0d20eb5d018bcd5734a89340657cdbc8255a9527d01089a0fe7c9a9dbc4e0ef79ab8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2612 wrote to memory of 1532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2612 wrote to memory of 1532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2612 wrote to memory of 1532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2612 wrote to memory of 1532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ads-the-internet-the-icon-revealed.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20240903-en
Max time kernel
133s
Max time network
132s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010dade9d5086af45a0d79d5abd5e0911000000000200000000001066000000010000200000008db1a85b66cc96dab013d2c64d4cef27274d86e37957b8d67965772875f1131d000000000e80000000020000200000008554b200d9304eb738e202515851eaaeb91690656cff68a35a34e30d35eb4ae2200000009fde2c5f8169c7742e792e741a4507fa06c191eec293acdb4641c87c9bb3d62e40000000b6e8ef9f7f391e30d79b337803b1606b6fae5b8811d030a5386a54a2d39addc4d5d41ed91678f58ae0476ad36c97f91879f82d88c7526862e451a87c02cd667e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08ee2d98e44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287663" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05541401-B082-11EF-BF61-EAF933E40231} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2236 wrote to memory of 2912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2236 wrote to memory of 2912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2236 wrote to memory of 2912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\locales308946821.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabF1E1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF260.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 738ad48b0667fac3340ad0bdc32888b3 |
| SHA1 | f974e918968a66e352bf1ecf40cce6e6e3be2ebd |
| SHA256 | c8b63798b9b3b169d0d22b8a3e0e1f3ef38b0b98f30d16a962d6ca305f66b725 |
| SHA512 | 62d68a39c4ff4b8314249b4048e03e9953ee678c6f69f9e50d3842994a272f0225fabe30788c3cc587ac633374a0edb49c9f3587470d575ea4c2b1f16c640f46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 50b49eb0955d87b4f46613f4a2e1ef38 |
| SHA1 | bb1db25ee6fd35285c1f924c11305e9f4be2f79f |
| SHA256 | 3476080fefd00177feead0d3b4037c25223b1045be8634b018e20d0bf839df72 |
| SHA512 | 1be179108184fb6be2171d401e78f42dc47eedab28a0acb974d5aa6c068d8688a960ea59f06dfe08c3f8c8c8177fb21048fd97b49f30500e1f33808863712a1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca6ad2c8e42d6b36095fa1535fb5baa9 |
| SHA1 | 94b0a11ad6638a58f6ba8a6d6bb2dd1ded26db18 |
| SHA256 | 7e2d41eef8d64a54bd65eed83be6b26668ba3ad37793edc87b6436aff7e008f1 |
| SHA512 | 96c4ac9bc707160a49276c9ddf57695dda09be0630385fe46970dac8bb4ed4b56de5849243b5a04242d21904643659d36cf9c6a74fbcd4bdf698a54f85fa4b28 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c581872551f78c18103269a7a53d22a8 |
| SHA1 | 190b3f9a2fa16a5684b45e6f1d87a607b38c1870 |
| SHA256 | 979147cfb07907eadcab0d29c3d81da7d3663a249d15267b05cfa9289c0869c2 |
| SHA512 | 11c6369f00a60f70b6399b2d659c74a39171bdcd4fa1d25b2833e9ff89357ba125059ec413f4c46c7af0dc0002ef3c1efb7facf3c256e645d6470e2df2eda611 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9139f36667f40d86f5e9a2b81c396678 |
| SHA1 | 6788b4cbef2d80d92ef0bf87865df14eaf6505a2 |
| SHA256 | 484257f5cf15351807cb5916dd905fb155445c4971222047baf644e1c895a592 |
| SHA512 | fc6156d4a0d786c5e948bfebce676543ee89dbf3b9f4080c2a9e8fd5a6fd2ea39434a082f7cd8d89c5e5994632eb5f8f735751530fed5c1b428c42006d962e4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 23a27b29fe6f71a80c454b3a48aaba15 |
| SHA1 | 8024b7f6b01a46faeae1dec4af472159a64add4d |
| SHA256 | 7cd8cafe40d6da5070c73348652434ee5f8d266494cf8a71ef6a96b77f130bab |
| SHA512 | 619f2130c81d89f4d424a6c85d530379375a3bb02a6df54f5f3f10ea15a9315353fe515fd2122250bcd50aa883f3b16ab428e7eaa1312e18bfec15ce2597169c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d0c8a910dab9d0f192489ea737d6f7e |
| SHA1 | d49c79371381281a6a9d42a936d474bbad4e77ef |
| SHA256 | b24ca84da3ac9ec1ca4c23b5caac0d6a041ac7a171f743dbe063934ed777134e |
| SHA512 | 834776ad8fb60bd7666a302cb75cda51a4e593b4fe1eca3f8a75b69b1759260d90483811feb24b2510e05d431b61497b4f18e434273a496390a0d95fd42f82a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b1ac7202d10b1fa9f5524f110aeaddc |
| SHA1 | 94fbf163efbd22256857a787b9630ca98b6869c8 |
| SHA256 | 2aea9aa1e74a8a0b1c82dc39d69cf9a935b7a7060006cc4498f52dfdd17d26e6 |
| SHA512 | fec025c1f88c6c520cd7f2d0b1c2074fc71fc9aeb22121b183769d44baed885daf8d8ece2f0fc7027abcafda58a7d6491fdd2159f14622afbdec75702e98d43a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1eb8ef180ddcf620cec0bc915dfaf115 |
| SHA1 | 474fef4b6bf45352d40a1bc3c3f21d130629088a |
| SHA256 | b7f592082334da98fe33c53ec2326290364d0ac9f4513db67f6377b5975c9ad3 |
| SHA512 | 8beec1977d0896ba5187839c44f20192aa7b50552c92cc275a03960c6fcbac80994866d31054fde7aa036439ca62e13d4f75ac2122d23176b6310b2f986ab337 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80f25c04955b63c4be5585715bb6cdaa |
| SHA1 | b84b9d42fbc3af0b0693a35e2c314488fcdf5201 |
| SHA256 | 759fbcabc22f8b922692279f9b86c58dffc19b31a89219adcb49b66b8b78a8c1 |
| SHA512 | 63087f0eda40f0fc671759eec26498984bab8a9905f7997f17c2c16caa56df4b3e236ab5733639bc45341e88de2979f03c300536dff7effcb3451ca493e8f698 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 562a03ef29984b6d802244711b785550 |
| SHA1 | d52e9ecaa5311e44dbaf4a204e5307a3711c63cf |
| SHA256 | 52328cb0e9bb06cc6b7c5fb909f0c0bb0b2caabea46eb6709028322e02f4307f |
| SHA512 | 231eb3e06bb16d996b293dce6d6ce0185823e1f0fa3a28edcbfc66ad146bf5bb9e39f40a5b7e1568aa569cd95cd871f662049bd54697aa64def39a81b6d8a395 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ece8e763584296614330dfdfebb9aaa2 |
| SHA1 | 3d5eceaecd3c15a4eadb3bc4eabbcaa71724a538 |
| SHA256 | a3dd0f94f421bcf9ed5373670368a308bbfbaa9d9cb498595232b780b5d5993b |
| SHA512 | 994603d8b3086133136a450062cd5a97d79c4b6bd32ae11373e2770c65b76975ba061fc90b33accc10d07deb6e385754940f008711495568bcc86b7bcbf89d4a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af3836b2968a9562e7afae1fb7e20355 |
| SHA1 | 62544f3536a6983185c66c3feb0d260669400119 |
| SHA256 | 057e27e9e36582f15faeacd6e21e13b35b330762114e3f84761a6f4a8aa28cd4 |
| SHA512 | b0ee17229c85326eb52717d8a689d850af02c976aff71872647f26bd37215340ccaf9f73b4a010a6407da33c97c995fa238be15492c8c02ad13543389b1d2c28 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 724466a3e0afb178381a83bfbcecd6cb |
| SHA1 | 436472715e9619bdd57c7535da25972562c30932 |
| SHA256 | 3e23a24d1e987c12e014efb52a472c55d19d0354a6e73450b19d70c56b1accaf |
| SHA512 | 913996268813d36f7494ae576a5eb3bd84b915a952621234d10ffe073c76d7dcc3be2cb198c912dfdf98a355a25828953bbed482403e5b8290614856895be52a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 446804bf8c242ca8384ac7edab2dedcb |
| SHA1 | 86fd87dcd531156d824f47a8f2660f8b8c2005a7 |
| SHA256 | e8e2d90248aea1795ca835869567cb11311c98024b8c5a65975c1cf137f9d4a1 |
| SHA512 | 7f9128f0e27ba1f42c4f6fc7deeb024e248e149b12220afb6eb355b591bf67831531eba83eb9a8693c6d722ffdcd9ca577469262d2ccd61a03b468d50d533612 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bdab8ac540ac778db484e63495c69a82 |
| SHA1 | 2a46d4f4f7217cfae8f032253a9230ab1777b74c |
| SHA256 | a064e45f7c1df1202610424c46ab76519cee5e397947546d6c06ddbfae688eca |
| SHA512 | c5958b0997270b69bfcb07c669b4f4f762c77c6a84cd7348e6dc7ad2a5909fafee418166a4541109d027506dd7642e6a2c0767a6f97c69683e6bcf656f4cf7d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0512313bd5812b4a9aaaea412ef2d913 |
| SHA1 | af93f78f1aa0434cfe56b358620915a9e1068287 |
| SHA256 | cad97eede79292223d1a93b8225a85d6c9138dc5b1d5614d3d827d1c10dde55e |
| SHA512 | cf821e6a6a2f564c09f232e20193596e904f7e3831392b71bdf516f418dcfe5bc7ba3fac18ee007598a400d5dc1bc2c31fdaccd19f63157e8673aeb8d2a08cec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 501765d27a6d715d48297657069cf1e1 |
| SHA1 | d3835374052c6ab2a1d26f2d259f23c9bca0dc01 |
| SHA256 | 0c1807ea6c7964c630db143a836006f99138e4f78c45695e2d6baa66d8426339 |
| SHA512 | 4cb8164b847f1cf2dc0f2f5f45f01dd468844b91f798712377957ac83f9aa38dcd76151d4104716a2498a290900dd155c23b8dede701505d158a9ef9b563294f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d03376c4dd9a1dd13f84eb33258bdfac |
| SHA1 | 3bb5074ce62df0a950aa757eee0c9e7b32a2b45c |
| SHA256 | 50dddd3d055c344525700276158113459334260cc49dfbf163626244295203ac |
| SHA512 | 2671f5c6324b9f7e79c73272a8992a2fc634277b03891254892c37037098d04fea7b1933128c88d617e7a30a34a08becfd1f2f39f732df9958fc90f6e449fa4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 245f0a612e58971f762145fa6480889c |
| SHA1 | 632f0d39999f848b03225f27520e66fdbf48824c |
| SHA256 | d8d6d556386579c508ef52cb8f9b5c37e9d63b5bcea8f970821cac179e9225af |
| SHA512 | 2c59a722287c3d0904b6870db6be1cb00150f71f4d6f863accfce3f7dccb52b5db99b14ec9e61720493aab51b864335a5406c7f931073235241f87774888b00d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c2610369b4e07b095a4b3d110925db8 |
| SHA1 | a01efb94b417fc21fc7a286411b542f24a49b3a6 |
| SHA256 | f361083bf6043f4019f6b9f535feb60ed9cfeed70c8f26369304799bc3865a87 |
| SHA512 | 8921e82bf9d20c8a3c4f7171fff99ac5b5ba25366cef2fbbd0292eea293bf1d7002ede63c7b98fe6ba4c093cc2e5deba1d211e6a3d0431979294a4c1aa24b4b8 |
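The Files table for behavioral21 lists the same CryptnetUrlCache\MetaData path over twenty times, each time with a different hash, next to a Cab*.tmp/Tar*.tmp pair in Temp. That is the footprint of Internet Explorer and CryptoAPI rewriting their certificate and CRL caches while the sandbox opens the dropped HTML file, not a payload being written, and nothing else was dropped in this detonation. The Python below is an added triage helper written for this page, not part of the sandbox report or its tooling: it parses a Files table in the flattened layout used here, counts how often each path was rewritten and how many distinct SHA256 values it carried, and pushes every path that is not on a small allow-list into a review queue. The allow-list patterns and the `example_dropped.exe` entry in the sample are assumptions of this example; the other sample rows are copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample in the page's own layout: a path line followed by its hash
# rows. The first three entries are copied from the Files table above; the last
# one is a hypothetical dropped binary added so the classifier has something to
# escalate (its hashes are placeholders, not real values).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\CabF1E1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 738ad48b0667fac3340ad0bdc32888b3 |
| SHA256 | c8b63798b9b3b169d0d22b8a3e0e1f3ef38b0b98f30d16a962d6ca305f66b725 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 50b49eb0955d87b4f46613f4a2e1ef38 |
| SHA256 | 3476080fefd00177feead0d3b4037c25223b1045be8634b018e20d0bf839df72 |
C:\Users\Admin\AppData\Local\Temp\example_dropped.exe
| MD5 | 00000000000000000000000000000000 |
| SHA256 | 0000000000000000000000000000000000000000000000000000000000000000 |
"""

# Heuristic allow-list (an assumption of this example, not something the report
# states): paths that CryptoAPI rewrites on every IE start while it fetches
# certificate chains, CRLs and root-store updates.
NOISE_RULES = [
    (re.compile(r"\\CryptnetUrlCache\\(MetaData|Content)\\", re.I),
     "CryptoAPI URL cache (certificate/CRL retrieval)"),
    (re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I),
     "temporary cabinet extracted during a CryptoAPI download"),
]

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files(text):
    """Return [(path, {alg: hexdigest}), ...] for each entry in a flattened Files table."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = (line, {})
            entries.append(current)
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                current[1][m.group(1).upper()] = m.group(2).lower()
    return entries


def classify(path):
    """'noise' with the matching rule's label, or 'review' if nothing allow-lists it."""
    for rule, label in NOISE_RULES:
        if rule.search(path):
            return "noise", label
    return "review", "not on the allow-list"


def triage_files(text):
    """Group entries by path; count rewrites and distinct SHA256 values per path."""
    by_path = defaultdict(lambda: {"writes": 0, "sha256": set()})
    for path, hashes in parse_files(text):
        rec = by_path[path]
        rec["writes"] += 1
        if "SHA256" in hashes:
            rec["sha256"].add(hashes["SHA256"])
    out = {}
    for path, rec in by_path.items():
        verdict, reason = classify(path)
        out[path] = {"writes": rec["writes"], "distinct_sha256": len(rec["sha256"]),
                     "verdict": verdict, "reason": reason}
    return out


def review_queue(text):
    """Paths that survive the allow-list, i.e. what an analyst should actually pull."""
    return sorted(p for p, r in triage_files(text).items() if r["verdict"] == "review")


if __name__ == "__main__":
    for path, rec in triage_files(SAMPLE).items():
        print(f"{rec['verdict']:6} x{rec['writes']} ({rec['distinct_sha256']} distinct SHA256) "
              f"{path}  # {rec['reason']}")
```

Run against the full behavioral21 table the queue comes back empty, which is the point: a path rewritten twenty times with twenty different hashes looks alarming in a flat list but is one cache file being refreshed. Keep the allow-list short and anchored on directory names rather than hashes, since the cache contents change with every CRL fetch.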
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3540 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3540 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3540 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
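Two of the detonations above only make sense when the Processes list is read together with the WriteProcessMemory rows. In behavioral21 the iexplore.exe frame (PID 2236) writes into the IEXPLORE.EXE tab (PID 2912), and the tab's own command line carries SCODEF:2236, the frame's PID; that is how Internet Explorer launches tab processes, so this "Suspicious use of WriteProcessMemory" hit is browser plumbing, not injection. In behavioral4 the root process is rundll32.exe calling export ordinal #1 of System.dll from $PLUGINSDIR, the temporary directory an NSIS installer unpacks its plugins into; the system32 rundll32 (PID 3540) hands off to its SysWOW64 copy (PID 2448), which is what the 64-bit rundll32 does when handed a 32-bit DLL, that copy crashes, and both WerFault lines name it with -p 2448. This detonation therefore produced no behaviour of its own beyond the crash and the reverse-DNS noise in the Network table. The script below is an added cross-check written for this page, not something the sandbox produces: it correlates command-line markers (SCODEF:, WerFault's -p, rundll32's ,#ordinal) with the PID pairs in the WriteProcessMemory rows. The input lists are constructed from the rows above; the function and field names are this example's own.

```python
import re

# Constructed input in the shape of the tables above: (image, command line) pairs
# from the Processes sections of behavioral21 and behavioral4, and the
# (description, process, target) rows of their WriteProcessMemory signatures.
PROCESSES = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\locales308946821.html'),
    (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2'),
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2448 -ip 2448"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 612"),
]
WPM_ROWS = [
    ("PID 2236 wrote to memory of 2912",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    ("PID 3540 wrote to memory of 2448",
     r"C:\Windows\system32\rundll32.exe",
     r"C:\Windows\SysWOW64\rundll32.exe"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")        # IE tab: SCODEF:<frame PID>
WERFAULT_P_RE = re.compile(r"(?:^|\s)-p (\d+)")  # WerFault: -p <crashed PID>
ORDINAL_RE = re.compile(r"rundll32\.exe\s+(\S+),#(\d+)", re.I)  # unquoted DLL paths only


def parse_wpm(rows):
    """child PID -> (parent PID, parent image, child image); repeated rows collapse."""
    out = {}
    for desc, parent_img, child_img in rows:
        m = WPM_RE.search(desc)
        if m:
            out[int(m.group(2))] = (int(m.group(1)), parent_img, child_img)
    return out


def analyze(processes, wpm_rows):
    """Cross-reference command-line markers against the WriteProcessMemory PID pairs."""
    by_child = parse_wpm(wpm_rows)
    parents = {p for p, _, _ in by_child.values()}
    report = {"ie_frame_tab": [], "crashed": {}, "ordinal_loads": []}
    for image, cmdline in processes:
        m = SCODEF_RE.search(cmdline)
        if m:
            # A tab whose SCODEF equals a parent PID in the WPM rows is the normal
            # frame->tab launch; a SCODEF with no matching parent would need a look.
            frame = int(m.group(1))
            report["ie_frame_tab"].append((frame, frame in parents))
        m = WERFAULT_P_RE.search(cmdline)
        if m and image.lower().endswith("werfault.exe"):
            # Resolve the crashed PID to an image via the WPM rows (None if unknown).
            pid = int(m.group(1))
            info = by_child.get(pid)
            report["crashed"][pid] = info[2] if info else None
        m = ORDINAL_RE.search(cmdline)
        if m:
            dll, ordinal = m.group(1), int(m.group(2))
            report["ordinal_loads"].append({
                "image": image, "dll": dll, "ordinal": ordinal,
                "from_temp": "\\temp\\" in dll.lower(),
                "nsis_plugin_dir": "$pluginsdir" in dll.lower(),
            })
    return report


if __name__ == "__main__":
    r = analyze(PROCESSES, WPM_ROWS)
    for frame, ok in r["ie_frame_tab"]:
        print(f"IE tab launched by frame PID {frame}: "
              f"{'matches a WPM parent' if ok else 'no matching WPM parent'}")
    for pid, image in r["crashed"].items():
        print(f"WerFault handled a crash of PID {pid} ({image})")
    for o in r["ordinal_loads"]:
        print(f"{o['image']} loaded {o['dll']} export #{o['ordinal']} "
              f"(under Temp: {o['from_temp']}, NSIS $PLUGINSDIR: {o['nsis_plugin_dir']})")
```

The same check applies unchanged to behavioral11, where the frame is PID 2716 and the tab carries SCODEF:2716. The value of keying on the WPM rows rather than the Processes list is that the sandbox prints no PIDs next to command lines; the "wrote to memory of" descriptions are the only place the report ties a PID to an image, so they double as the process tree.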
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win7-20241010-en
Max time kernel
134s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{025BD301-B082-11EF-ACA8-72B5DC1A84E6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000fee25150e6dce1c0991e3b92d868f3d89179951a6e4eeef7ef155d36e97ebf20000000000e80000000020000200000001ab117122c4e1d43362941a7a1c265b78b5e362384f326772f94042eff9c5f572000000058c3c8a12683d1786af87819664261a39e2fcdbd2bb568f07b999431c0d4b96a40000000b3fa3e7bfa2fb716e28a22a9e281123bcc534a6d135f98ae074086ae564e2145215f61a8ac9d97e5ab28ebdd5207368219d4c29e9cce67fcf5082b0fd41f0e50 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08fd2d68e44db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439287658" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2716 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2716 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2716 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\32093631739.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-02 07:49
Reported
2024-12-02 07:52
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\910218026.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf3146f8,0x7ffdcf314708,0x7ffdcf314718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11112140951660262290,230387237731966024,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11112140951660262290,230387237731966024,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11112140951660262290,230387237731966024,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11112140951660262290,230387237731966024,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11112140951660262290,230387237731966024,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11112140951660262290,230387237731966024,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4932 /prefetch:2
Network
Files