Malware Analysis Report

2025-08-05 23:22

Sample ID 250120-n837xaxrhx
Target JaffaCakes118_e69c5c6b034d010bb57126bf82813198
SHA256 72f754ea837eebc99d547481ad5d74d4722269363d04bef454a35c2d3b699c4e
Tags
discovery adware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral7, behavioral8, behavioral9, behavioral12, behavioral11, behavioral15, behavioral3, behavioral14, behavioral16, behavioral1, behavioral4, behavioral5, behavioral6, behavioral10, behavioral13 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

72f754ea837eebc99d547481ad5d74d4722269363d04bef454a35c2d3b699c4e

Threat Level: Shows suspicious behavior

The file JaffaCakes118_e69c5c6b034d010bb57126bf82813198 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery adware stealer

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-20 12:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 120.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 83.137.101.95.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\System.dll

MD5 b9f430f71c7144d8ff4ab94be2785aa6
SHA1 c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
SHA256 b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
SHA512 c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\installhelper.dll

MD5 91b0372096274dbd47395aa8b28ffedb
SHA1 05d79ba090439c2898d8ad480355c08091acee55
SHA256 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28
SHA512 c40b9eace25b6c871eee9b4186181268de7463c4fe1c4c19372413989489fa891ebd528175d15df031dc768613a81c619acce0981a4c29d475e795d18b1aff08

memory/3016-17-0x0000000002C30000-0x0000000002C53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula.ini

MD5 6a82b6a0fe6138096e549bef053ca02b
SHA1 af3bba863d0e78d85a3fc9da7ea3da1f1ff5c2c3
SHA256 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c
SHA512 c425cf0a340b44819ffe65a3da58f790223956d0da13a1176e6fa9f3a4a61da057b1cf2515b3cf7be8105c4f9279bec81d7589ee41373dc2d3d142289397294f

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\InstallOptions.dll

MD5 6e663f1a0de94bc05d64d020da5d6f36
SHA1 c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
SHA256 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
SHA512 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula.ini

MD5 d2a7861bcdaeb7f3eb07e4d40aca9950
SHA1 2b07cf0b5add8b0a33c329136490fe6a73b435af
SHA256 a337c01fa4ce487a075cb7e8fe1106a914a545885ff50234c82037683abe3663
SHA512 a47f61bce3c8604d2dc93f6e3d5599e0f1d710c0552f0bfa936a2896e886bbbd62f360d60c7dee25966f0616ef5d2d3da93b7b585eefbc83aa8697e00a94c468

memory/3016-163-0x0000000002E50000-0x0000000002E51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula_en.html

MD5 f8aee788c2a09699cd4d607e1db670c8
SHA1 6457b766f043d901a6dd204d00626c4bea02d503
SHA256 503477569d8a48c47c4febbfd4ae6d3cb036856432c8212dcb0226580e7034c9
SHA512 424ef5a4f2653b27b3ca921c35e5e36f28c41ddfe9bcd6b5aba7968d87129826770777fbbfcdc78fce8512c1dce819be0e355282d4a729580591ff296a751162

memory/3016-183-0x0000000002E50000-0x0000000002E51000-memory.dmp
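The Files listing above is the NSIS installer unpacking its plugin directory (%TEMP%\nss7F54.tmp, the directory the installer script sees as $PLUGINSDIR) before the later re-detonations load those DLLs. System.dll and InstallOptions.dll ship with NSIS itself; installhelper.dll does not, and eula.ini is written twice with different hashes. The following parser, an added example and not part of the sandbox report, turns a listing in this format into records, separates stock NSIS plugins from installer-specific drops, reports paths rewritten with different content, and emits the SHA256 IOC set. The sample text is a trimmed copy of the behavioral2 entries (SHA1/SHA512 rows dropped); the ns?XXXX.tmp directory-name pattern and the stock-plugin list are heuristics, not taken from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the behavioral2 'Files' entries
# (SHA1/SHA512 rows dropped for brevity). Memory-dump lines carry no hashes.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\System.dll

MD5 b9f430f71c7144d8ff4ab94be2785aa6
SHA256 b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\installhelper.dll

MD5 91b0372096274dbd47395aa8b28ffedb
SHA256 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28

memory/3016-17-0x0000000002C30000-0x0000000002C53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula.ini

MD5 6a82b6a0fe6138096e549bef053ca02b
SHA256 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c

C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula.ini

MD5 d2a7861bcdaeb7f3eb07e4d40aca9950
SHA256 a337c01fa4ce487a075cb7e8fe1106a914a545885ff50234c82037683abe3663
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
RECORD_START_RE = re.compile(r"^(?:[A-Za-z]:\\|memory/)")
# NSIS unpacks plugins into %TEMP%\ns?XXXX.tmp, exposed to the script as
# $PLUGINSDIR. The 'ns' + letter + 4 hex digits form is a heuristic from
# observed samples, not a documented guarantee.
NSIS_PLUGINSDIR_RE = re.compile(
    r"[\\/](?:ns[a-z][0-9a-f]{4}\.tmp|\$PLUGINSDIR)[\\/]", re.I)
# Plugins shipped with the NSIS distribution itself (heuristic list). Anything
# else dropped into $PLUGINSDIR was added by the installer's author.
STOCK_NSIS_PLUGINS = {
    "system.dll", "installoptions.dll", "nsexec.dll", "nsdialogs.dll",
    "langdll.dll", "userinfo.dll", "startmenu.dll", "banner.dll", "nsisdl.dll",
}


@dataclass
class DropRecord:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")

    @property
    def basename(self) -> str:
        return re.split(r"[\\/]", self.path)[-1]

    @property
    def in_nsis_plugindir(self) -> bool:
        return bool(NSIS_PLUGINSDIR_RE.search(self.path))

    @property
    def is_stock_nsis_plugin(self) -> bool:
        return self.in_nsis_plugindir and self.basename.lower() in STOCK_NSIS_PLUGINS


def parse_files(text: str) -> list:
    """Turn the report's path / hash lines into DropRecord objects."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and records:
            records[-1].hashes[m.group(1)] = m.group(2).lower()
        elif RECORD_START_RE.match(line):
            records.append(DropRecord(line))
    return records


def rewritten_paths(records) -> dict:
    """Paths written more than once with different content (SHA256 differs)."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r.hashes:
            seen[r.path].add(r.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def ioc_sha256(records) -> list:
    """Distinct SHA256 values of on-disk drops (memory dumps carry no hash)."""
    return sorted({r.hashes["SHA256"] for r in records if "SHA256" in r.hashes})


def triage(records) -> dict:
    """Split drops into stock-NSIS noise, installer-specific files, memory dumps."""
    out = {"stock_nsis": [], "installer_specific": [], "memory_dumps": []}
    for r in records:
        if r.is_memory_dump:
            out["memory_dumps"].append(r.path)
        elif r.is_stock_nsis_plugin:
            out["stock_nsis"].append(r.basename)
        else:
            out["installer_specific"].append(r.basename)
    return out


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    print(triage(recs))
    print(rewritten_paths(recs))
    print(ioc_sha256(recs))
```

Only the installer-specific bucket needs analyst time; the stock plugins are worth hashing for the IOC set (an attacker can swap them) but not reversing.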

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1396 -ip 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 120.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A
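Two things in this run are easy to over-read. The three "PID 2304 wrote to memory of 1396" rows are the 64-bit System32 rundll32.exe setting up the 32-bit SysWOW64 copy it spawns with the identical command line to host a 32-bit DLL; a parent writing into the child it has just created is ordinary process start-up, and the WerFault arguments (-p 1396) then say it is that 32-bit child that crashed. The Network rows are all reverse-DNS (in-addr.arpa) queries to the resolver, and the same 172.210.232.199 and 167.173.78.104 lookups recur in behavioral2 and behavioral12, so they are not traffic chosen by the DLL. The script below, an added example rather than part of the report, encodes those checks: it classifies each memory write by parent/child relation and the WOW64 self-relaunch pattern, pulls the faulting PID from WerFault, and strips PTR chatter from the network table. The process list is constructed from behavioral8; PIDs 2304 and 1396 are in the report, while the WerFault PIDs (5000, 5001) and the parent of 2304 are not and are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report does not show the parent
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


# Constructed from the behavioral8 run. PIDs 2304 and 1396 come from the
# WriteProcessMemory rows and the WerFault -p argument; WerFault's own PIDs
# (5000, 5001) and the parent of 2304 are assumed, not in the report.
PROCS = [
    Proc(2304, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    Proc(1396, 2304, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    Proc(5000, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1396 -ip 1396"),
    Proc(5001, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 612"),
]
WRITES = [MemWrite(2304, 1396)] * 3

# The 13 behavioral8 network rows, copied as constructed input.
NET_ROWS = """
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 120.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
"""


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _under(path: str, directory: str) -> bool:
    return ("\\" + directory + "\\").lower() in path.lower()


def wow64_relaunch(parent: Proc, child: Proc) -> bool:
    """64-bit System32 host re-executing itself from SysWOW64, same command line."""
    return (_basename(parent.image) == _basename(child.image)
            and _under(parent.image, "system32")
            and _under(child.image, "syswow64")
            and parent.cmdline.lower() == child.cmdline.lower())


def classify_writes(procs, writes):
    """Label each write: WOW64 relaunch, parent start-up write, or foreign write."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for w in writes:
        src, dst = by_pid.get(w.src_pid), by_pid.get(w.dst_pid)
        if src is None or dst is None:
            verdict = "unknown-process"
        elif dst.ppid == src.pid and wow64_relaunch(src, dst):
            verdict = "wow64-relaunch"
        elif dst.ppid == src.pid:
            verdict = "parent-to-child-startup"
        else:
            verdict = "cross-process-write"   # writer did not create the target
        out.append((w.src_pid, w.dst_pid, verdict))
    return out


WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashed_pids(procs) -> set:
    """PIDs named by WerFault's -p argument, i.e. the processes that faulted."""
    found = set()
    for p in procs:
        if _basename(p.image) == "werfault.exe":
            m = WERFAULT_PID_RE.search(p.cmdline)
            if m:
                found.add(int(m.group(1)))
    return found


def is_ptr_lookup(domain: str) -> bool:
    return domain.lower().endswith((".in-addr.arpa", ".ip6.arpa"))


def parse_net_rows(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4 and ":" in parts[1]:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), parts)))
    return rows


def external_contacts(rows) -> list:
    """Drop reverse-DNS queries to the resolver; keep every other destination."""
    return [r for r in rows
            if not (r["dest"].endswith(":53") and is_ptr_lookup(r["domain"]))]


def summarize_run(procs, writes, net_text) -> dict:
    rows = parse_net_rows(net_text)
    return {
        "writes": classify_writes(procs, writes),
        "crashed": crashed_pids(procs),
        "external": external_contacts(rows),
        "ptr_lookups": sum(1 for r in rows if is_ptr_lookup(r["domain"])),
    }


if __name__ == "__main__":
    print(summarize_run(PROCS, WRITES, NET_ROWS))
```

For this run the summary is empty of anything to chase: every write is the WOW64 relaunch, PID 1396 (the 32-bit host) is the crash, and no external contact survives the PTR filter. A write whose destination the writer did not create is the case that earns the "cross-process-write" label and a closer look.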

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\eula_en.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1e022dd528bec41a6c6f90e91b11f460000000002000000000010660000000100002000000023607231daebfae8e6387c89503c102baf173ece06157fba52353d0856952eb3000000000e8000000002000020000000d13635ef45bfa2dfea5b5cd8a767b8dac21371f7502c4d479aeb62543b71925b200000000fb97ecbd7f8afe8a222224e6c86f8e39ee4f5eadbe56ca7c7fe6e72053ee91540000000577f73c55aba32fd705833ed303e9947f3f8a6a52d1f7b43679511512d1727fb4a19122a73863e0aed8cd6224d954f8954cbe717fb11b2684ce8a6b503ab1ae7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1e022dd528bec41a6c6f90e91b11f46000000000200000000001066000000010000200000008eb9e7b06fc0e4ee00a4584265edf11105097b0ce5166f21efa2d928c37ae01f000000000e800000000200002000000067ae203f9726514c33606c78821380372001183ec891237b12ec20356e1d953b90000000df746f8e6fcfc5e1b28e0270124e528923357bccfc65951bccb80cc22518aecdf313ca39231c4435cbfd1cf023707016cae2009a4a0cb32b8361db203b4d2f1a0bbb2c9847644505b1d7e70bb7caca662dde1e83b5221e07c7f900a1531efd1047854fe3179be6d8a7aa836c0099bc30cf45c283029757ab6ef58079cb5fe6c005b8e0386030ce08d02ba7778681367540000000ad10cbfb23b42e7666dd84efaad6786923a2c43eecb7307ca4849dcbffcdec45c3b8cd822459d509cb20f129240704128f19a5ebbe02bfa6269514569216535a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C449E951-D726-11EF-9303-EAF933E40231} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443536565" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4000bf98336bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\eula_en.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabD655.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD6B6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2bcdffdaa40a94e8a5b490fb3b9f0bc
SHA1 22b011d86af2ff7e5937cd2f12c6e4cc7bbf34eb
SHA256 a0954f88d1fa1663bd96ddbf0c3468ba6b8c5bd11d235456287e84981113c371
SHA512 69621e609a778bfaecc3ebb4e0f25f7159bc3cc2190512154e7612e404d3a0a3e0286cea6c6c277569d32fe528bfdb0507e85b315cef2800956beaf6c7b01b7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ad6cb1984505edb873b4557f2f9e0b8
SHA1 45a824a039c2d2c13e3ff025b547cb601ed112fe
SHA256 e195d93290f4975d48e45bf58e6395780dbd92d5ffe3da652665e8f806b66534
SHA512 95f426d712432a0af0789cf3c4d4320f264080c8e8a4ff9df1a24247bea669713d2c1fae5919286d56749eb162f34fc88e2a7dd58c39dbd53d67c796c99386d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34490fbd1e2bc26aadf72b1b14f58605
SHA1 8dcc11fbf84f1d26d0a9c4e5bde3eb0baed1617c
SHA256 ea2cbd10ed2daea2222407619884fc365f2b2030a823179a11bdffbb61064a04
SHA512 9d7eee449a65531ecf0c346cc4a6b20a250a16fd8a13a4984aefddb1cbbbcf015a908db2dfc8b1e34abd08b323b7a35f7f9eca7d21b9cf37e53303ddb95474dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cec89b0d615d4a0e037253a1c4bccf6d
SHA1 ffef05feca64f6eedfd6da43b7a481b134c63132
SHA256 865897bef18942ed7c06c0b70db899b48bab9a1b132ab4d0b93cef7c8e1380b1
SHA512 a1dfbff92a5586a49940d0f6edc321087332b151c496a17101e9a47ff3381793d58d128492ba65a9875d7b4621317ab910bdeb64f8f6f81e49f69105345c1a85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c25cfad2bbde6482b67cbeb2021f5bb4
SHA1 712a382428800e829fa68cda67158cc5ea4a2ced
SHA256 fd0d37e70dc428919711dae3304584b901a70c5215d2a264861710f950da124b
SHA512 eb1ec8ebc40c4afba67d16883c43add63e77346e182d2841fa5922a17edfe42d19b3062cb1611d7b9900b6a05a6b456a0c56e6480a855b0038efb30058261a7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f008b4ce51d3cf20ef728fcff2c2cdbc
SHA1 d00c4e60c9244ebf7d4e0661665ced32c037a421
SHA256 8c20794f2aed5c2c0d004e0c17854cf42b59732779bd5830c7ee4f6242aef05b
SHA512 9b9c1cd5bc045d83819913f6af6a7e9722eeb957625cf0d704687395648947b5ca76d98e7bdd932d2f1cd6da0227b1cf1137735f6a3557d6ab385f6c7b38b7db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5312f9dbe01ffeb1436cb335044e414
SHA1 dde51d67e612090c0a029ac28853ea9ea89d2b83
SHA256 e9b74277c1c2ae55791d57dae8ab8b8e9a724e9b26950611df4ef7ba38caeadf
SHA512 ad8e39894fb64aa3dd01ede99abfe6ede195ada0f51ebdf3e3193367226ba8e792fa5494875de76a4390a3b0d95c3afb66cd0b30226d84bda20c236264965f06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65891464663a214cb4bb024de319823f
SHA1 b2c6de0986d7f72526f1ac0f6a80fdecf2e6b4ed
SHA256 39760f438f01fc2c66259a7ef74eaf2e5ff747db923843465501b03bd87d811b
SHA512 8663bd215855a700b751661b3fee5d35929f036c1ec397b8537c3dc56f8b20363ffddd5902718ad0a5117dc0b4629a9a701452aa4d76d1ce7f2ca4446acadd99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4432b97a18d691c9205c39af8859412
SHA1 e3b1edb0088ec265aa1e816bc6658e0584e61374
SHA256 aee5408a91267c1b43e4b996df8c61d00320faeee8fdb45e48652f48bb04f031
SHA512 74590acd4961024be7fd4a00473fcdd6f2fc372078a1008269e0bf1d8f71e92924884613045e5794bff10129eb6b0c350ca7b694e584e55992ad1490fb1d0bd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b0762eaf72dff2d3096cec53f09f9f9
SHA1 790903604d84e62e7aa3fb7a516ac6f9d86d5785
SHA256 2e24498ca25cb1ab5925e15288ab00dc928d34fea91854ee590addaabc4ab37b
SHA512 3eaaa1ffbb35f29d8878d1e49256ac8816fb99be4d0cb19f5f19ee467ddaa42e2cd8cec37cd358e8348dddade25e74b99bc8dbfe1f0bbe8433ee03d479a38781

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 127088a6bebf68e8ae7084cbcc13281e
SHA1 e6beafa2fce2044c853a6b32e5489f685d40adc0
SHA256 17f54c8355efa50a3eb32aa56af0183056667204ff3cc6e62076f2492530bf2c
SHA512 2a9ec16c61057413b0412c9b8418704c064765a11c177363aaa5789316536137d711e9f2eccc219c91161c741c5cb746079fa2fa604cab3f320904d4a5d4843f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc78b7a86edbfe50b766dc349126f253
SHA1 99d74b5f3dd53872bf42f08926bc97cd25d2ed36
SHA256 9207e46663d148174f936cdab0eda9dab8e3f7d9b502f50c1043c4b2c1b8468a
SHA512 2f4ff33c7f6d45993835bebbd786311810190f45b4618336bc888fa2fc07279db5f7311a64f9bc181fd56a686a545822a69842eb2eeb7170ef903554a35a0ad2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1d25f82d29134c2a06f0d0de27d3530
SHA1 2765945128ade3d2f64478af91454a6ef3b224e2
SHA256 2939240419e38db88fecaa50b8d27cf23cb468a5c151f838b0510e7024f55b53
SHA512 dc9e6a7cc799aaa1e5d38e1ed6ce1953824e9b5569a2529db4cc92482a6075787bec75feb5780ca64509d50e805337819e5c294babf79460d2b2e1d745395b25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c97a2cbb5406a0721f25450eec2f5ec
SHA1 e5ba0a5fd71930f1ca4d675499af44e9de837cf1
SHA256 486d39d028800081a404baf51e885ac8179edd503b7338f41079286d0dba7abd
SHA512 043d184e877da6f45f7fd0f0f123b6d761c80604b06a080e8c86fa29c7a277a075c96b3e51ad06abc7aa88563f8a8b9db0c63d89fb3e9d0e33ea88c5aa8691b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffe2a868daf75bfa4426b2a58be6bb6f
SHA1 3104a0fc4174eae9b93c15c3909c6241b129c4da
SHA256 90cb75b9769848f67d3d8f1bbf8209d2dcd330b746f4846c9f8198c970f90e62
SHA512 77b41cd246776176a225bdab01b4307df2b1210813b479a6c8738a86c55c9d4f72b382b77c22a5b18b361a51fd939dab80380a85da417ced3c329675d77ee6f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 958241f8f8c2198890fc349953c78c67
SHA1 9a160e20a84fb220a5d747d3f32ecf3bcd7968c9
SHA256 8f5d4886f9a4ada8cde70201e53914c2841952c3285ef9fb80f420c6bd998758
SHA512 f60a4b2f3ef4ce083b98964bbd8f2873c555b1c1c90cf830ca615b0556e55d7dfb8d381016b5d17a6b36289501bcce64f1667548548a188fde9625315ad86347

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22907219f506eb7625bbd80331f9552d
SHA1 9df9c3013abca07a3a70cd0549e5d0b63d580f47
SHA256 4974f08c701bba39ed9a7c213391f4b2d52e5b9514a191b0632574e83b0bed1b
SHA512 decdc641830e2b3071f2f6e8f91d33993fb0b67c1cb9e608cb22048de76604a6295b8371606e8f6ea5f908b28899ca758fcae933c673576f96120d4aa3c233ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c987899cb10774a4d31cf48050ee31a7
SHA1 195a2a3b2bb28b03c726a8d8cf2cd8c675b7805a
SHA256 d509be7a6752293459ccac0fdcbf698754af45998dcd04276a8611c376e9e3d7
SHA512 52c9185c96360ef184d791e66d7a4d94f5e22e7e031f1fd9ef3077c4f014648b3ff5a3abb4aea7a654d6d693daad8377ef8622a66a77ac09a52ae6f32e516039

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e172971c7a8fafc9b9dc754c85fada7d
SHA1 e960838caa43e667d1547146aefecdabbf1e4ec6
SHA256 780ec35c6f6fe8b70725249451cc505d8bd4687e6cd45d8751a9dcf7de490248
SHA512 f1996d49b392ed00a360c76fed1b2b11eab612a172d26a0d1920398762cd7eca669c3bffb10e1ba1d612b180d91313e62edd300c2f8a829b764eb1ddd433a981

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4184 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4676-0-0x00000000013E0000-0x00000000013E1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1

Network

N/A

Files

memory/1232-0-0x0000000000190000-0x0000000000191000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443536565" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C45664A1-D726-11EF-A6BD-E67A421F41DB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c4d198336bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA048.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA106.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

144s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"

Signatures

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\ = "ALOT Toolbar Helper" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\alot\bin\ALOTSettings.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
File created C:\Program Files (x86)\alot\bin\alot.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
File created C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
File opened for modification C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
File created C:\Program Files (x86)\alot\alotUninst.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\URL = "http://search.alot.com/web?q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\SuggestionsURL_JSON = "http://sugg.alot.com/opensearch.php?q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\DisplayName = "ALOT Search" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} = "ALOT Toolbar" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\AppPath = "C:\\Program Files (x86)\\alot\\bin" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000002d8049dac3fa524c4a1adb30324e64c62a99268e4a9560d9a4d218d4df08e2e1000000000e8000000002000020000000f31a3a5f2ef6b4809fd43a35c43d0a40f8962ce80402fe036fe4f7c1f905868b1000000091c6d14ecfc0cfc867c0b67da7c7c99a40000000c584dd58cc0544855e28c405709c7df9cf49533df87f421da61b4776519de5407295ebd36cf5d21834003b298a21234e441f2b8e13161bc6f3749f0776ee02b9 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000e5e11fb88a7e33168842892d26385c269b5c5e21c627557a7ee30c4a18f5dcd3000000000e8000000002000020000000342c81dd3f737a357a6e84f67d104c04d678e87c5f84ce8c52799808cc96c71810000000b04155d00e7553e3d4c6a7435eecf08d40000000f059db64fe8800aac398388da681c45091fa0bb59c6d14965fb15859c2ae1d44e7dbc4dfb4f6e425437991e3646f9f767bd6b61e5db43723aa22f5008e1a1517 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000846bec7ddcc52b80dc89ad7c726353779f6fe8aaa4c297c3fba40fc510de0491000000000e80000000020000200000004f8a0becbf30f68151845f3f396e75051394452a76e171e3314a21db386e9c0c10000000031edf2f9d95b6176e93ed550e92897740000000b4fe385886d59196ed056b168ea7b9b06fdcee688d06d241259809a2e2d067bb499b6262f0c5dcd60026d22aadf9d68ac1e6535023c8779d13a43466c2ab93a1 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000069999699b738af10a3b293d149bd49b47a4c599ed91b18f991d32ef107cb9221000000000e8000000002000020000000c994d1b765f05b2ba4bf56234bd0320f28f1605949237cdcfe1b11a6d5281e7110000000bdb8e46f7b4d17283001464abf01d37840000000713aa0d2cfe56f134dc0d6856a31586886bf531742c62cd53ddb2bdfb938b3cb0c6dbc51ce0c189e80895d5a6423c1eb486b6a2cd462ec127d1756c7c502cae7 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\FaviconURLFallback = "http://files.alot.com/1/update/buttons/favicon.ico" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000795e786675d768dafbf29309d0473395a162f44d57ffea1835280a93f3f60030000000000e80000000020000200000005ce3f7419f5f6dc1c2909bf6eabda2a6ba3752a6878d5e190f5fa420d263ce411000000017da8381ed98ed9e916d3b515b0cce94400000009311329db7340f5fc010356b0b3bf00a4e2b11ec5fa0dfb5c5071df00bffa792860793af7c58e96f09603db8cb34407b4557b7de5887fd3c543ef5af4c219cf4 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b41304661d26795e17eed879e85f8bc9697cd6d0a6da15b5470823365baf2795000000000e8000000002000020000000fd08b4ada6b77ca70e57c4e37c5c2675e53e2c9b183d022ec0d8eb43778d7ce010000000251d0a97da833c0f6089e6175a526ad340000000383669223dbc404033ebfc4cede071af988f4d511d6bc1e142d437c2d34a91edb9903edc1a0ea7eb6d1d6b1a863a9ddbc3acfff493ff685052e7c1b4ec4034d0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000050e211d12b938800b7a8234cffe036eae97f37792b8767ba195c2053bb463425000000000e800000000200002000000072cd3903f629f263f977d54b57aadcdee66914bef6af0aea5ea90e9bda072a7e10000000b2ec338706189aa2d19668c509fcbe5a400000009aaba860cb2aa9293bcba9cecd14898683fb1cf05a0501782a6c84ae0e521046bd9a55600de96b6c5444b26f1109113c09e58b48199c0f1228a51b2b9c0c52f8 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\AppName = "ALOTSettings.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\ShowSearchSuggestions = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000007ff3d5ecaf494a6c1813f535897642bf80a38c5c279c4a650d01b5475f45393e000000000e80000000020000200000006390c77642cab2c610ca118ebe5d9421c4a720569397df21791184279020df1b100000006e29275703aacec7c35ad7dd1542fca540000000356241ef61741a96613e2a0788ebc61d9b0b07a9150bc9079720c300a60ba6fd0e30e8f67eb6072150dde699488b29802a8261bc465baab992c96a69c6cfae89 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\ = "ALOT Toolbar" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32\ = "C:\\Program Files (x86)\\alot\\bin\\alot.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\ = "ALOT Toolbar Helper" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32\ = "C:\\Program Files (x86)\\alot\\bin\\BHO\\alotBHO.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 crl.microsoft.com udp
FR 2.22.255.150:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
RO 2.20.118.102:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\System.dll

MD5 b9f430f71c7144d8ff4ab94be2785aa6
SHA1 c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
SHA256 b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
SHA512 c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

memory/2916-15-0x00000000005A0000-0x00000000005C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\installhelper.dll

MD5 91b0372096274dbd47395aa8b28ffedb
SHA1 05d79ba090439c2898d8ad480355c08091acee55
SHA256 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28
SHA512 c40b9eace25b6c871eee9b4186181268de7463c4fe1c4c19372413989489fa891ebd528175d15df031dc768613a81c619acce0981a4c29d475e795d18b1aff08

C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini

MD5 6a82b6a0fe6138096e549bef053ca02b
SHA1 af3bba863d0e78d85a3fc9da7ea3da1f1ff5c2c3
SHA256 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c
SHA512 c425cf0a340b44819ffe65a3da58f790223956d0da13a1176e6fa9f3a4a61da057b1cf2515b3cf7be8105c4f9279bec81d7589ee41373dc2d3d142289397294f

\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\InstallOptions.dll

MD5 6e663f1a0de94bc05d64d020da5d6f36
SHA1 c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
SHA256 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
SHA512 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5

C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini

MD5 a34c3aeca76e7bc74297a272d7c34522
SHA1 cabe469ba2681d487fafdf8bd92bf6899e134bea
SHA256 e11cee5be2b9ea2a238d0a1700af18a231f13cff5a86468bfcdd3c6865a6ac3b
SHA512 62c08dcb7f06674568c3bd794cf823dd1850d3179e334688727b7484f517a11e3f7de91298bf9889ccf13701b2999761ab874978204b42a9be6db24d7fbfd032

memory/2916-158-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula_en.html

MD5 f8aee788c2a09699cd4d607e1db670c8
SHA1 6457b766f043d901a6dd204d00626c4bea02d503
SHA256 503477569d8a48c47c4febbfd4ae6d3cb036856432c8212dcb0226580e7034c9
SHA512 424ef5a4f2653b27b3ca921c35e5e36f28c41ddfe9bcd6b5aba7968d87129826770777fbbfcdc78fce8512c1dce819be0e355282d4a729580591ff296a751162

C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini

MD5 1bfc333220308823791c96d52ab9bee2
SHA1 7672c3f7aa2459baba59b7d8c6a3172feb6c4899
SHA256 83b0f42ccf3172baf19897138a6c2b2a670b58e7e81e35e0172f92c1462dd6a3
SHA512 c531fc3f2f8f4125d9def6901177c40f2386693443a76c3a988d808c0ca6d5a427360ff93f55ec29dfb398e5923f50618e9fabd11ab6bcf4f49f42f51292f751

memory/2916-198-0x0000000010004000-0x0000000010005000-memory.dmp

memory/2916-197-0x0000000002750000-0x0000000002751000-memory.dmp

memory/2916-280-0x0000000003560000-0x0000000003632000-memory.dmp

\Program Files (x86)\alot\bin\alot.dll

MD5 acb423998044f7dcc904a43419ef2d78
SHA1 7fec3d6d444c8f3fef32b6634901fd010b0295bb
SHA256 03707a3959ee86ab624d805a399b839d9b2949875f79940026f63a96e6be740f
SHA512 f037a03564f3608dc69deef46aa63b9250721f4c16aa882054b8eae8a34842a2f7b39910abe47141b549e276b9316ad731056674b9c76bbf5991158ec2c6170a

C:\Users\Admin\AppData\LocalLow\alot\toolbar.xml

MD5 94cd2434f802cc1d795d5fc2965ad827
SHA1 bcd3ca114373d07b84aa6e2d2e249ad9d80838b9
SHA256 82c4b7fc52038a34414fb8f7fb328289e0516f3a5e209f12488417236772794d
SHA512 4c94214015beb2cb6914605b1d4acc10470299f3d4dda7c2c6cdd2fde5ed663a77bc7da3f9ba65876a7712eaaa0c3e80026930e8a4d9ed6bfba00428e145a134

C:\Users\Admin\AppData\LocalLow\alot\toolbar.xml.backup

MD5 e6a20b68ab7ebfa534eb020e84aacfe6
SHA1 5e1edd6166e586bb72f759104edefc754f344d33
SHA256 2001499108e66e5ac01a657149af97e71e1f8c584c4b9d1c44757b598a24da74
SHA512 9991a8bd8f0832e0b8333abf378479a163afb18d2a051791e6e9fb023f46f17865ccb13900121c1c40f302c9449ac4f79f142bca2a397d6b41016191d77c6fb7

memory/2916-314-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_0C493B6872FE216C47DE50A9F8E11760

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

memory/2916-335-0x0000000010004000-0x0000000010005000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 3768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 3768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 2024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 2024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 2024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 2024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1936 wrote to memory of 2024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1936_OCOYSHMTVFFDNTLA

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 244

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 4928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 636

Network


Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\eula_en.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 4108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 3744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\eula_en.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb382446f8,0x7ffb38244708,0x7ffb38244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2

Network

Country  Destination       Domain                           Proto
US       8.8.8.8:53        8.8.8.8.in-addr.arpa             udp
US       8.8.8.8:53        154.239.44.20.in-addr.arpa       udp
US       8.8.8.8:53        68.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53        172.214.232.199.in-addr.arpa     udp
US       8.8.8.8:53        167.173.78.104.in-addr.arpa      udp
N/A      224.0.0.251:5353  N/A                              udp
US       8.8.8.8:53        140.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53        13.86.106.20.in-addr.arpa        udp
US       8.8.8.8:53        53.210.109.20.in-addr.arpa       udp
US       8.8.8.8:53        15.164.165.52.in-addr.arpa       udp
US       8.8.8.8:53        133.211.185.52.in-addr.arpa      udp
US       8.8.8.8:53        172.210.232.199.in-addr.arpa     udp
US       8.8.8.8:53        23.173.189.20.in-addr.arpa       udp
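Every row in this Network table is either a reverse (PTR) lookup sent to 8.8.8.8 or a packet to the mDNS multicast group; the addresses being resolved are only visible in reversed form inside the in-addr.arpa names. The following helper is an added example, not part of the sandbox report: it parses the rows as copied from the table, turns each PTR name back into the IPv4 address that was looked up, and separates the multicast row so that anything else (a forward lookup, a TCP connection) would stand out. The column layout it assumes (Country, Destination, optional Domain, Proto) is taken from this report and is an assumption about the format.

```python
"""Added triage helper for the sandbox Network table (example code, not part of the report).
Reverses in-addr.arpa PTR names into the IPv4 addresses that were resolved and separates
the mDNS multicast row. Column layout is an assumption about this report's format."""
import ipaddress

# Rows copied from the Network table of this detonation (header omitted).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ipv4(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None if the name is not an IPv4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Split the space-separated table; the Domain column may be absent or 'N/A'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # blank line or a row shape we do not understand
        if domain == "N/A":
            domain = ""
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header row or malformed destination
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(text):
    """Group rows into reverse-resolved IPs, multicast destinations and everything else."""
    resolved, multicast, other = set(), set(), []
    for row in parse_rows(text):
        ip = ptr_to_ipv4(row["domain"])
        if ip is not None:
            resolved.add(ip)
        elif ipaddress.ip_address(row["host"]).is_multicast:
            multicast.add((row["host"], row["port"], row["proto"]))
        else:
            other.append(row)  # forward lookups, TCP connects, etc. would land here
    return {
        "reverse_lookups": sorted(resolved, key=ipaddress.IPv4Address),
        "multicast": sorted(multicast),
        "other": other,
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(key, value)
```

For this detonation `other` comes back empty: no forward name resolution and no TCP connection is recorded, only PTR lookups and one mDNS packet. The twelve reversed addresses are what an analyst would then check against known CDN and Microsoft service ranges before treating any of them as traffic originated by the sample rather than by Edge and Windows background activity.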

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 36988ca14952e1848e81a959880ea217
SHA1 a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256 d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512 d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

\??\pipe\LOCAL\crashpad_4320_IGZDBXBUQWLSIGFZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fab8d8d865e33fe195732aa7dcb91c30
SHA1 2637e832f38acc70af3e511f5eba80fbd7461f2c
SHA256 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA512 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4448f053ba558dcb3f60dfeb72d45606
SHA1 b2531167ca0b8e2bc5d25188634b9b8ad28344f9
SHA256 d1f72c167ff4180b544531490e3a10319a9a12530703060b212e8e8a5c9cf0c2
SHA512 f50fa164ed874516c7f2740b6cec91bdbfd99200e19f5a99d2546016cd846127ae605e1e33d07818c68ee7122ac8b7c0e3ed9203405fcd2c596102443852ec9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 91d42331303359dc9bf1479ce69963a5
SHA1 82ebda47e6b35d852dc06d61a309454635db9dff
SHA256 eb78a54883ff9218cb4c78e017bd0b431241aa2d6a926d3c22024fb2550095b5
SHA512 431b7693f65e59fc4ddfebe0ebe2c3193ec6c183d3d370c5c94d91ed7a7bf399106b72c6c7549078b3100d10ba48de538cb7fdc983ff629c6643f23052a468b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b6d133de7288c1667a7863436d44e08e
SHA1 9a29b8f78f213287b9342edaac6cf3f8f8cec054
SHA256 d752e674412cbc15b20cecb0405993fdd3198b9909becd6db56635aef6622de5
SHA512 6c31aa70055f8632e7e0d5b266fcb96613f446e60e05a6275553b34a3b9b30c2ebbb9d61e6aea6c538ff4cb1707642e8c97ea0490b8208c499beca0af3f61157
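Two things in this Files list are easy to misread. The `\??\pipe\LOCAL\crashpad_...` entry carries the MD5, SHA1, SHA256 and SHA512 digests of zero bytes of input, so the sandbox recorded the pipe object but captured no content; and `settings.dat` and `Preferences` each appear twice with different digests because the browser rewrote them during the run. The script below is an added example, not part of the report: it parses the path-plus-four-digest entries as copied from this section, flags empty-content entries by recomputing the empty-input digests with hashlib rather than hard-coding them, and lists paths recorded more than once with differing content. The entry layout it parses is an assumption about this report's format.

```python
"""Added triage helper for the sandbox Files list (example code, not part of the report).
Flags entries whose digests are those of empty input and paths written more than once
with different content. Entry layout is an assumption about this report's format."""
import hashlib
from collections import defaultdict

# Copied from the Files section of this detonation.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5 36988ca14952e1848e81a959880ea217
SHA1 a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256 d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512 d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
\??\pipe\LOCAL\crashpad_4320_IGZDBXBUQWLSIGFZ
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5 fab8d8d865e33fe195732aa7dcb91c30
SHA1 2637e832f38acc70af3e511f5eba80fbd7461f2c
SHA256 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA512 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
MD5 4448f053ba558dcb3f60dfeb72d45606
SHA1 b2531167ca0b8e2bc5d25188634b9b8ad28344f9
SHA256 d1f72c167ff4180b544531490e3a10319a9a12530703060b212e8e8a5c9cf0c2
SHA512 f50fa164ed874516c7f2740b6cec91bdbfd99200e19f5a99d2546016cd846127ae605e1e33d07818c68ee7122ac8b7c0e3ed9203405fcd2c596102443852ec9d
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 91d42331303359dc9bf1479ce69963a5
SHA1 82ebda47e6b35d852dc06d61a309454635db9dff
SHA256 eb78a54883ff9218cb4c78e017bd0b431241aa2d6a926d3c22024fb2550095b5
SHA512 431b7693f65e59fc4ddfebe0ebe2c3193ec6c183d3d370c5c94d91ed7a7bf399106b72c6c7549078b3100d10ba48de538cb7fdc983ff629c6643f23052a468b0
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
MD5 b6d133de7288c1667a7863436d44e08e
SHA1 9a29b8f78f213287b9342edaac6cf3f8f8cec054
SHA256 d752e674412cbc15b20cecb0405993fdd3198b9909becd6db56635aef6622de5
SHA512 6c31aa70055f8632e7e0d5b266fcb96613f446e60e05a6275553b34a3b9b30c2ebbb9d61e6aea6c538ff4cb1707642e8c97ea0490b8208c499beca0af3f61157
"""

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
# Digests of zero bytes of input, computed rather than typed in.
EMPTY_DIGESTS = {a: hashlib.new(a.lower(), b"").hexdigest() for a in ALGOS}


def parse_files(text):
    """Return [{'path': ..., 'MD5': ..., ...}]; any non-digest line starts a new entry."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        algo, _, digest = line.partition(" ")
        if algo in ALGOS and current is not None:
            current[algo] = digest.strip().lower()
        else:
            current = {"path": line.strip()}
            entries.append(current)
    return entries


def empty_content_entries(entries):
    """Entries whose four digests are exactly the empty-input digests: the sandbox
    recorded the object but captured no bytes (here, a Crashpad named pipe)."""
    return [e for e in entries if all(e.get(a) == EMPTY_DIGESTS[a] for a in ALGOS)]


def inconsistent_entries(entries):
    """Entries where some but not all digests are the empty-input value, which would
    point to a transcription error in the report rather than a real artefact."""
    return [e for e in entries
            if any(e.get(a) == EMPTY_DIGESTS[a] for a in ALGOS)
            and not all(e.get(a) == EMPTY_DIGESTS[a] for a in ALGOS)]


def rewritten_paths(entries):
    """Paths recorded more than once with different SHA256, i.e. files rewritten during
    the run; the value is the number of distinct versions seen."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"]].add(e["SHA256"])
    return {p: len(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    found = parse_files(FILES_SECTION)
    print("empty:", [e["path"] for e in empty_content_entries(found)])
    print("rewritten:", rewritten_paths(found))
```

Everything this flags for the current detonation sits under the Edge profile directory or is a Crashpad pipe, which is the browser's own startup churn; none of the entries is a file written by the sample itself.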

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe N/A
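The single indicator above is a read of the system language key by ALOTSettings.exe, the behaviour ATT&CK T1614.001 (System Language Discovery) describes. On its own it is low fidelity: installers, runtimes and Windows components read the same key constantly. What makes it worth a signature here is the combination with the process path, a binary running out of the user's Temp directory. The rule below is an added detection example, not part of the sandbox report or its signature engine. It canonicalises registry paths so that HKLM aliases, CurrentControlSet versus ControlSet00N, and per-user SIDs all collapse to one spelling, and then rates a language-key read as high only when the reading image lives in a user-writable location. The event shape is an assumed generic "key opened" telemetry record; only the first event reproduces the indicator from this report, the rest are constructed.

```python
"""Added detection example for the System Language Discovery signature (not part of the
sandbox report). Event dictionaries mimic an assumed generic 'key opened' telemetry
record; only the first event is taken from the report, the others are constructed."""
import re

LANGUAGE_KEYS = {
    # system-wide language key, the one ALOTSettings.exe opened in this detonation
    r"\registry\machine\system\controlset\control\nls\language",
    # per-user locale key, the other registry location ATT&CK T1614.001 lists
    r"\registry\user\<sid>\control panel\international",
}

# Locations a freshly dropped binary typically runs from (assumed list, extend as needed).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata\\(local\\temp|local|roaming)|downloads|desktop)"
    r"|programdata|users\\public|windows\\temp)\\"
)

_CONTROLSET = re.compile(r"\\system\\(currentcontrolset|controlset\d{3})\\")
_USER_SID = re.compile(r"^\\registry\\user\\(s-1-5-21-[\d-]+|\.default)\\")
_HIVE_ALIASES = (
    ("hkey_local_machine\\", "\\registry\\machine\\"),
    ("hklm\\", "\\registry\\machine\\"),
    ("hkey_users\\", "\\registry\\user\\"),
    ("hku\\", "\\registry\\user\\"),
)


def normalize_key(key):
    """Canonicalise a registry path: lowercase, NT-style hive prefix, control set and
    user SID collapsed, so one rule matches however the telemetry spells the key."""
    k = key.lower()
    for alias, canon in _HIVE_ALIASES:
        if k.startswith(alias):
            k = canon + k[len(alias):]
            break
    k = _CONTROLSET.sub(r"\\system\\controlset\\", k)
    k = _USER_SID.sub(r"\\registry\\user\\<sid>\\", k)
    return k


def evaluate(event):
    """Return an alert for a language-key read, or None for unrelated keys.
    Level is 'high' when the reading image sits in a user-writable directory."""
    if event.get("op") != "Key opened":
        return None
    key = normalize_key(event["key"])
    if key not in LANGUAGE_KEYS:
        return None
    level = "high" if USER_WRITABLE.match(event["image"].lower()) else "info"
    return {"level": level, "technique": "T1614.001", "image": event["image"], "key": key}


def detect(events):
    return [a for a in (evaluate(e) for e in events) if a is not None]


EVENTS = [
    # reproduced from the Signatures table of this detonation
    {"op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     "image": r"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"},
    # constructed: same key spelled via HKLM and CurrentControlSet, read by a system binary
    {"op": "Key opened",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language",
     "image": r"C:\Windows\System32\svchost.exe"},
    # constructed: a Temp binary reading an unrelated key, must not fire
    {"op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    # constructed: per-user locale key read from Downloads
    {"op": "Key opened",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Control Panel\International",
     "image": r"C:\Users\Admin\Downloads\invoice.exe"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["level"], alert["image"], alert["key"])
```

The svchost.exe read is kept as an informational hit rather than dropped, because a language check only becomes meaningful in context (the same process later exiting without further activity, or the key being read before any network connection), and an analyst correlating the timeline needs to see it.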

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"

Network

N/A

Files

N/A