Analysis Overview
SHA256
72f754ea837eebc99d547481ad5d74d4722269363d04bef454a35c2d3b699c4e
Threat Level: Shows suspicious behavior
The file JaffaCakes118_e69c5c6b034d010bb57126bf82813198 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-20 12:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
142s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.250.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.137.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\System.dll
| MD5 | b9f430f71c7144d8ff4ab94be2785aa6 |
| SHA1 | c5c1e153caff7ad1d221a9acc8bbb831f05ccb05 |
| SHA256 | b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655 |
| SHA512 | c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099 |
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\installhelper.dll
| MD5 | 91b0372096274dbd47395aa8b28ffedb |
| SHA1 | 05d79ba090439c2898d8ad480355c08091acee55 |
| SHA256 | 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28 |
| SHA512 | c40b9eace25b6c871eee9b4186181268de7463c4fe1c4c19372413989489fa891ebd528175d15df031dc768613a81c619acce0981a4c29d475e795d18b1aff08 |
memory/3016-17-0x0000000002C30000-0x0000000002C53000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula.ini
| MD5 | 6a82b6a0fe6138096e549bef053ca02b |
| SHA1 | af3bba863d0e78d85a3fc9da7ea3da1f1ff5c2c3 |
| SHA256 | 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c |
| SHA512 | c425cf0a340b44819ffe65a3da58f790223956d0da13a1176e6fa9f3a4a61da057b1cf2515b3cf7be8105c4f9279bec81d7589ee41373dc2d3d142289397294f |
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\InstallOptions.dll
| MD5 | 6e663f1a0de94bc05d64d020da5d6f36 |
| SHA1 | c5abb0033776d6ab1f07e5b3568f7d64f90e5b04 |
| SHA256 | 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4 |
| SHA512 | 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5 |
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula.ini
| MD5 | d2a7861bcdaeb7f3eb07e4d40aca9950 |
| SHA1 | 2b07cf0b5add8b0a33c329136490fe6a73b435af |
| SHA256 | a337c01fa4ce487a075cb7e8fe1106a914a545885ff50234c82037683abe3663 |
| SHA512 | a47f61bce3c8604d2dc93f6e3d5599e0f1d710c0552f0bfa936a2896e886bbbd62f360d60c7dee25966f0616ef5d2d3da93b7b585eefbc83aa8697e00a94c468 |
memory/3016-163-0x0000000002E50000-0x0000000002E51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss7F54.tmp\eula_en.html
| MD5 | f8aee788c2a09699cd4d607e1db670c8 |
| SHA1 | 6457b766f043d901a6dd204d00626c4bea02d503 |
| SHA256 | 503477569d8a48c47c4febbfd4ae6d3cb036856432c8212dcb0226580e7034c9 |
| SHA512 | 424ef5a4f2653b27b3ca921c35e5e36f28c41ddfe9bcd6b5aba7968d87129826770777fbbfcdc78fce8512c1dce819be0e355282d4a729580591ff296a751162 |
memory/3016-183-0x0000000002E50000-0x0000000002E51000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1396 -ip 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.250.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1e022dd528bec41a6c6f90e91b11f460000000002000000000010660000000100002000000023607231daebfae8e6387c89503c102baf173ece06157fba52353d0856952eb3000000000e8000000002000020000000d13635ef45bfa2dfea5b5cd8a767b8dac21371f7502c4d479aeb62543b71925b200000000fb97ecbd7f8afe8a222224e6c86f8e39ee4f5eadbe56ca7c7fe6e72053ee91540000000577f73c55aba32fd705833ed303e9947f3f8a6a52d1f7b43679511512d1727fb4a19122a73863e0aed8cd6224d954f8954cbe717fb11b2684ce8a6b503ab1ae7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value removed during extraction] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C449E951-D726-11EF-9303-EAF933E40231} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443536565" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4000bf98336bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1696 wrote to memory of 2376 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1696 wrote to memory of 2376 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1696 wrote to memory of 2376 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1696 wrote to memory of 2376 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\eula_en.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD655.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD6B6.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2bcdffdaa40a94e8a5b490fb3b9f0bc |
| SHA1 | 22b011d86af2ff7e5937cd2f12c6e4cc7bbf34eb |
| SHA256 | a0954f88d1fa1663bd96ddbf0c3468ba6b8c5bd11d235456287e84981113c371 |
| SHA512 | 69621e609a778bfaecc3ebb4e0f25f7159bc3cc2190512154e7612e404d3a0a3e0286cea6c6c277569d32fe528bfdb0507e85b315cef2800956beaf6c7b01b7a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9ad6cb1984505edb873b4557f2f9e0b8 |
| SHA1 | 45a824a039c2d2c13e3ff025b547cb601ed112fe |
| SHA256 | e195d93290f4975d48e45bf58e6395780dbd92d5ffe3da652665e8f806b66534 |
| SHA512 | 95f426d712432a0af0789cf3c4d4320f264080c8e8a4ff9df1a24247bea669713d2c1fae5919286d56749eb162f34fc88e2a7dd58c39dbd53d67c796c99386d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 34490fbd1e2bc26aadf72b1b14f58605 |
| SHA1 | 8dcc11fbf84f1d26d0a9c4e5bde3eb0baed1617c |
| SHA256 | ea2cbd10ed2daea2222407619884fc365f2b2030a823179a11bdffbb61064a04 |
| SHA512 | 9d7eee449a65531ecf0c346cc4a6b20a250a16fd8a13a4984aefddb1cbbbcf015a908db2dfc8b1e34abd08b323b7a35f7f9eca7d21b9cf37e53303ddb95474dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cec89b0d615d4a0e037253a1c4bccf6d |
| SHA1 | ffef05feca64f6eedfd6da43b7a481b134c63132 |
| SHA256 | 865897bef18942ed7c06c0b70db899b48bab9a1b132ab4d0b93cef7c8e1380b1 |
| SHA512 | a1dfbff92a5586a49940d0f6edc321087332b151c496a17101e9a47ff3381793d58d128492ba65a9875d7b4621317ab910bdeb64f8f6f81e49f69105345c1a85 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c25cfad2bbde6482b67cbeb2021f5bb4 |
| SHA1 | 712a382428800e829fa68cda67158cc5ea4a2ced |
| SHA256 | fd0d37e70dc428919711dae3304584b901a70c5215d2a264861710f950da124b |
| SHA512 | eb1ec8ebc40c4afba67d16883c43add63e77346e182d2841fa5922a17edfe42d19b3062cb1611d7b9900b6a05a6b456a0c56e6480a855b0038efb30058261a7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f008b4ce51d3cf20ef728fcff2c2cdbc |
| SHA1 | d00c4e60c9244ebf7d4e0661665ced32c037a421 |
| SHA256 | 8c20794f2aed5c2c0d004e0c17854cf42b59732779bd5830c7ee4f6242aef05b |
| SHA512 | 9b9c1cd5bc045d83819913f6af6a7e9722eeb957625cf0d704687395648947b5ca76d98e7bdd932d2f1cd6da0227b1cf1137735f6a3557d6ab385f6c7b38b7db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5312f9dbe01ffeb1436cb335044e414 |
| SHA1 | dde51d67e612090c0a029ac28853ea9ea89d2b83 |
| SHA256 | e9b74277c1c2ae55791d57dae8ab8b8e9a724e9b26950611df4ef7ba38caeadf |
| SHA512 | ad8e39894fb64aa3dd01ede99abfe6ede195ada0f51ebdf3e3193367226ba8e792fa5494875de76a4390a3b0d95c3afb66cd0b30226d84bda20c236264965f06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65891464663a214cb4bb024de319823f |
| SHA1 | b2c6de0986d7f72526f1ac0f6a80fdecf2e6b4ed |
| SHA256 | 39760f438f01fc2c66259a7ef74eaf2e5ff747db923843465501b03bd87d811b |
| SHA512 | 8663bd215855a700b751661b3fee5d35929f036c1ec397b8537c3dc56f8b20363ffddd5902718ad0a5117dc0b4629a9a701452aa4d76d1ce7f2ca4446acadd99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4432b97a18d691c9205c39af8859412 |
| SHA1 | e3b1edb0088ec265aa1e816bc6658e0584e61374 |
| SHA256 | aee5408a91267c1b43e4b996df8c61d00320faeee8fdb45e48652f48bb04f031 |
| SHA512 | 74590acd4961024be7fd4a00473fcdd6f2fc372078a1008269e0bf1d8f71e92924884613045e5794bff10129eb6b0c350ca7b694e584e55992ad1490fb1d0bd0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b0762eaf72dff2d3096cec53f09f9f9 |
| SHA1 | 790903604d84e62e7aa3fb7a516ac6f9d86d5785 |
| SHA256 | 2e24498ca25cb1ab5925e15288ab00dc928d34fea91854ee590addaabc4ab37b |
| SHA512 | 3eaaa1ffbb35f29d8878d1e49256ac8816fb99be4d0cb19f5f19ee467ddaa42e2cd8cec37cd358e8348dddade25e74b99bc8dbfe1f0bbe8433ee03d479a38781 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 127088a6bebf68e8ae7084cbcc13281e |
| SHA1 | e6beafa2fce2044c853a6b32e5489f685d40adc0 |
| SHA256 | 17f54c8355efa50a3eb32aa56af0183056667204ff3cc6e62076f2492530bf2c |
| SHA512 | 2a9ec16c61057413b0412c9b8418704c064765a11c177363aaa5789316536137d711e9f2eccc219c91161c741c5cb746079fa2fa604cab3f320904d4a5d4843f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc78b7a86edbfe50b766dc349126f253 |
| SHA1 | 99d74b5f3dd53872bf42f08926bc97cd25d2ed36 |
| SHA256 | 9207e46663d148174f936cdab0eda9dab8e3f7d9b502f50c1043c4b2c1b8468a |
| SHA512 | 2f4ff33c7f6d45993835bebbd786311810190f45b4618336bc888fa2fc07279db5f7311a64f9bc181fd56a686a545822a69842eb2eeb7170ef903554a35a0ad2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1d25f82d29134c2a06f0d0de27d3530 |
| SHA1 | 2765945128ade3d2f64478af91454a6ef3b224e2 |
| SHA256 | 2939240419e38db88fecaa50b8d27cf23cb468a5c151f838b0510e7024f55b53 |
| SHA512 | dc9e6a7cc799aaa1e5d38e1ed6ce1953824e9b5569a2529db4cc92482a6075787bec75feb5780ca64509d50e805337819e5c294babf79460d2b2e1d745395b25 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c97a2cbb5406a0721f25450eec2f5ec |
| SHA1 | e5ba0a5fd71930f1ca4d675499af44e9de837cf1 |
| SHA256 | 486d39d028800081a404baf51e885ac8179edd503b7338f41079286d0dba7abd |
| SHA512 | 043d184e877da6f45f7fd0f0f123b6d761c80604b06a080e8c86fa29c7a277a075c96b3e51ad06abc7aa88563f8a8b9db0c63d89fb3e9d0e33ea88c5aa8691b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffe2a868daf75bfa4426b2a58be6bb6f |
| SHA1 | 3104a0fc4174eae9b93c15c3909c6241b129c4da |
| SHA256 | 90cb75b9769848f67d3d8f1bbf8209d2dcd330b746f4846c9f8198c970f90e62 |
| SHA512 | 77b41cd246776176a225bdab01b4307df2b1210813b479a6c8738a86c55c9d4f72b382b77c22a5b18b361a51fd939dab80380a85da417ced3c329675d77ee6f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 958241f8f8c2198890fc349953c78c67 |
| SHA1 | 9a160e20a84fb220a5d747d3f32ecf3bcd7968c9 |
| SHA256 | 8f5d4886f9a4ada8cde70201e53914c2841952c3285ef9fb80f420c6bd998758 |
| SHA512 | f60a4b2f3ef4ce083b98964bbd8f2873c555b1c1c90cf830ca615b0556e55d7dfb8d381016b5d17a6b36289501bcce64f1667548548a188fde9625315ad86347 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22907219f506eb7625bbd80331f9552d |
| SHA1 | 9df9c3013abca07a3a70cd0549e5d0b63d580f47 |
| SHA256 | 4974f08c701bba39ed9a7c213391f4b2d52e5b9514a191b0632574e83b0bed1b |
| SHA512 | decdc641830e2b3071f2f6e8f91d33993fb0b67c1cb9e608cb22048de76604a6295b8371606e8f6ea5f908b28899ca758fcae933c673576f96120d4aa3c233ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c987899cb10774a4d31cf48050ee31a7 |
| SHA1 | 195a2a3b2bb28b03c726a8d8cf2cd8c675b7805a |
| SHA256 | d509be7a6752293459ccac0fdcbf698754af45998dcd04276a8611c376e9e3d7 |
| SHA512 | 52c9185c96360ef184d791e66d7a4d94f5e22e7e031f1fd9ef3077c4f014648b3ff5a3abb4aea7a654d6d693daad8377ef8622a66a77ac09a52ae6f32e516039 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e172971c7a8fafc9b9dc754c85fada7d |
| SHA1 | e960838caa43e667d1547146aefecdabbf1e4ec6 |
| SHA256 | 780ec35c6f6fe8b70725249451cc505d8bd4687e6cd45d8751a9dcf7de490248 |
| SHA512 | f1996d49b392ed00a360c76fed1b2b11eab612a172d26a0d1920398762cd7eca669c3bffb10e1ba1d612b180d91313e62edd300c2f8a829b764eb1ddd433a981 |
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4184 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4184 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4184 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4676-0-0x00000000013E0000-0x00000000013E1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1260 wrote to memory of 1232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\installhelper.dll,#1
Network
Files
memory/1232-0-0x0000000000190000-0x0000000000191000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 2940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d5b8e31d7414645b7c49b7c649e47dd00000000020000000000106600000001000020000000ac6a9214955b024e8a7923840532428a2ed157890c55bf4573af33db93008af7000000000e8000000002000020000000060641f5264a89c97b7850cad85fd56a9ad2131e547d2c08be04e8921dc1f11820000000131ccab3d9aa15ed88c8b59650bf5fb58fc73ace446b5f3ccdedbcce974648d6400000001e672505b3b76c8aeb4e8b7596b47b33eeecffcb04e96953cb0e9568d401e266b1bdc9c36e1a07f6082d03df1bcd3c9a43fb8c343fff9719ce556b0cff09e5dd | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443536565" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C45664A1-D726-11EF-A6BD-E67A421F41DB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c4d198336bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 2856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2400 wrote to memory of 2856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2400 wrote to memory of 2856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2400 wrote to memory of 2856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1608 wrote to memory of 2024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1608 wrote to memory of 2024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1608 wrote to memory of 2024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\alot.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
144s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\ = "ALOT Toolbar Helper" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\alot\bin\ALOTSettings.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| File created | C:\Program Files (x86)\alot\bin\alot.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| File created | C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| File opened for modification | C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| File created | C:\Program Files (x86)\alot\alotUninst.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000f725d79886e35367b5fa4d77e8b72fe81cb44f58eb66b312e678d62f5ea53275000000000e8000000002000020000000a845548493292fa7fced146ae238b6f13ae4719fc907e8306a32edac19f6ed0110000000c330a423a7b4084381a73bc95d5db15f40000000ce80e6e355afbc604f6f1533cc04e8eb1f8b01ce5d588590ea55cfac958d681a3d4d8331714126c33c7dcbdd6405c46dbe416d17083ee343083ca8cc3682c8f4 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000db281290863af43a93c4b2b42389de60a2698c31619d74c86c55c11141bd652d000000000e80000000020000200000005b132d9b44a58a95a3b831f28e85f723fe67c68431346da7f4a386dfcd686acd100000008d43092c2d131367de2d03df2c46402d40000000a4c9fdc0ad13e05a868b77deaa50d1a90ba40d9c72ec0468e36b07b4646ab5cc0b357594edf96b37b10cb2c7149b9462ad7cd8b8f9c697a59788773599c63bf6 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000a75f4403091fb48f91ae0e8a851da72f7f5b76a3f8c6e00b4395977cf48ff7bd000000000e80000000020000200000005ba667ced36e6d2b01d92198d4ff06d1e043e97efb90929e9fdd142f02c4e41c100000007f7da44400b57ff27079d56661e4ca4a40000000b4e9a7f9c509dba065f8dab85f81a01ac6476943b897d880340d25e9196d2c5613f07cb5b0fe4bb03bdc6272cd159f8c69ea55827f53711482d97344c3c92947 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\URL = "http://search.alot.com/web?q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000004086dbd902451598816d61951c7a4246cdeb050e29fed9e0b5a3ed6ef24ad0c000000000e800000000200002000000053ce0dd18814339cd464aa3d5acc59fece1d60c9482cbf9f60e3597c9ed53fc5100000006c8fa6e909e6213c944e9a84ade7976d400000006575991b5b875b5ee394f34586421ba634527a03232235e4a0beba3fadba4a6bc2a466eac9dbf7422c434284ca93377952655486eb8978d08c47a8cdac14d42a | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000ed0f39da9d511338556445262a05f8f803372765d55f1fa5ff6270db0e84054e000000000e8000000002000020000000a6e6aade5d73b568c5701749cbefa278534c8b33f5169b588a88bf02043c12c21000000070cba144b8233a812808fc27999f138340000000225de6b3c863b3846662a2c84661fdf08c1c894303397c1239ffbb9ec9fdec7dff9f21d551957642844f8fe88bc560dfd55c5195e1f55a988589a107ffec8dfc | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000007950ccafe02a4db80a37478e82f19d11f1013748293909c1e81b27b9811a0c4c000000000e8000000002000020000000ee0ef146ad48d1035838bfbebf14ccc7810ddbb239831943b4f2d2651b420ad610000000fd4dd3a829bb038edf9ec546a74b2eb9400000003ec615a6161d51afb4a525ac4c138e021ef9512397c6568dd0d5869ad2a01b56b47ab2ad07b2f38e2d11efeb3693e18ce742f45f02327773b6be4e2d3fa22fed | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\SuggestionsURL_JSON = "http://sugg.alot.com/opensearch.php?q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b3e1ac29810a003f4a9898249142dff740a5bd066ecf47aedd5f8731cae3ee2b000000000e800000000200002000000081f374f6d2445183482be8d3e1a5fc6709e4b61cffc1c33ea7d5dc5588cb361510000000856efe66b88cc1a46b6ad6bb184bb3bb40000000723282b134628f122a074f7b55720dbe03150f137c45e815ee7a4dd849463619bc7cfe7a27aa87248012af34ef5ee392702189f2cfbdc6289a821ccadd18c62b | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\DisplayName = "ALOT Search" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000002696e99a0072302a840b65a72f0374b8721fed7a97694c5a4bcc46ade32a0786000000000e8000000002000020000000a15d6cc930707f4be74a0e5202662bb8d13e302c455dcc430cbc21c8bf67532a100000009f5415eaa101a7224fe94b84b896d3444000000086905db57669ae34c37d538f7f3273f90c6ab8d5d88d014af5675c4ecabd40edae4b607d3e601c4912999fb7b4265e77990a0434837e2d45aa9181c33d03541a | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000001b67f5acf8b3d1a324547028021bfaa619314b435fca172e78f1fded9f3dcb4b000000000e8000000002000020000000ff9131ba144884e2cc4c4bb9b9300aec20c3f87de3b8e841dd01346258d3ab2510000000a60bb969dd0f13dce9927c11d49a462040000000c568bf75c783d34e1953aa7fbb55f11e902891cb0c60ddc4e03082af86bec9daefd7fddde760292a3e5e095e169c2e3eeb54856ed770ab3965e9aec9f6a1a342 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b170bbee3caa662d1cb30d71acd140521992ed3a8be7dfe741f2537dcb14c60a000000000e8000000002000020000000e5bdcdc87c0863a6b68731b32359dcfa77d66d93f645a5d3560ac71aff917002100000001abb1beb3ac28a2b5435d5c6187034ad400000007066f705c4e6f05a0064a1a7ee8e1515d212495890ba6b141eddb7c3ee326f80a736c1314ab833755753052fd1b168ccd16af6a52455412bb278d9d12b77b9ab | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} = "ALOT Toolbar" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000022001230875af6ee63eb0caf1b72d6e0154724bbec591391866f024ebb054065000000000e8000000002000020000000e394925a90abed365ed11120b475aaee9d3c7d172d1f9464aff847f33905bcb21000000024d4898bb0a326ca282f3e391d7bf28f40000000e95383017909d07f06dac45f9a5272fb8df9022b35f53a81231ff5f48e13f537377d83eb1943ecd0723d2037c008233cdb097f5e8427655866052a0107da427a | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000004b9c8289e15ca33c622a5a944bfdcb2a8a4004f345683bf928f110c7df6ac447000000000e8000000002000020000000343b06c0414859a0ef294c9384a45492cd219f7dbf16d81b56d0d0bffb306913100000005fc989d59822d8a863df95aa0c5fe5ba40000000780f7dafd70f3e82322aecf3b9dfcadef51917ec1da346bfa73f4310cc06c17586084664f743c4e0010d8f71df5e1f24a7a7cafd26a2bf585d9958e0dd70fe49 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000d3dcc5aae01e1e9da89edca56d28f36a163c9c6dc442360735b52616c099c83f000000000e8000000002000020000000463159f6ca180cc888b5a033ef51a448685b37c6640a12e5a389db7e15eaa0e21000000073dbc767b39c09570f592900c177b23d40000000b351c84facaea051b577d66335d6440d523da0d0d380f90e887d0600346ba02a7bfb8efd8f81e7f54ce136a7324ee30bae3a3b46a6675d47f5012ce8ddd79285 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000001e367d32f53271c2e5a18b612c3b51ca3e23f1fd6721294fd2ccc0f5d8673b31000000000e80000000020000200000001b8b9cee8e537c84b8a83652bc2bf6fe7cf518e12b72dbefafd24dcfed84c65510000000930ff434ddeb40f95d6c534b218b975a400000009c039d9871658a7d91d33dfa6df31b492d1165ec75530deaf6534fcfba3ebaf7ad4023b046e3712ff105cd49f880db2233ad479e7a786016e48b8cdc923b69cb | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\AppPath = "C:\\Program Files (x86)\\alot\\bin" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000002d8049dac3fa524c4a1adb30324e64c62a99268e4a9560d9a4d218d4df08e2e1000000000e8000000002000020000000f31a3a5f2ef6b4809fd43a35c43d0a40f8962ce80402fe036fe4f7c1f905868b1000000091c6d14ecfc0cfc867c0b67da7c7c99a40000000c584dd58cc0544855e28c405709c7df9cf49533df87f421da61b4776519de5407295ebd36cf5d21834003b298a21234e441f2b8e13161bc6f3749f0776ee02b9 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000e5e11fb88a7e33168842892d26385c269b5c5e21c627557a7ee30c4a18f5dcd3000000000e8000000002000020000000342c81dd3f737a357a6e84f67d104c04d678e87c5f84ce8c52799808cc96c71810000000b04155d00e7553e3d4c6a7435eecf08d40000000f059db64fe8800aac398388da681c45091fa0bb59c6d14965fb15859c2ae1d44e7dbc4dfb4f6e425437991e3646f9f767bd6b61e5db43723aa22f5008e1a1517 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000846bec7ddcc52b80dc89ad7c726353779f6fe8aaa4c297c3fba40fc510de0491000000000e80000000020000200000004f8a0becbf30f68151845f3f396e75051394452a76e171e3314a21db386e9c0c10000000031edf2f9d95b6176e93ed550e92897740000000b4fe385886d59196ed056b168ea7b9b06fdcee688d06d241259809a2e2d067bb499b6262f0c5dcd60026d22aadf9d68ac1e6535023c8779d13a43466c2ab93a1 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000069999699b738af10a3b293d149bd49b47a4c599ed91b18f991d32ef107cb9221000000000e8000000002000020000000c994d1b765f05b2ba4bf56234bd0320f28f1605949237cdcfe1b11a6d5281e7110000000bdb8e46f7b4d17283001464abf01d37840000000713aa0d2cfe56f134dc0d6856a31586886bf531742c62cd53ddb2bdfb938b3cb0c6dbc51ce0c189e80895d5a6423c1eb486b6a2cd462ec127d1756c7c502cae7 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\FaviconURLFallback = "http://files.alot.com/1/update/buttons/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000795e786675d768dafbf29309d0473395a162f44d57ffea1835280a93f3f60030000000000e80000000020000200000005ce3f7419f5f6dc1c2909bf6eabda2a6ba3752a6878d5e190f5fa420d263ce411000000017da8381ed98ed9e916d3b515b0cce94400000009311329db7340f5fc010356b0b3bf00a4e2b11ec5fa0dfb5c5071df00bffa792860793af7c58e96f09603db8cb34407b4557b7de5887fd3c543ef5af4c219cf4 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b41304661d26795e17eed879e85f8bc9697cd6d0a6da15b5470823365baf2795000000000e8000000002000020000000fd08b4ada6b77ca70e57c4e37c5c2675e53e2c9b183d022ec0d8eb43778d7ce010000000251d0a97da833c0f6089e6175a526ad340000000383669223dbc404033ebfc4cede071af988f4d511d6bc1e142d437c2d34a91edb9903edc1a0ea7eb6d1d6b1a863a9ddbc3acfff493ff685052e7c1b4ec4034d0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000050e211d12b938800b7a8234cffe036eae97f37792b8767ba195c2053bb463425000000000e800000000200002000000072cd3903f629f263f977d54b57aadcdee66914bef6af0aea5ea90e9bda072a7e10000000b2ec338706189aa2d19668c509fcbe5a400000009aaba860cb2aa9293bcba9cecd14898683fb1cf05a0501782a6c84ae0e521046bd9a55600de96b6c5444b26f1109113c09e58b48199c0f1228a51b2b9c0c52f8 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\AppName = "ALOTSettings.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000007ff3d5ecaf494a6c1813f535897642bf80a38c5c279c4a650d01b5475f45393e000000000e80000000020000200000006390c77642cab2c610ca118ebe5d9421c4a720569397df21791184279020df1b100000006e29275703aacec7c35ad7dd1542fca540000000356241ef61741a96613e2a0788ebc61d9b0b07a9150bc9079720c300a60ba6fd0e30e8f67eb6072150dde699488b29802a8261bc465baab992c96a69c6cfae89 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\ = "ALOT Toolbar" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32\ = "C:\\Program Files (x86)\\alot\\bin\\alot.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\ = "ALOT Toolbar Helper" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32\ = "C:\\Program Files (x86)\\alot\\bin\\BHO\\alotBHO.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| FR | 2.22.255.150:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RO | 2.20.118.102:80 | www.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\System.dll
| MD5 | b9f430f71c7144d8ff4ab94be2785aa6 |
| SHA1 | c5c1e153caff7ad1d221a9acc8bbb831f05ccb05 |
| SHA256 | b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655 |
| SHA512 | c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099 |
memory/2916-15-0x00000000005A0000-0x00000000005C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\installhelper.dll
| MD5 | 91b0372096274dbd47395aa8b28ffedb |
| SHA1 | 05d79ba090439c2898d8ad480355c08091acee55 |
| SHA256 | 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28 |
| SHA512 | c40b9eace25b6c871eee9b4186181268de7463c4fe1c4c19372413989489fa891ebd528175d15df031dc768613a81c619acce0981a4c29d475e795d18b1aff08 |
C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini
| MD5 | 6a82b6a0fe6138096e549bef053ca02b |
| SHA1 | af3bba863d0e78d85a3fc9da7ea3da1f1ff5c2c3 |
| SHA256 | 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c |
| SHA512 | c425cf0a340b44819ffe65a3da58f790223956d0da13a1176e6fa9f3a4a61da057b1cf2515b3cf7be8105c4f9279bec81d7589ee41373dc2d3d142289397294f |
\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\InstallOptions.dll
| MD5 | 6e663f1a0de94bc05d64d020da5d6f36 |
| SHA1 | c5abb0033776d6ab1f07e5b3568f7d64f90e5b04 |
| SHA256 | 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4 |
| SHA512 | 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5 |
C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini
| MD5 | a34c3aeca76e7bc74297a272d7c34522 |
| SHA1 | cabe469ba2681d487fafdf8bd92bf6899e134bea |
| SHA256 | e11cee5be2b9ea2a238d0a1700af18a231f13cff5a86468bfcdd3c6865a6ac3b |
| SHA512 | 62c08dcb7f06674568c3bd794cf823dd1850d3179e334688727b7484f517a11e3f7de91298bf9889ccf13701b2999761ab874978204b42a9be6db24d7fbfd032 |
memory/2916-158-0x00000000003F0000-0x00000000003F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula_en.html
| MD5 | f8aee788c2a09699cd4d607e1db670c8 |
| SHA1 | 6457b766f043d901a6dd204d00626c4bea02d503 |
| SHA256 | 503477569d8a48c47c4febbfd4ae6d3cb036856432c8212dcb0226580e7034c9 |
| SHA512 | 424ef5a4f2653b27b3ca921c35e5e36f28c41ddfe9bcd6b5aba7968d87129826770777fbbfcdc78fce8512c1dce819be0e355282d4a729580591ff296a751162 |
C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini
| MD5 | 1bfc333220308823791c96d52ab9bee2 |
| SHA1 | 7672c3f7aa2459baba59b7d8c6a3172feb6c4899 |
| SHA256 | 83b0f42ccf3172baf19897138a6c2b2a670b58e7e81e35e0172f92c1462dd6a3 |
| SHA512 | c531fc3f2f8f4125d9def6901177c40f2386693443a76c3a988d808c0ca6d5a427360ff93f55ec29dfb398e5923f50618e9fabd11ab6bcf4f49f42f51292f751 |
memory/2916-198-0x0000000010004000-0x0000000010005000-memory.dmp
memory/2916-197-0x0000000002750000-0x0000000002751000-memory.dmp
memory/2916-280-0x0000000003560000-0x0000000003632000-memory.dmp
\Program Files (x86)\alot\bin\alot.dll
| MD5 | acb423998044f7dcc904a43419ef2d78 |
| SHA1 | 7fec3d6d444c8f3fef32b6634901fd010b0295bb |
| SHA256 | 03707a3959ee86ab624d805a399b839d9b2949875f79940026f63a96e6be740f |
| SHA512 | f037a03564f3608dc69deef46aa63b9250721f4c16aa882054b8eae8a34842a2f7b39910abe47141b549e276b9316ad731056674b9c76bbf5991158ec2c6170a |
C:\Users\Admin\AppData\LocalLow\alot\toolbar.xml
| MD5 | 94cd2434f802cc1d795d5fc2965ad827 |
| SHA1 | bcd3ca114373d07b84aa6e2d2e249ad9d80838b9 |
| SHA256 | 82c4b7fc52038a34414fb8f7fb328289e0516f3a5e209f12488417236772794d |
| SHA512 | 4c94214015beb2cb6914605b1d4acc10470299f3d4dda7c2c6cdd2fde5ed663a77bc7da3f9ba65876a7712eaaa0c3e80026930e8a4d9ed6bfba00428e145a134 |
C:\Users\Admin\AppData\LocalLow\alot\toolbar.xml.backup
| MD5 | e6a20b68ab7ebfa534eb020e84aacfe6 |
| SHA1 | 5e1edd6166e586bb72f759104edefc754f344d33 |
| SHA256 | 2001499108e66e5ac01a657149af97e71e1f8c584c4b9d1c44757b598a24da74 |
| SHA512 | 9991a8bd8f0832e0b8333abf378479a163afb18d2a051791e6e9fb023f46f17865ccb13900121c1c40f302c9449ac4f79f142bca2a397d6b41016191d77c6fb7 |
memory/2916-314-0x00000000003F0000-0x00000000003F1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_0C493B6872FE216C47DE50A9F8E11760
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
memory/2916-335-0x0000000010004000-0x0000000010005000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 34d2c4f40f47672ecdf6f66fea242f4a |
| SHA1 | 4bcad62542aeb44cae38a907d8b5a8604115ada2 |
| SHA256 | b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33 |
| SHA512 | 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6 |
\??\pipe\LOCAL\crashpad_1936_OCOYSHMTVFFDNTLA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8749e21d9d0a17dac32d5aa2027f7a75 |
| SHA1 | a5d555f8b035c7938a4a864e89218c0402ab7cde |
| SHA256 | 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304 |
| SHA512 | c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 13858f461b2a6d639078ec37d6b4753e |
| SHA1 | 2364ad50ef096fa02fddf3ec09e22a058ac3fefc |
| SHA256 | 291731bc45039a9d197fc92d99013ee570a2ff7979af85299f02496b9f40e177 |
| SHA512 | 46b7f61c1a8dfe619967a2ff2890eab550aa8ed78b9135babaf72e473876f49b9454dab6289133cd4cf89b791b76dc4377f71ba42942c268864ae9e80fe02d47 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 244
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1544 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1544 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1544 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 636
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:08
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\eula_en.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb382446f8,0x7ffb38244708,0x7ffb38244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12447320131399961991,17205116669284315285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4320_IGZDBXBUQWLSIGFZ
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\alot\bin\ALOTSettings.exe"