Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

2W6FcgEeMy.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EBFDF002-4B97-11EC-90EB-ECF4BBEA1588}.dat

Composite Document File V2 Document, Cannot read section info

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat

Composite Document File V2 Document, Cannot read section info

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\17-361657-68ddb2ab[1].js

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AA7XCQ3[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAMqFmF[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPFmi4[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQBdIv[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXXJy[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXevg[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXiy5[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXrMl[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQY08U[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYPIL[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYUQR[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYUU3[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYVTM[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYYTT[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYrvs[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYvQT[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB7hg4[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBUZVvV[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\a5ea21[1].ico

PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png

PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm

HTML document, ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm

HTML document, ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[3].htm

HTML document, ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otCommonStyles[1].css

ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otFlat[1].json

ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otPcCenter[2].json

ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js

ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\264bf325-c7e4-4939-8912-2424a7abe532[1].jpg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAOdxvW[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAOr6Ee[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQTQg3[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQY4m2[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQY5wp[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQY8Zl[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQYCwH[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQYWm8[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQYqMl[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAycUpK[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB10MkbM[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7hjL[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\de-ch[2].json

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\f69ed47f-3ddb-476a-9d92-3f337b2721b0[1].jpg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\favicon[2].ico

MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\iab2Data[2].json

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[1].htm

HTML document, ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[2].htm

HTML document, ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otTCF-ie[1].js

UTF-8 Unicode text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\px[1].gif

GIF image data, version 89a, 1 x 1

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff

Web Open Font Format, TrueType, length 45633, version 1.0

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPQoxX[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQVPm6[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQVtAu[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQW0Fs[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQY2pC[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQY5UV[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQY7HF[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYCIb[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYV96[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYd7s[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYvGE[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQZ3BL[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAud6Gv[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAzb5EX[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1ftEY0[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBMW3y8[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBVuddh[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBY7ARN[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[3].htm

HTML document, ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV52461[1].js

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV52461[2].js

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otBannerSdk[1].js

UTF-8 Unicode text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\tag[1].js

ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\2d-0e97d4-185735b[1].css

UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\52-478955-68ddb2ab[1].js

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKp8YX[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPwesU[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQCmUS[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQT0oN[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQXTtj[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQXYTC[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQY2dE[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQYSOX[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQYSTg[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQYULr[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1aXBV1[1].png

PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cEP3G[1].png

PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cG73h[1].png

PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1fdtSt[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1kc8s[1].png

PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB6Ma4a[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB7gRE[1].png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBPfCZL[1].png

GIF image data, version 89a, 50 x 50

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png

PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\a8a064[1].gif

GIF image data, version 89a, 28 x 28

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm

HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\e151e5[1].gif

GIF image data, version 89a, 1 x 1

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js

ASCII text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\~DF511C5929B225C7AA.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF7F454687EFA0D2F9.TMP

data

dropped

There are 106 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll"

Details

Is windows:	true
Is dropped:	false
PID:	6196
Target ID:	0
Parent PID:	5740
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll"
Size:	893440
MD5:	72FCD8FB0ADC38ED9050569AD673650E
Time:	14:27:20
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	1241088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll

Details

Is windows:	true
Is dropped:	false
PID:	6292
Target ID:	2
Parent PID:	6196
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\regsvr32.exe
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll
Size:	20992
MD5:	426E7499F6A7346F0410DEAD0805586B
Time:	14:27:21
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	984
Target ID:	3
Parent PID:	900
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	14:27:21
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1160000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	6432
Target ID:	6
Parent PID:	6196
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	14:27:22
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1160000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda

Details

Is windows:	true
Is dropped:	false
PID:	3112
Target ID:	8
Parent PID:	6196
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	14:27:26
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1160000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr

Details

Is windows:	true
Is dropped:	false
PID:	2944
Target ID:	9
Parent PID:	6196
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	14:27:32
Date:	22/11/2021
Reason:	newprocess
Reputation:	timeout
Is admin:	true
Is elevated:	true
Modulebase:	0x1160000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	900
Target ID:	1
Parent PID:	6196
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	14:27:20
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x11d0000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

Details

Is windows:	true
Is dropped:	false
PID:	6068
Target ID:	5
Parent PID:	6196
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files\internet explorer\iexplore.exe
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Size:	823560
MD5:	6465CB92B25A7BC1DF8E01D8AC5E7596
Time:	14:27:21
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6449b0000
Modulesize:	831488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2

Details

Is windows:	true
Is dropped:	false
PID:	6528
Target ID:	7
Parent PID:	6068
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	14:27:23
Date:	22/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1000000
Modulesize:	827392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://avolebukoneh.website

unknown

http://technoshoper.com

unknown

https://avolebukoneh.website

unknown

https://ad-delivery.net/px.gif?ch=1&e=0.5207611127885279

172.67.69.19

https://aka.ms/MicrosoftEdgeDownload"

unknown

https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36

unknown

http://searchads.msn.net/.cfm?&&kp=1&

unknown

https://contextual.media.net/medianet.php?cid=8CU157172

unknown

https://www.msn.com/de-ch/nachrichten/coronareisen

unknown

https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?

unknown

https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc

unknown

https://www.google.com/favicon.ico~

unknown

https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na

unknown

https://onedrive.live.com;Fotos

unknown

https://www.msn.com/de-ch/sport?ocid=StripeOCID

unknown

https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn

unknown

https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel

unknown

https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp

unknown

https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO

unknown

http://ogp.me/ns/fb#

unknown

https://www.botman.ninja/privacy-policy

unknown

https://outlook.live.com/mail/deeplink/compose;Kalender

unknown

https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg

unknown

https://www.queryclick.com/privacy-policy

unknown

https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002

unknown

https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn

unknown

https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize

unknown

https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli

unknown

https://btloader.com/tag?o=6208086025961472&upapi=true

172.67.70.134

http://www.reddit.com/

unknown

https://www.skype.com/

unknown

https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562

unknown

https://sp.booking.com/index.html?aid=1589774&label=travelnavlink

unknown

https://www.msn.com/de-ch/nachrichten/regional

unknown

https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c

unknown

https://onedrive.live.com/?qt=allmyphotos;Aktuelle

unknown

http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA%-

unknown

https://amzn.to/2TTxhNg

unknown

https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com

unknown

https://client-s.gateway.messenger.live.com

unknown

https://secure.adnxs.com/clktrb?id=764680&t=1

unknown

https://www.msn.com/de-ch/

unknown

https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site

unknown

https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1

unknown

https://www.msn.com/de-ch

unknown

https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m

unknown

https://twitter.com/i/notifications;Ich

unknown

https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http

unknown

https://www.google.com/favicon.ico

unknown

https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250

216.58.215.230

https://nextmillennium.io/privacy-policy/

unknown

https://silvermob.com/privacy

unknown

https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

unknown

https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb

unknown

http://www.youtube.com/

unknown

http://ogp.me/ns#

unknown

http://schema.org/Organization

unknown

https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer

unknown

https://onedrive.live.com/?qt=mru;OneDrive-App

unknown

https://www.skype.com/de

unknown

https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc

unknown

https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me

unknown

https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"

unknown

https://www.skype.com/de/download-skype

unknown

https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header

unknown

http://www.hotmail.msn.com/pii/ReadOutlookEmail/

unknown

https://onedrive.live.com;OneDrive-App

unknown

https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA

unknown

https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&

unknown

https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692

unknown

https://www.google.com/chrome/static/images/favicons/favicon-16x16.png

unknown

https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location

unknown

http://www.amazon.com/

unknown

https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1

unknown

http://avolebukoneh.website/glik/.lwe.bmp08899

unknown

https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js

unknown

http://www.twitter.com/

unknown

https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway

unknown

https://cdn.cookielaw.org/vendorlist/googleData.json

unknown

https://clkde.tradedoubler.com/click?p=195119&a=3064090&g=25021476

unknown

https://outlook.com/

unknown

https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"

unknown

https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2

unknown

https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json

unknown

https://cdn.cookielaw.org/vendorlist/iabData.json

unknown

https://onedrive.live.com/?qt=mru;Aktuelle

unknown

https://www.msn.com/de-ch/?ocid=iehp

unknown

https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav

unknown

https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t

unknown

https://doceree.com/.well-known/deviceStorage.json

unknown

http://www.nytimes.com/

unknown

https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a

unknown

https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o

unknown

https://www.bidstack.com/privacy-policy/

unknown

https://onedrive.live.com/about/en/download/

unknown

https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck

unknown

https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d

unknown

https://twitter.com/

unknown

http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA

unknown

https://www.stroeer.de/ssp-datenschutz

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

contextual.media.net

2.18.160.23

avolebukoneh.website

37.120.206.119

dart.l.doubleclick.net

216.58.215.230

hblg.media.net

2.18.160.23

lg3.media.net

2.18.160.23

technoshoper.com

45.9.20.245

btloader.com

172.67.70.134

ad-delivery.net

172.67.69.19

assets.msn.com

unknown

web.vortex.data.msn.com

unknown

www.msn.com

unknown

ad.doubleclick.net

unknown

cvision.media.net

unknown

There are 3 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

172.67.69.19

ad-delivery.net

United States

Details

IP:	172.67.69.19
TargetID:	7
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	ad-delivery.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

45.9.20.245

technoshoper.com

Russian Federation

Details

IP:	45.9.20.245
TargetID:	2
Current Path:	C:\Windows\SysWOW64\regsvr32.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	35913
ASN name:	DEDIPATH-LLCUS
Private:	false
Domain:	technoshoper.com

216.58.215.230

dart.l.doubleclick.net

United States

Details

IP:	216.58.215.230
TargetID:	7
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	dart.l.doubleclick.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.70.134

btloader.com

United States

Details

IP:	172.67.70.134
TargetID:	7
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	btloader.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive

{EBFDF002-4B97-11EC-90EB-ECF4BBEA1588}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore

Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore

Time

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore

Blocked

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore

Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore

Time

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore

LoadTimeArray

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore

Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore

Time

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore

LoadTimeArray

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation

CVListPingLastYMD

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation

CVListPingBitmap

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation

CVListPingRandomizedBitmap

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion

NextUpdateDate

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage

DecayDateQueue

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage

LastProcessed

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage

DecayDateQueue

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage

LastProcessed

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com

NULL

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\msn.com

Total

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\msn.com

NumberOfSubdomains