Analysis Overview
SHA256
3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e
Threat Level: Likely malicious
The file 8fb91d1fca02d34d04ded38a1154c8d4 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Checks computer location settings
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: LoadsDriver
Modifies registry class
Modifies data under HKEY_USERS
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 17:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 17:18
Reported
2024-02-04 17:21
Platform
win7-20231129-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\acpidisk.sys | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\acpidisk.sys | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\my_70010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dodolook184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bind_50195.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad2502.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\mscpx32r.det | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\mscpx32r.det | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe | C:\Users\Admin\AppData\Local\Temp\ad2502.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\CPUSH\cpush.dll | C:\Users\Admin\AppData\Local\Temp\ad2502.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\s8\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
| File created | \??\c:\windows\system\s8\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58} | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\aa-1f-df-43-f7-d9 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecisionTime = 40501c3c8e57da01 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0049000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadNetworkName = "Network 3" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionTime = 40501c3c8e57da01 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecision = "0" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionReason = "1" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecisionReason = "1" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecision = "0" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "CAdLogic Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "NewAdPopup.PopupBlock.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "NewAdPopup.PopupBlock" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID\ = "NewMediasActive.RELogic.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID\ = "NewMediasActive.RELogic" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer\ = "NewMediasActive.RELogic.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CurVer\ = "NewAdPopup.PopupBlock.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe
"C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"
C:\Users\Admin\AppData\Local\Temp\name8.exe
"C:\Users\Admin\AppData\Local\Temp\name8.exe"
C:\Users\Admin\AppData\Local\Temp\855.exe
"C:\Users\Admin\AppData\Local\Temp\855.exe" 7184
C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe
"C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start S27338
\??\c:\windows\system\s8\iexplorer.exe
c:\windows\system\s8\iexplorer.exe
C:\Windows\SysWOW64\net.exe
net start S27338
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
\??\c:\windows\system\s8\iexplorer.exe
c:\windows\system\s8\iexplorer.exe /install /SILENT a01
C:\Users\Admin\AppData\Local\Temp\ad2502.exe
"C:\Users\Admin\AppData\Local\Temp\ad2502.exe"
C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
"C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"
C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
"C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"
C:\Users\Admin\AppData\Local\Temp\my_70010.exe
"C:\Users\Admin\AppData\Local\Temp\my_70010.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | install3.ring520.org | udp |
| US | 8.8.8.8:53 | setup3.tqzn.com | udp |
| US | 8.8.8.8:53 | install4.ring520.org | udp |
| US | 8.8.8.8:53 | install1.ring520.org | udp |
| US | 8.8.8.8:53 | install2.ring520.org | udp |
| SG | 170.33.13.246:80 | setup3.tqzn.com | tcp |
| US | 8.8.8.8:53 | setup2.tqzn.com | udp |
| SG | 170.33.13.246:80 | setup2.tqzn.com | tcp |
| US | 8.8.8.8:53 | setup1.tqzn.com | udp |
| SG | 170.33.13.246:80 | setup1.tqzn.com | tcp |
| US | 8.8.8.8:53 | setup4.tqzn.com | udp |
| SG | 170.33.13.246:80 | setup4.tqzn.com | tcp |
| US | 8.8.8.8:53 | www.tel159.com | udp |
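The signature, process and network tables above describe one installer chain: a silent `regsvr32 /s` registration of `cpush.dll` from `Common Files` that creates the BHO key for CLSID `{11F09AFD-75AD-4E51-AB43-E09E9351CE16}`, a `.sys` file written into `SysWOW64\drivers` by an executable running out of `%TEMP%`, `net start` of an oddly named service from that same installer, a lookalike `iexplorer.exe` launched from `C:\Windows\system\s8\`, and DNS/HTTP traffic to numbered `install*.ring520.org` / `setup*.tqzn.com` hosts at 170.33.13.246. The following script is an added example, not part of the sandbox report and not code from the vendor; it turns those observations into detection rules and runs them over constructed sample telemetry. The flat event schema (`type`, `image`, `cmdline`, `parent`, `path`, `key`, `query`, `dst_ip`) is an assumption made for the example; map it onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Detection rules derived from this report, applied to constructed sample events.

The event dict schema used here is an assumption for the example, not a real
product's format. Indicator values are copied from the report's tables."""
import re

# Indicators taken verbatim from the report's signature, process and network tables.
BHO_CLSID = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"
C2_DOMAIN_RE = re.compile(r"^(install|setup)\d+\.(ring520\.org|tqzn\.com)$", re.I)
C2_IPS = {"170.33.13.246"}

# Generic patterns behind the report's behavioural signatures.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DRIVERS_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\drivers\\[^\\]+\.sys$", re.I)
WINDOWS_DIR_RE = re.compile(r"^C:\\Windows\\", re.I)
# C:\Windows\system (no "32") is a legacy directory; executables launching from
# a subdirectory of it, as iexplorer.exe does here, are unusual on modern hosts.
LEGACY_SYSTEM_RE = re.compile(r"^C:\\Windows\\system\\", re.I)
BHO_KEY_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})", re.I)
DLL_ARG_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


def check_event(ev):
    """Return the list of rule names that fire for a single event."""
    hits = []
    t = ev["type"]
    if t == "process":
        image = ev["image"]
        cmd = ev.get("cmdline", "")
        parent = ev.get("parent", "")
        base = image.rsplit("\\", 1)[-1].lower()
        # regsvr32 /s registering a DLL that does not live under C:\Windows
        if base == "regsvr32.exe" and "/s" in cmd.lower().split():
            m = DLL_ARG_RE.search(cmd)
            dll = (m.group(1) or m.group(2)) if m else ""
            if dll and not WINDOWS_DIR_RE.match(dll):
                hits.append("regsvr32_silent_nonwindows_dll")
        # net start <service> spawned by an executable running from %TEMP%
        if base in ("net.exe", "net1.exe") and re.search(r"\bstart\b", cmd, re.I) \
                and TEMP_RE.search(parent):
            hits.append("net_start_from_temp_installer")
        if LEGACY_SYSTEM_RE.match(image):
            hits.append("exe_in_legacy_windows_system_dir")
    elif t == "file":
        # a .sys written into the drivers directory by a %TEMP% executable
        if ev["op"] in ("create", "modify") and DRIVERS_RE.search(ev["path"]) \
                and TEMP_RE.search(ev["process"]):
            hits.append("driver_dropped_by_temp_exe")
    elif t == "registry":
        m = BHO_KEY_RE.search(ev["key"])
        if m:
            hits.append("bho_registered")
            if m.group(1).upper() == BHO_CLSID:
                hits.append("bho_known_clsid")
    elif t == "dns":
        if C2_DOMAIN_RE.match(ev["query"]):
            hits.append("known_installer_domain")
    elif t == "connect":
        if ev["dst_ip"] in C2_IPS:
            hits.append("known_installer_ip")
    return hits


def scan(events):
    """Map each rule name to the list of events that triggered it."""
    out = {}
    for ev in events:
        for rule in check_event(ev):
            out.setdefault(rule, []).append(ev)
    return out


# Constructed sample telemetry modelled on the report's tables (not sandbox output).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\ad2502.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net start S27338",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\855.exe"},
    {"type": "process", "image": r"c:\windows\system\s8\iexplorer.exe",
     "cmdline": r"c:\windows\system\s8\iexplorer.exe /install /SILENT a01",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\name8.exe"},
    {"type": "file", "op": "create", "path": r"C:\Windows\SysWOW64\drivers\acpidisk.sys",
     "process": r"C:\Users\Admin\AppData\Local\Temp\855.exe"},
    {"type": "registry", "op": "create",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}",
     "process": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"type": "dns", "query": "setup3.tqzn.com", "process": r"C:\Users\Admin\AppData\Local\Temp\855.exe"},
    {"type": "connect", "dst_ip": "170.33.13.246", "dst_port": 80,
     "process": r"C:\Users\Admin\AppData\Local\Temp\855.exe"},
    # Benign controls: none of these should fire.
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "file", "op": "create", "path": r"C:\Users\Admin\AppData\Local\Temp\nso649.tmp\System.dll",
     "process": r"C:\Users\Admin\AppData\Local\Temp\name8.exe"},
    {"type": "dns", "query": "www.microsoft.com", "process": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for rule, evs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {len(evs)} event(s)")
```

The domain and IP rules are brittle by design (the operator can rotate them at will); the behavioural rules are the ones worth keeping. The `regsvr32 /s` rule deliberately tolerates DLLs under `C:\Windows`, since legitimate installers re-register system components that way, and the driver rule keys on the writing process's path rather than the file name, because `acpidisk.sys` is arbitrary and a legitimate driver installer never runs from `%TEMP%` without an accompanying signed package.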
Files
memory/2364-1-0x0000000000400000-0x000000000049CE33-memory.dmp
C:\Users\Admin\AppData\Local\Temp\name8.exe
| MD5 | e917342a2678f0a95111943847db055b |
| SHA1 | feffe90673830c4abe83d90c4aef40b380a59d27 |
| SHA256 | dd84551ef3d6b430ad8296654c6accfbcb596100912e613090fd9c193ba68991 |
| SHA512 | eff51563de5a6afdcf12a9a2f5b244fac6cb58b7a31eca62584c85d937b8664ba423543f18ac1cdcf3faa56aacac14ed560235e8a5d33a9030efec500e6c1d02 |
\Users\Admin\AppData\Local\Temp\my_70010.exe
| MD5 | c084449b7d156a460fa7c577dd16b34a |
| SHA1 | 29162f945f3b5c9417d39df33946a3af0ae15841 |
| SHA256 | aadc5c2a41d2fefbbdb2489ec86241baceb2dfd03692543c1bf7bd249e619495 |
| SHA512 | f0e5099fd1e919ca087aca9f74ac3ca14d972f22f06b413c2fc619e75af1741b7f54484b49c8f8e2bea34ca406f6f819cf6326ef3cec9e92b28124a7e4694439 |
\Users\Admin\AppData\Local\Temp\nst57E.tmp\Banner.dll
| MD5 | d605203f4d6d404030b0bb8d9af5c513 |
| SHA1 | 52fb568bef638bafe602b9605c892d61dbe0f5bf |
| SHA256 | c4b76f503427b3f1b1de08c7ec56df4857ef5362acc9565fee714025b1c41a0d |
| SHA512 | e9e5eb4e7fdc75a3dd411c54bd73a9052b05cce95230882a05c39d28303c3c567a0a0c21e3aa4abb1cc82fbb012f4409fccade793eef40e6760dc3fa7bace18b |
C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
| MD5 | c7c862bc46cde331b5d3da6c5d90d161 |
| SHA1 | c4cec33f42901c21458c5d8e24c0caa62e15ccd4 |
| SHA256 | 95abd0e445cde613054ada9477efd1d56e3e89001773c9461285df6f87a57597 |
| SHA512 | ce7ab4cc12c7ab73ecdce6b43f64471b02aa235c6b64c8c076bcaf742137b96cc8e48102bd0bfa7dcdb7fa2ce9a33b9a132782a38d700a477cc5728a57a6ce62 |
\Users\Admin\AppData\Local\Temp\bind_50195.exe
| MD5 | 105ff1132ecd30e09be232a581f9992e |
| SHA1 | e3dc64b7b7363002708446624a22f89907de96ff |
| SHA256 | 97ca8dfd7d16c6b6f175ed5aa918a0ee0c96c25aef761432449c5ecb30bdc7fc |
| SHA512 | 3f872f80d1bc8bf80d744d596baeafc32c039ed2376730aea2a68d4e2146ebe691fcab853fcb15e82273191a404aa87d11f1f695e0281dfca617149bf2aee460 |
\Users\Admin\AppData\Local\Temp\ad2502.exe
| MD5 | 8548d060200ed09c9e40b03161756ec5 |
| SHA1 | 46253bcd0a534d6eabaf7c0c7a5c68e69f3463dc |
| SHA256 | f4efebf4b2eadf003e6fd2566da7cda057787ed960ec1d5e8c10487bc7b58288 |
| SHA512 | 961839f8febb5c2868031876f39a81eb828f036fe317abbe2efa8de946ae4798a3a749c79868b834a8fb28b591e54f6b29ab2d046e38048ef361a9be2e51e26a |
C:\Users\Admin\AppData\Local\Temp\855.exe
| MD5 | 480b312817f238ab6f4c2dc1c4f78b41 |
| SHA1 | 5a50e8d0564cc9b5bc656e223c2ab0a8ab759721 |
| SHA256 | 6954055fe56fab247ce8a969fa5679207ba4f37bdfaa052bed8cf4b72da6a2e8 |
| SHA512 | 39a91f807ce3f09306f73acf1a60baa6f23e82449e91547f36dcde45fa053c11825635e1fe1f898d743511bb475cb72f43b4e74294863f22ccbc354ba5abee1b |
C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe
| MD5 | 5cda9ea3c2af4482df5603c8ddd7d0c2 |
| SHA1 | 85da8541457e8eea22133937804849d43b4d4519 |
| SHA256 | e39af3c031e9fb92ba74b44a4302751fb73b6652f252998941c784f3f6a0efbb |
| SHA512 | 7f93794067113b972be1b23479af3c1897c432f7397ed06b7780f1fa605ec954de2e3bea8c49033896eb2e839aec57622626c671098189582e22775bf1a6bb99 |
\Users\Admin\AppData\Local\Temp\nso649.tmp\InstallOptions.dll
| MD5 | 08c82a46416a5e2b471d457968f53816 |
| SHA1 | 3e3897c20b9e89b279b4764a633f67955bf8f09a |
| SHA256 | 435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9 |
| SHA512 | 91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d |
memory/1632-260-0x0000000000300000-0x0000000000317000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso649.tmp\ioSpecial.ini
| MD5 | 052546ada8843941715fa25f82c48751 |
| SHA1 | f43e9a1e4600cfd27b269bcac311822abd909c97 |
| SHA256 | 9fc283ac999c3f3511724a391336cedd11d237037e9c9496aea5a748652f9c36 |
| SHA512 | f1b84ad8b3b33df1d2c5c470b6630aa6ed26fba07c175683b4102b7263ab3298d54538910785e24764ac6e6e143e2d8a55e1423cb35d9cc7a35d6473b5758383 |
\Users\Admin\AppData\Local\Temp\nso649.tmp\System.dll
| MD5 | 61151aff8c92ca17b3fab51ce1ca7156 |
| SHA1 | 68a02015863c2877a20c27da45704028dbaa7eff |
| SHA256 | af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d |
| SHA512 | 4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e |
memory/1072-274-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1652-273-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2364-142-0x0000000000400000-0x000000000049CE33-memory.dmp
C:\Windows\system\s8\iexplorer.exe
| MD5 | f0e35c6aa09eb617edd74d6c3d261cc7 |
| SHA1 | 3ddc8a75ef279de85af3456c0998ce1098c3a66b |
| SHA256 | f43935b8e17b6c0034b1d296868941c16dd27baba5752fb3bc1dfa1de29b2fd2 |
| SHA512 | 020256586266bc9d4286515d53c37edce0f4bf80701b68dc3367fb3b155f3a6122b90e5e14c24866720d295c4094fa4c2fe3c8480a3bfc89e5be27caf2cd86ca |
memory/1072-283-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1072-285-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 17:18
Reported
2024-02-04 17:21
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\acpidisk.sys | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\acpidisk.sys | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\my_70010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dodolook184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bind_50195.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad2502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dodolook184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dodolook184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserrordiagoff[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscpx32r.det | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| File created | C:\Windows\SysWOW64\mscpx32r.det | C:\Users\Admin\AppData\Local\Temp\855.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserrordiagoff[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe | C:\Users\Admin\AppData\Local\Temp\ad2502.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\CPUSH\cpush.dll | C:\Users\Admin\AppData\Local\Temp\ad2502.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\s8\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
| File created | \??\c:\windows\system\s8\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\name8.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\ = "CAdLogic Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\ = "CPopupBlock Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID\ = "NewAdPopup.ToolbarDetector.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID\ = "NewMediasActive.RELogic" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID\ = "NewAdPopup.ToolbarDetector" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer\ = "NewMediasActive.RELogic.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CurVer\ = "NewAdPopup.PopupBlock.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID\ = "NewMediasActive.RELogic.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\s8\iexplorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe
"C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"
C:\Users\Admin\AppData\Local\Temp\name8.exe
"C:\Users\Admin\AppData\Local\Temp\name8.exe"
C:\Users\Admin\AppData\Local\Temp\my_70010.exe
"C:\Users\Admin\AppData\Local\Temp\my_70010.exe"
C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
"C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"
C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
"C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"
C:\Users\Admin\AppData\Local\Temp\855.exe
"C:\Users\Admin\AppData\Local\Temp\855.exe" 7184
C:\Users\Admin\AppData\Local\Temp\ad2502.exe
"C:\Users\Admin\AppData\Local\Temp\ad2502.exe"
\??\c:\windows\system\s8\iexplorer.exe
c:\windows\system\s8\iexplorer.exe /install /SILENT a01
C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe
"C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"
C:\Windows\SysWOW64\net.exe
net start S27338
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start S27338
\??\c:\windows\system\s8\iexplorer.exe
c:\windows\system\s8\iexplorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | setup3.tqzn.com | udp |
| US | 8.8.8.8:53 | install3.ring520.org | udp |
| US | 8.8.8.8:53 | install4.ring520.org | udp |
| US | 8.8.8.8:53 | install1.ring520.org | udp |
| US | 8.8.8.8:53 | install2.ring520.org | udp |
| SG | 170.33.13.246:80 | setup3.tqzn.com | tcp |
| US | 8.8.8.8:53 | setup2.tqzn.com | udp |
| US | 8.8.8.8:53 | 246.13.33.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| SG | 170.33.13.246:80 | setup2.tqzn.com | tcp |
| US | 8.8.8.8:53 | setup4.tqzn.com | udp |
| SG | 170.33.13.246:80 | setup4.tqzn.com | tcp |
| US | 8.8.8.8:53 | www.tel159.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | setup1.tqzn.com | udp |
| SG | 170.33.13.246:80 | setup1.tqzn.com | tcp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\name8.exe
C:\Users\Admin\AppData\Local\Temp\my_70010.exe
C:\Users\Admin\AppData\Local\Temp\nsd829E.tmp\Banner.dll
C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
C:\Users\Admin\AppData\Local\Temp\nse833B.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\855.exe
C:\Users\Admin\AppData\Local\Temp\ad2502.exe
C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe
\??\c:\windows\system\s8\iexplorer.exe
C:\Users\Admin\AppData\Local\Temp\acpidisk.sys
C:\Users\Admin\AppData\Local\Temp\DoSSSetup.dll
C:\Program Files (x86)\Common Files\CPUSH\cpush.dll
C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\ioSpecial.ini