Malware Analysis Report

2025-08-05 16:42

Sample ID: 240204-vvnnmafaa7
Target: 8fb91d1fca02d34d04ded38a1154c8d4
SHA256: 3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e
Tags: adware aspackv2 discovery stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 3cbe5ed6225c0dd82b0c85fbff2821b4957b950e3e492067d3954d570c11a27e

Threat Level: Likely malicious

The file 8fb91d1fca02d34d04ded38a1154c8d4 was found to be: Likely malicious.

Malicious Activity Summary

adware aspackv2 discovery stealer

Drops file in Drivers directory

Checks computer location settings

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: LoadsDriver

Modifies registry class

Modifies data under HKEY_USERS

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-04 17:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-04 17:18

Reported: 2024-02-04 17:21

Platform: win7-20231129-en

Max time kernel: 141s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\acpidisk.sys C:\Users\Admin\AppData\Local\Temp\855.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\acpidisk.sys C:\Users\Admin\AppData\Local\Temp\855.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\855.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\855.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\855.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\855.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\855.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\855.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mscpx32r.det C:\Users\Admin\AppData\Local\Temp\855.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\mscpx32r.det C:\Users\Admin\AppData\Local\Temp\855.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1] \??\c:\windows\system\s8\iexplorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A
File created C:\Program Files (x86)\Common Files\CPUSH\cpush.dll C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\s8\iexplorer.exe C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
File created \??\c:\windows\system\s8\iexplorer.exe C:\Users\Admin\AppData\Local\Temp\name8.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main \??\c:\windows\system\s8\iexplorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58} \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\aa-1f-df-43-f7-d9 \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecisionTime = 40501c3c8e57da01 \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0049000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadNetworkName = "Network 3" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionTime = 40501c3c8e57da01 \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecision = "0" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionReason = "1" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F8B593D4-AC9C-4869-B34E-CD72B9B36F58}\WpadDecisionReason = "1" \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9 \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecision = "0" \??\c:\windows\system\s8\iexplorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "CAdLogic Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "NewAdPopup.PopupBlock.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "NewAdPopup.PopupBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID\ = "NewMediasActive.RELogic.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID\ = "NewMediasActive.RELogic" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer\ = "NewMediasActive.RELogic.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\ = "CToolbarDetector Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CurVer\ = "NewAdPopup.PopupBlock.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2364 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\my_70010.exe
PID 2364 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\my_70010.exe
PID 2364 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\my_70010.exe
PID 2364 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\my_70010.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2364 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
PID 2364 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
PID 2364 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
PID 2364 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2364 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 1964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2608 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2364 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe
PID 2812 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ad2502.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1652 wrote to memory of 2144 N/A \??\c:\windows\system\s8\iexplorer.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe

"C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"

C:\Users\Admin\AppData\Local\Temp\name8.exe

"C:\Users\Admin\AppData\Local\Temp\name8.exe"

C:\Users\Admin\AppData\Local\Temp\855.exe

"C:\Users\Admin\AppData\Local\Temp\855.exe" 7184

C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe

"C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start S27338

\??\c:\windows\system\s8\iexplorer.exe

c:\windows\system\s8\iexplorer.exe

C:\Windows\SysWOW64\net.exe

net start S27338

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"

\??\c:\windows\system\s8\iexplorer.exe

c:\windows\system\s8\iexplorer.exe /install /SILENT a01

C:\Users\Admin\AppData\Local\Temp\ad2502.exe

"C:\Users\Admin\AppData\Local\Temp\ad2502.exe"

C:\Users\Admin\AppData\Local\Temp\bind_50195.exe

"C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

"C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"

C:\Users\Admin\AppData\Local\Temp\my_70010.exe

"C:\Users\Admin\AppData\Local\Temp\my_70010.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 install3.ring520.org udp
US 8.8.8.8:53 setup3.tqzn.com udp
US 8.8.8.8:53 install4.ring520.org udp
US 8.8.8.8:53 install1.ring520.org udp
US 8.8.8.8:53 install2.ring520.org udp
SG 170.33.13.246:80 setup3.tqzn.com tcp
US 8.8.8.8:53 setup2.tqzn.com udp
SG 170.33.13.246:80 setup2.tqzn.com tcp
US 8.8.8.8:53 setup1.tqzn.com udp
SG 170.33.13.246:80 setup1.tqzn.com tcp
US 8.8.8.8:53 setup4.tqzn.com udp
SG 170.33.13.246:80 setup4.tqzn.com tcp
US 8.8.8.8:53 www.tel159.com udp

Files

memory/2364-1-0x0000000000400000-0x000000000049CE33-memory.dmp

C:\Users\Admin\AppData\Local\Temp\name8.exe

MD5 e917342a2678f0a95111943847db055b
SHA1 feffe90673830c4abe83d90c4aef40b380a59d27
SHA256 dd84551ef3d6b430ad8296654c6accfbcb596100912e613090fd9c193ba68991
SHA512 eff51563de5a6afdcf12a9a2f5b244fac6cb58b7a31eca62584c85d937b8664ba423543f18ac1cdcf3faa56aacac14ed560235e8a5d33a9030efec500e6c1d02

\Users\Admin\AppData\Local\Temp\my_70010.exe

MD5 c084449b7d156a460fa7c577dd16b34a
SHA1 29162f945f3b5c9417d39df33946a3af0ae15841
SHA256 aadc5c2a41d2fefbbdb2489ec86241baceb2dfd03692543c1bf7bd249e619495
SHA512 f0e5099fd1e919ca087aca9f74ac3ca14d972f22f06b413c2fc619e75af1741b7f54484b49c8f8e2bea34ca406f6f819cf6326ef3cec9e92b28124a7e4694439

\Users\Admin\AppData\Local\Temp\nst57E.tmp\Banner.dll

MD5 d605203f4d6d404030b0bb8d9af5c513
SHA1 52fb568bef638bafe602b9605c892d61dbe0f5bf
SHA256 c4b76f503427b3f1b1de08c7ec56df4857ef5362acc9565fee714025b1c41a0d
SHA512 e9e5eb4e7fdc75a3dd411c54bd73a9052b05cce95230882a05c39d28303c3c567a0a0c21e3aa4abb1cc82fbb012f4409fccade793eef40e6760dc3fa7bace18b

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

MD5 c7c862bc46cde331b5d3da6c5d90d161
SHA1 c4cec33f42901c21458c5d8e24c0caa62e15ccd4
SHA256 95abd0e445cde613054ada9477efd1d56e3e89001773c9461285df6f87a57597
SHA512 ce7ab4cc12c7ab73ecdce6b43f64471b02aa235c6b64c8c076bcaf742137b96cc8e48102bd0bfa7dcdb7fa2ce9a33b9a132782a38d700a477cc5728a57a6ce62

\Users\Admin\AppData\Local\Temp\bind_50195.exe

MD5 105ff1132ecd30e09be232a581f9992e
SHA1 e3dc64b7b7363002708446624a22f89907de96ff
SHA256 97ca8dfd7d16c6b6f175ed5aa918a0ee0c96c25aef761432449c5ecb30bdc7fc
SHA512 3f872f80d1bc8bf80d744d596baeafc32c039ed2376730aea2a68d4e2146ebe691fcab853fcb15e82273191a404aa87d11f1f695e0281dfca617149bf2aee460

\Users\Admin\AppData\Local\Temp\ad2502.exe

MD5 8548d060200ed09c9e40b03161756ec5
SHA1 46253bcd0a534d6eabaf7c0c7a5c68e69f3463dc
SHA256 f4efebf4b2eadf003e6fd2566da7cda057787ed960ec1d5e8c10487bc7b58288
SHA512 961839f8febb5c2868031876f39a81eb828f036fe317abbe2efa8de946ae4798a3a749c79868b834a8fb28b591e54f6b29ab2d046e38048ef361a9be2e51e26a

C:\Users\Admin\AppData\Local\Temp\855.exe

MD5 480b312817f238ab6f4c2dc1c4f78b41
SHA1 5a50e8d0564cc9b5bc656e223c2ab0a8ab759721
SHA256 6954055fe56fab247ce8a969fa5679207ba4f37bdfaa052bed8cf4b72da6a2e8
SHA512 39a91f807ce3f09306f73acf1a60baa6f23e82449e91547f36dcde45fa053c11825635e1fe1f898d743511bb475cb72f43b4e74294863f22ccbc354ba5abee1b

C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe

MD5 5cda9ea3c2af4482df5603c8ddd7d0c2
SHA1 85da8541457e8eea22133937804849d43b4d4519
SHA256 e39af3c031e9fb92ba74b44a4302751fb73b6652f252998941c784f3f6a0efbb
SHA512 7f93794067113b972be1b23479af3c1897c432f7397ed06b7780f1fa605ec954de2e3bea8c49033896eb2e839aec57622626c671098189582e22775bf1a6bb99

\Users\Admin\AppData\Local\Temp\nso649.tmp\InstallOptions.dll

MD5 08c82a46416a5e2b471d457968f53816
SHA1 3e3897c20b9e89b279b4764a633f67955bf8f09a
SHA256 435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9
SHA512 91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

memory/1632-260-0x0000000000300000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso649.tmp\ioSpecial.ini

MD5 052546ada8843941715fa25f82c48751
SHA1 f43e9a1e4600cfd27b269bcac311822abd909c97
SHA256 9fc283ac999c3f3511724a391336cedd11d237037e9c9496aea5a748652f9c36
SHA512 f1b84ad8b3b33df1d2c5c470b6630aa6ed26fba07c175683b4102b7263ab3298d54538910785e24764ac6e6e143e2d8a55e1423cb35d9cc7a35d6473b5758383

\Users\Admin\AppData\Local\Temp\nso649.tmp\System.dll

MD5 61151aff8c92ca17b3fab51ce1ca7156
SHA1 68a02015863c2877a20c27da45704028dbaa7eff
SHA256 af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d
SHA512 4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

memory/1072-274-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1652-273-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2364-142-0x0000000000400000-0x000000000049CE33-memory.dmp

C:\Windows\system\s8\iexplorer.exe

MD5 f0e35c6aa09eb617edd74d6c3d261cc7
SHA1 3ddc8a75ef279de85af3456c0998ce1098c3a66b
SHA256 f43935b8e17b6c0034b1d296868941c16dd27baba5752fb3bc1dfa1de29b2fd2
SHA512 020256586266bc9d4286515d53c37edce0f4bf80701b68dc3367fb3b155f3a6122b90e5e14c24866720d295c4094fa4c2fe3c8480a3bfc89e5be27caf2cd86ca

memory/1072-283-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1072-285-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 17:18

Reported

2024-02-04 17:21

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\acpidisk.sys C:\Users\Admin\AppData\Local\Temp\855.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\acpidisk.sys C:\Users\Admin\AppData\Local\Temp\855.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserrordiagoff[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscpx32r.det C:\Users\Admin\AppData\Local\Temp\855.exe N/A
File created C:\Windows\SysWOW64\mscpx32r.det C:\Users\Admin\AppData\Local\Temp\855.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserrordiagoff[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] \??\c:\windows\system\s8\iexplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] \??\c:\windows\system\s8\iexplorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\CPUSH\Uninst.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A
File created C:\Program Files (x86)\Common Files\CPUSH\cpush.dll C:\Users\Admin\AppData\Local\Temp\ad2502.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\s8\iexplorer.exe C:\Users\Admin\AppData\Local\Temp\name8.exe N/A
File created \??\c:\windows\system\s8\iexplorer.exe C:\Users\Admin\AppData\Local\Temp\name8.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" \??\c:\windows\system\s8\iexplorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" \??\c:\windows\system\s8\iexplorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix \??\c:\windows\system\s8\iexplorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\ = "CAdLogic Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\ = "CPopupBlock Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID\ = "NewAdPopup.ToolbarDetector.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID\ = "NewMediasActive.RELogic" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\ = "CToolbarDetector Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID\ = "NewAdPopup.ToolbarDetector" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\CPUSH\\cpush.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer\ = "NewMediasActive.RELogic.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock\CurVer\ = "NewAdPopup.PopupBlock.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID\ = "NewMediasActive.RELogic.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.PopupBlock.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NewMediasActive.RELogic\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A} C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A
N/A N/A \??\c:\windows\system\s8\iexplorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\name8.exe
PID 2420 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\my_70010.exe
PID 2420 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\dodolook184.exe
PID 2420 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\bind_50195.exe
PID 3740 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\dodolook184.exe C:\Users\Admin\AppData\Local\Temp\855.exe
PID 2420 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\ad2502.exe
PID 2420 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe
PID 4728 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\name8.exe \??\c:\windows\system\s8\iexplorer.exe
PID 4956 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\ad2502.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 4556 N/A \??\c:\windows\system\s8\iexplorer.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 3444 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe

"C:\Users\Admin\AppData\Local\Temp\8fb91d1fca02d34d04ded38a1154c8d4.exe"

C:\Users\Admin\AppData\Local\Temp\name8.exe

"C:\Users\Admin\AppData\Local\Temp\name8.exe"

C:\Users\Admin\AppData\Local\Temp\my_70010.exe

"C:\Users\Admin\AppData\Local\Temp\my_70010.exe"

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

"C:\Users\Admin\AppData\Local\Temp\dodolook184.exe"

C:\Users\Admin\AppData\Local\Temp\bind_50195.exe

"C:\Users\Admin\AppData\Local\Temp\bind_50195.exe"

C:\Users\Admin\AppData\Local\Temp\855.exe

"C:\Users\Admin\AppData\Local\Temp\855.exe" 7184

C:\Users\Admin\AppData\Local\Temp\ad2502.exe

"C:\Users\Admin\AppData\Local\Temp\ad2502.exe"

\??\c:\windows\system\s8\iexplorer.exe

c:\windows\system\s8\iexplorer.exe /install /SILENT a01

C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe

"C:\Users\Admin\AppData\Local\Temp\51地图Setup64.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\CPUSH\cpush.dll"

C:\Windows\SysWOW64\net.exe

net start S27338

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start S27338

\??\c:\windows\system\s8\iexplorer.exe

c:\windows\system\s8\iexplorer.exe

Network

Country  Destination        Domain                        Proto
US       138.91.171.81:80   -                             tcp
US       8.8.8.8:53         232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53         202.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         setup3.tqzn.com               udp
US       8.8.8.8:53         install3.ring520.org          udp
US       8.8.8.8:53         install4.ring520.org          udp
US       8.8.8.8:53         install1.ring520.org          udp
US       8.8.8.8:53         install2.ring520.org          udp
SG       170.33.13.246:80   setup3.tqzn.com               tcp
US       8.8.8.8:53         setup2.tqzn.com               udp
US       8.8.8.8:53         246.13.33.170.in-addr.arpa    udp
US       8.8.8.8:53         0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa   udp
SG       170.33.13.246:80   setup2.tqzn.com               tcp
US       8.8.8.8:53         setup4.tqzn.com               udp
SG       170.33.13.246:80   setup4.tqzn.com               tcp
US       8.8.8.8:53         www.tel159.com                udp
US       8.8.8.8:53         133.211.185.52.in-addr.arpa   udp
US       8.8.8.8:53         setup1.tqzn.com               udp
SG       170.33.13.246:80   setup1.tqzn.com               tcp
US       8.8.8.8:53         16.234.44.23.in-addr.arpa     udp
US       8.8.8.8:53         79.121.231.20.in-addr.arpa    udp
US       8.8.8.8:53         183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53         26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53         171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53         18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53         204.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         21.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53         201.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         169.117.168.52.in-addr.arpa   udp

(Domain "-": no name was associated with the flow. 8.8.8.8:53 is the analysis VM's resolver; *.in-addr.arpa rows are reverse (PTR) lookups, not contact with attacker infrastructure.)
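Read as a whole, the table says more than any single row: the four setup1..4.tqzn.com names all lead to TCP connections to 170.33.13.246:80 (SG), the install1..4.ring520.org and www.tel159.com names are queried but no connection to them appears, 138.91.171.81:80 is contacted without an associated name, and the in-addr.arpa rows are reverse lookups whose only content is an IP in reversed label order. The following Python is an added example (my code, not the sandbox's) that parses rows in this layout and separates those categories so the output can go straight into a blocklist or hunt; the rows are an excerpt copied from the table above, and the category names are my own.

```python
import re
from collections import defaultdict

# Rows excerpted from this report's behavioral1 Network table (copied from the
# page, not constructed). Columns: Country Destination Domain Proto; Domain is
# absent when the sandbox saw no name for the flow.
NETWORK_ROWS = """\
US 138.91.171.81:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 setup3.tqzn.com udp
US 8.8.8.8:53 install3.ring520.org udp
US 8.8.8.8:53 install1.ring520.org udp
SG 170.33.13.246:80 setup3.tqzn.com tcp
US 8.8.8.8:53 setup2.tqzn.com udp
SG 170.33.13.246:80 setup2.tqzn.com tcp
US 8.8.8.8:53 www.tel159.com udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
SANDBOX_RESOLVER = ("8.8.8.8", 53)  # the analysis VM's DNS, not attacker infrastructure


def parse_network(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        row = m.groupdict()          # 'domain' is None when the column is absent
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def extract_iocs(rows):
    """Separate names worth blocking from resolver noise and reverse lookups."""
    domains, endpoints, ptr_targets = set(), set(), set()
    resolved = defaultdict(set)      # server IP -> names the sample reached it under
    for r in rows:
        dom = r["domain"]
        if dom and dom.endswith(".in-addr.arpa"):
            # PTR query: the labels are the looked-up IP's octets in reverse order.
            octets = dom[: -len(".in-addr.arpa")].split(".")
            ptr_targets.add(".".join(reversed(octets)))
            continue
        if (r["ip"], r["port"]) == SANDBOX_RESOLVER:
            if dom:
                domains.add(dom)     # a forward lookup the sample caused
            continue
        endpoints.add((r["ip"], r["port"], r["proto"]))
        if dom:
            domains.add(dom)
            resolved[r["ip"]].add(dom)
    contacted = set().union(*resolved.values()) if resolved else set()
    return {
        "domains": sorted(domains),
        "endpoints": sorted(endpoints),
        "resolved": {ip: sorted(v) for ip, v in resolved.items()},
        "lookup_only": sorted(domains - contacted),   # queried, never connected to here
        "ptr_targets": sorted(ptr_targets),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_network(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

Keeping lookup_only separate matters when turning a report into blocks: a name that was only resolved may be a dead or rotated stage host, while an endpoint that actually carried a TCP session is the stronger indicator.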

Files

memory/2420-0-0x0000000000400000-0x000000000049CE33-memory.dmp

C:\Users\Admin\AppData\Local\Temp\name8.exe

MD5 e917342a2678f0a95111943847db055b
SHA1 feffe90673830c4abe83d90c4aef40b380a59d27
SHA256 dd84551ef3d6b430ad8296654c6accfbcb596100912e613090fd9c193ba68991
SHA512 eff51563de5a6afdcf12a9a2f5b244fac6cb58b7a31eca62584c85d937b8664ba423543f18ac1cdcf3faa56aacac14ed560235e8a5d33a9030efec500e6c1d02

C:\Users\Admin\AppData\Local\Temp\my_70010.exe

MD5 c084449b7d156a460fa7c577dd16b34a
SHA1 29162f945f3b5c9417d39df33946a3af0ae15841
SHA256 aadc5c2a41d2fefbbdb2489ec86241baceb2dfd03692543c1bf7bd249e619495
SHA512 f0e5099fd1e919ca087aca9f74ac3ca14d972f22f06b413c2fc619e75af1741b7f54484b49c8f8e2bea34ca406f6f819cf6326ef3cec9e92b28124a7e4694439

C:\Users\Admin\AppData\Local\Temp\nsd829E.tmp\Banner.dll

MD5 d605203f4d6d404030b0bb8d9af5c513
SHA1 52fb568bef638bafe602b9605c892d61dbe0f5bf
SHA256 c4b76f503427b3f1b1de08c7ec56df4857ef5362acc9565fee714025b1c41a0d
SHA512 e9e5eb4e7fdc75a3dd411c54bd73a9052b05cce95230882a05c39d28303c3c567a0a0c21e3aa4abb1cc82fbb012f4409fccade793eef40e6760dc3fa7bace18b

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

MD5 c7c862bc46cde331b5d3da6c5d90d161
SHA1 c4cec33f42901c21458c5d8e24c0caa62e15ccd4
SHA256 95abd0e445cde613054ada9477efd1d56e3e89001773c9461285df6f87a57597
SHA512 ce7ab4cc12c7ab73ecdce6b43f64471b02aa235c6b64c8c076bcaf742137b96cc8e48102bd0bfa7dcdb7fa2ce9a33b9a132782a38d700a477cc5728a57a6ce62

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

MD5 5ef4d4eb8adc19903011639216dd26bf
SHA1 13bbd6df445edcedbe7deab9df13de3d6b7a601c
SHA256 3928d4dc9c7cff379fdddc121944ba1041cb55b02ee8acc44c85d8d54bbcae5b
SHA512 9b08835b18d87c7447ab7df17d6111389dab10899645bb02b496f7385119e585bdccc450c78b8a0a903d129821a62c62830af3a8fde95a84615b5383806d2c1a

C:\Users\Admin\AppData\Local\Temp\bind_50195.exe

MD5 105ff1132ecd30e09be232a581f9992e
SHA1 e3dc64b7b7363002708446624a22f89907de96ff
SHA256 97ca8dfd7d16c6b6f175ed5aa918a0ee0c96c25aef761432449c5ecb30bdc7fc
SHA512 3f872f80d1bc8bf80d744d596baeafc32c039ed2376730aea2a68d4e2146ebe691fcab853fcb15e82273191a404aa87d11f1f695e0281dfca617149bf2aee460

C:\Users\Admin\AppData\Local\Temp\nse833B.tmp\System.dll

MD5 61151aff8c92ca17b3fab51ce1ca7156
SHA1 68a02015863c2877a20c27da45704028dbaa7eff
SHA256 af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d
SHA512 4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

C:\Users\Admin\AppData\Local\Temp\855.exe

MD5 480b312817f238ab6f4c2dc1c4f78b41
SHA1 5a50e8d0564cc9b5bc656e223c2ab0a8ab759721
SHA256 6954055fe56fab247ce8a969fa5679207ba4f37bdfaa052bed8cf4b72da6a2e8
SHA512 39a91f807ce3f09306f73acf1a60baa6f23e82449e91547f36dcde45fa053c11825635e1fe1f898d743511bb475cb72f43b4e74294863f22ccbc354ba5abee1b

C:\Users\Admin\AppData\Local\Temp\ad2502.exe

MD5 8548d060200ed09c9e40b03161756ec5
SHA1 46253bcd0a534d6eabaf7c0c7a5c68e69f3463dc
SHA256 f4efebf4b2eadf003e6fd2566da7cda057787ed960ec1d5e8c10487bc7b58288
SHA512 961839f8febb5c2868031876f39a81eb828f036fe317abbe2efa8de946ae4798a3a749c79868b834a8fb28b591e54f6b29ab2d046e38048ef361a9be2e51e26a

C:\Users\Admin\AppData\Local\Temp\51µØÍ¼Setup64.exe

MD5 5cda9ea3c2af4482df5603c8ddd7d0c2
SHA1 85da8541457e8eea22133937804849d43b4d4519
SHA256 e39af3c031e9fb92ba74b44a4302751fb73b6652f252998941c784f3f6a0efbb
SHA512 7f93794067113b972be1b23479af3c1897c432f7397ed06b7780f1fa605ec954de2e3bea8c49033896eb2e839aec57622626c671098189582e22775bf1a6bb99

\??\c:\windows\system\s8\iexplorer.exe

MD5 f0e35c6aa09eb617edd74d6c3d261cc7
SHA1 3ddc8a75ef279de85af3456c0998ce1098c3a66b
SHA256 f43935b8e17b6c0034b1d296868941c16dd27baba5752fb3bc1dfa1de29b2fd2
SHA512 020256586266bc9d4286515d53c37edce0f4bf80701b68dc3367fb3b155f3a6122b90e5e14c24866720d295c4094fa4c2fe3c8480a3bfc89e5be27caf2cd86ca

memory/4052-90-0x0000000002240000-0x0000000002257000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\acpidisk.sys

MD5 fccb95cfcb6ffd101162d8c638e7bc3a
SHA1 a8dae2cfaa57769268fdbaedf021eb6ad4c89bbe
SHA256 871219e8b90a42609b31dbccd968fad4f3209dbff9aedcb0034060eace5e138b
SHA512 0d255888ea327e6b50d84ab3feb94839a6e10838203f440ae30602be3bc2edfb15fa2d4038c34d8ae983ab45b15616889373456c25a3dda74cdedd19aa93c229

memory/1648-99-0x00000000005C0000-0x00000000005C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DoSSSetup.dll

MD5 7d70fb69d8f1e267c0dba99a7d8706e8
SHA1 a75a059ed010d17b660f5440123582e4548d8327
SHA256 1410734294de20dea4daea85bbb3245c0161a2cc6c70b772d6bc1fad4de8d899
SHA512 8442de28f1e2294d29026464843a743a0eed79fc6e358d494f493b0f82c181f899d3643597959afceff23b26d488636f7a9ea48c59cc476a012b07e73f7f9f37

C:\Program Files (x86)\Common Files\CPUSH\cpush.dll

MD5 05f2b5f682867496129cf0750a76a8b1
SHA1 2589c67a5965ebdd7fec346e8618487709bbc4bf
SHA256 df304a40f0d01010bdbdd8ec1b57ab91b40034bd18780718b1aa8318454ad4f2
SHA512 0bb2171fdadc57f6e1739e4bac5ebc8038692f43582391a53526894b079fd49078f8ca49aa0cd1f7006bc9d7bf3407c97ab763f7448a6c56587d04ebfaa2f95e

memory/2420-71-0x0000000000400000-0x000000000049CE33-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\ioSpecial.ini

MD5 7da01a60b8b58f98463affb026e8355f
SHA1 dda58fcf7b5ed528ad2913c2d0dd10664435aa6e
SHA256 fb63a8371e096200943ab0f08ece0dc6603aa9d7ef8ab52d6c727a90a969e98b
SHA512 89717e7cc2779dcc4e2e9470a59c88a07087c63a05d646b247de8242149afc130277b9a846de39887a882531a5c48bbf23aabe4359f1e63101c978e1139dc668

C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\InstallOptions.dll

MD5 08c82a46416a5e2b471d457968f53816
SHA1 3e3897c20b9e89b279b4764a633f67955bf8f09a
SHA256 435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9
SHA512 91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

C:\Users\Admin\AppData\Local\Temp\nse855D.tmp\ioSpecial.ini

MD5 d32b87b1a9651a877507c7a89f2222cc
SHA1 17390134d38498a2a4e493a89dd46666c7e1115b
SHA256 1623e6a14b331744d3f9f54e9fb4ad7e5ed320ca5f80430b0e67cf5dcf8acf93
SHA512 05058ec350d16741a754d2da256198d1242e5d995c91386b6c5cb3359808ce4dcfacb2ffb4ff6dee2beaac3b81a6bdea58b67d7bd79f2629ad0834616dc9f08a

memory/1648-215-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3564-217-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/3564-226-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3564-228-0x00000000005C0000-0x00000000005C1000-memory.dmp
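The Files section lists each dropped file as a path followed by its MD5/SHA1/SHA256/SHA512 lines, with memory dumps interleaved and with the same path sometimes appearing twice under different hashes (dodolook184.exe above was written twice with different content). As an added example (my code, not part of the report), the following Python parses that layout, validates hash lengths, collects the SHA256 set for hunting, and flags the drop locations that match the report's signatures: a .sys file (the acpidisk.sys driver), a DLL under Program Files (cpush.dll, the one registered via regsvr32), a binary in a non-standard C:\Windows subdirectory, and the iexplorer.exe name, which differs from Internet Explorer's real binary name iexplore.exe by one letter. The excerpt is copied from the section above with SHA512 lines omitted for length; the flag wording is my own.

```python
import re

# Excerpt of this report's behavioral1 Files section, copied from the page
# (SHA512 lines left out to keep the excerpt short). A dropped file is a path
# line followed by its hash lines; memory dumps carry no hash lines.
FILES_SECTION = r"""
memory/2420-0-0x0000000000400000-0x000000000049CE33-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

MD5 c7c862bc46cde331b5d3da6c5d90d161
SHA1 c4cec33f42901c21458c5d8e24c0caa62e15ccd4
SHA256 95abd0e445cde613054ada9477efd1d56e3e89001773c9461285df6f87a57597

C:\Users\Admin\AppData\Local\Temp\dodolook184.exe

MD5 5ef4d4eb8adc19903011639216dd26bf
SHA1 13bbd6df445edcedbe7deab9df13de3d6b7a601c
SHA256 3928d4dc9c7cff379fdddc121944ba1041cb55b02ee8acc44c85d8d54bbcae5b

\??\c:\windows\system\s8\iexplorer.exe

MD5 f0e35c6aa09eb617edd74d6c3d261cc7
SHA1 3ddc8a75ef279de85af3456c0998ce1098c3a66b
SHA256 f43935b8e17b6c0034b1d296868941c16dd27baba5752fb3bc1dfa1de29b2fd2

C:\Users\Admin\AppData\Local\Temp\acpidisk.sys

MD5 fccb95cfcb6ffd101162d8c638e7bc3a
SHA1 a8dae2cfaa57769268fdbaedf021eb6ad4c89bbe
SHA256 871219e8b90a42609b31dbccd968fad4f3209dbff9aedcb0034060eace5e138b

C:\Program Files (x86)\Common Files\CPUSH\cpush.dll

MD5 05f2b5f682867496129cf0750a76a8b1
SHA1 2589c67a5965ebdd7fec346e8618487709bbc4bf
SHA256 df304a40f0d01010bdbdd8ec1b57ab91b40034bd18780718b1aa8318454ad4f2
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_files(text):
    """Turn the path/hash-lines layout into records; reject malformed hashes."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LENGTHS:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            value = value.lower()
            if len(value) != HASH_LENGTHS[label] or not HEX_RE.match(value):
                raise ValueError(f"malformed {label} for {current['path']}: {value!r}")
            current["hashes"][label] = value
        elif line.startswith("memory/"):
            records.append({"kind": "memdump", "path": line, "hashes": {}})
            current = None
        else:
            path = line[4:] if line.startswith("\\??\\") else line   # NT -> DOS path
            current = {"kind": "file", "path": path, "hashes": {}}
            records.append(current)
    return records


def sha256_set(records):
    """Hash list for hunting (EDR search, VT lookup); one entry per distinct content."""
    return {r["hashes"]["SHA256"] for r in records if "SHA256" in r["hashes"]}


def triage(records):
    """(path, reason) pairs for drop locations that match the report's signatures."""
    findings, seen = [], {}
    for r in records:
        if r["kind"] != "file":
            continue
        p = r["path"].lower()
        name = p.rsplit("\\", 1)[-1]
        if name.endswith(".sys") or "\\drivers\\" in p:
            findings.append((r["path"], "kernel driver dropped"))
        if p.startswith("c:\\program files"):
            findings.append((r["path"], "dropped under Program Files"))
        if p.startswith("c:\\windows\\") and not p.startswith(STANDARD_DIRS):
            findings.append((r["path"], "dropped in a non-standard Windows subdirectory"))
        if name == "iexplorer.exe":
            findings.append((r["path"], "name mimics Internet Explorer's iexplore.exe"))
        seen.setdefault(p, set()).add(r["hashes"].get("SHA256"))
    for p, shas in seen.items():
        if len(shas) > 1:   # same path, different content: overwritten or re-dropped
            findings.append((p, f"path written {len(shas)} times with different content"))
    return findings


if __name__ == "__main__":
    recs = parse_files(FILES_SECTION)
    print(sorted(sha256_set(recs)))
    for path, why in triage(recs):
        print(f"{why:50} {path}")
```

When hunting on this list, search on the SHA256 set rather than the paths: the Temp file names (855.exe, ad2502.exe, dodolook184.exe) are installer-chosen and the same content may land under other names on other hosts.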