Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-rkkmfacb4z
Target b255d021f8154ff50c4d660af3d2add2
SHA256 d765fe9a2d98bf50348be276eb608aefc9fefd360c98550569b874cf4f7846b7
Tags
evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d765fe9a2d98bf50348be276eb608aefc9fefd360c98550569b874cf4f7846b7

Threat Level: Likely malicious

The file b255d021f8154ff50c4d660af3d2add2 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:15

Reported

2024-03-04 14:17

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
The iexplore.exe and IEXPLORE.EXE rows below are ordinary browser state written when 1.bat opened http://WWw.cnkankan.com/?71628 (DOMStorage, Zoom, Recovery, CpMRU and so on); the sample's own writes in this signature are the two "Key created ...\Internet Explorer\Main" rows from reg.exe, a side effect of the Start Page change listed under the next signature.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE446291-DA31-11EE-BF06-56D57A935C49} = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415723610" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.71628.com/?i" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell C:\Windows\SysWOW64\reg.exe N/A
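
The registry rows above form one chain: the RunOnce value hsdfasd launches a path ending in .{971C5380-92A0-5A69-B3EE-C3002B33309E}, and the same GUID is registered under HKCR\CLSID with a Shell\open(&H)\Command that runs wscript with the VBScript engine forced (-e:vbs) on a file named 3.bat, so the .bat extension says nothing about what executes. The Python below is an added example, not part of this report and not the sample's code, that correlates such events on the shared GUID. The event list is transcribed from the rows above (key path, value name, data), the tag names are this example's own, and whether the shell really dispatches a .{GUID} launch path through that CLSID's verb is an assumption to confirm on a test VM rather than something the rows prove.

```python
"""Correlate the registry writes in the rows above on their shared GUID.

Added example: not part of the sandbox report and not the sample's code.
Events are (key path, value name, data) transcribed from the report's
"Adds Run key", "Modifies registry class" and "Modifies Internet Explorer
start page" rows; "" as a value name is the key's default value.
"""
import re

# Transcribed from the report (the SID is the sandbox VM user's).
REGISTRY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "hsdfasd",
     r'"C:\Users\Admin\AppData\Roaming\PPLive\tmp.\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}" hh.exe'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "GrpConv", "grpconv -o"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command",
     "", r'wscript -e:vbs "C:\Users\Admin\AppData\Roaming\PPLive\3.bat"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}",
     "IsShortCut", ""),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN",
     "Start Page", "http://www.71628.com/?i"),
    (r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main",
     "Start Page", "http://www.71628.com/?i"),
]

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
CLSID_VERB_RE = re.compile(r"\\CLSID\\(\{[^}\\]+\})\\Shell\\[^\\]+\\Command$", re.I)
IE_MAIN_RE = re.compile(r"\\Internet Explorer\\Main$", re.I)
ENGINE_RE = re.compile(r"(?:^|\s)[-/]{1,2}e:(\w+)", re.I)


def classify(key, name, data):
    """Tag one registry write; tag names are this example's own."""
    tags = []
    if RUN_KEY_RE.search(key):
        tags.append("run_key")            # T1547.001 Run / RunOnce keys
    if CLSID_VERB_RE.search(key):
        tags.append("clsid_shell_verb")   # Shell\<verb>\Command under a CLSID
    if IE_MAIN_RE.search(key) and name.lower() == "start page":
        tags.append("ie_start_page")      # browser start-page hijack
    return tags


def engine_override(cmd):
    """Return (engine, script) when a script host is told which engine to
    use and the script's extension does not match it, e.g. -e:vbs on a .bat."""
    m = ENGINE_RE.search(cmd)
    if not m:
        return None
    engine = m.group(1).lower()
    candidates = re.findall(r'"([^"]+)"', cmd) or cmd.split()[-1:]
    for path in candidates:
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext != engine:
            return engine, path
    return None


def correlate(events):
    """Link every Run/RunOnce command that embeds a GUID to the shell verb
    registered for that same CLSID. The correlation only uses what the
    events say; that the shell dispatches a .{GUID} path through the verb
    is an assumption to confirm on a test VM."""
    verbs = {}
    for key, _name, data in events:
        m = CLSID_VERB_RE.search(key)
        if m:
            verbs[m.group(1).upper()] = data
    chains = []
    for key, name, data in events:
        if "run_key" not in classify(key, name, data):
            continue
        for guid in GUID_RE.findall(data):
            verb = verbs.get(guid.upper())
            if verb is not None:
                chains.append({"run_value": name, "launch_path": data,
                               "clsid": guid.upper(), "verb_command": verb,
                               "engine_override": engine_override(verb)})
    return chains


def summarize(events):
    """Everything a triage note needs from the registry rows."""
    start_pages = [(key, data) for key, name, data in events
                   if "ie_start_page" in classify(key, name, data)]
    return {"start_page_writes": start_pages, "chains": correlate(events)}


if __name__ == "__main__":
    for chain in summarize(REGISTRY_EVENTS)["chains"]:
        print(f"RunOnce\\{chain['run_value']} -> {chain['clsid']} -> {chain['verb_command']}")
```

Feeding the same three-tuple shape from a Sysmon event 13 or a registry hive diff works unchanged; the point of keying on the GUID rather than on the value name (hsdfasd is arbitrary) is that the CLSID is what the two halves of the persistence must agree on.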

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A 7
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe N/A 1
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A 7
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp N/A 1

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Every pair below is a parent and a child it spawned (compare the Processes list), consistent with the writes that accompany process creation rather than injection into an unrelated process.
Description Indicator Process Target Writes
PID 2032 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2432 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2440 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe 4
PID 2440 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 2440 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2792 wrote to memory of 2316 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2300 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2300 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2032 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp 4
PID 2300 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2300 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2032 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2300 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2300 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe 4
PID 2300 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe 4
PID 2300 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe 1

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe

"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f

C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp

C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf

C:\Windows\SysWOW64\rundll32.exe

rundll32 D:\VolumeDH\inj.dat,MainLoad

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp > nul
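
The process list above is the whole installation procedure: the dropped comeback_197.bat runs 1.bat, which opens IE against http://WWw.cnkankan.com/?71628, installs 1.inf and 2.inf through rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall, runs 2.bat to rewrite the IE Start Page with reg add, registers the CLSID shell verb that runs wscript with the VBScript engine forced on 3.bat, hides PPLive\tmp with attrib +s +h, calls MainLoad in D:\VolumeDH\inj.dat through rundll32 (a module with a non-.dll extension), and finally deletes the original sample by its 8.3 short name, B255D0~1.EXE, which any detection that matches only the long file name will miss. The Python below is an added example, not part of this report and not the sample's code, that turns those command lines (transcribed here) into rule hits; the rule names and the short-name heuristic are this example's own, and each ATT&CK ID is the closest technique for that rule.

```python
"""Classify the process command lines in the list above.

Added example: not part of the sandbox report and not the sample's code.
The command lines are transcribed from the report; the rule names and the
8.3 short-name heuristic are this example's own, and each ATT&CK ID is the
closest technique for that rule.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"

# Transcribed from the report's process list.
PROCESS_CMDLINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "',
    r"rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf",
    r'reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f',
    r'reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul',
    r"attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp",
    r"rundll32 D:\VolumeDH\inj.dat,MainLoad",
    r'"C:\Windows\System32\grpconv.exe" -o',
]

RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+?)),(\w+)', re.I)
REG_ADD_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\b', re.I)
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w\s+)*"?([^"\s>]+)', re.I)


def rundll32_target(cmd):
    """(module, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def matches_8dot3(short_name, long_name):
    """Heuristic: could the 8.3 name (e.g. B255D0~1.EXE) refer to long_name?
    Real short names depend on creation order, so this only checks the
    prefix before '~' and the extension (an assumption, not a lookup)."""
    s_stem, s_ext = ntpath.splitext(short_name)
    l_stem, l_ext = ntpath.splitext(long_name)
    if "~" not in s_stem:
        return short_name.lower() == long_name.lower()
    prefix = s_stem.split("~", 1)[0].lower()
    l_clean = re.sub(r"[\s.]", "", l_stem).lower()
    return l_clean.startswith(prefix) and s_ext.lower() == l_ext.lower()[:4]


def classify(cmd, sample_path=SAMPLE):
    """Return [(rule, attack_id)] for one command line."""
    findings = []
    low = cmd.lower()
    target = rundll32_target(cmd)
    if target:
        module, export = target
        base = ntpath.basename(module).lower()
        if base in ("syssetup", "syssetup.dll") and export.lower() == "setupinfobjectinstallaction":
            findings.append(("rundll32_inf_install", "T1218.011"))       # INF DefaultInstall via rundll32
        elif ntpath.splitext(base)[1] not in ("", ".dll", ".cpl", ".ocx"):
            findings.append(("rundll32_nonstandard_module", "T1218.011"))  # loadable module behind .dat
    if REG_ADD_RE.match(cmd):
        if "internet explorer\\main" in low and "start page" in low:
            findings.append(("ie_start_page_hijack", "T1112"))
        if re.search(r"hkcr\\clsid\\\{[^}]+\}\\shell\\.*\\command", low):
            findings.append(("clsid_shell_verb", "T1112"))
    if re.search(r"\bwscript\b.*\s[-/]{1,2}e:", low):
        findings.append(("wscript_engine_override", "T1059.005"))   # engine chosen by switch, not extension
    if re.search(r"\battrib\b.*\+h", low):
        findings.append(("hidden_attribute", "T1564.001"))
    m = DEL_RE.search(cmd)
    if m and matches_8dot3(ntpath.basename(m.group(1)), ntpath.basename(sample_path)):
        findings.append(("self_deletion", "T1070.004"))              # del by 8.3 short name
    return findings


def scan(cmdlines, sample_path=SAMPLE):
    """[(cmd, findings)] for every command line that hits at least one rule."""
    results = []
    for cmd in cmdlines:
        findings = classify(cmd, sample_path)
        if findings:
            results.append((cmd, findings))
    return results


if __name__ == "__main__":
    for cmd, findings in scan(PROCESS_CMDLINES):
        print(", ".join(f"{rule} ({tid})" for rule, tid in findings), "<-", cmd)
```

The rundll32 parser is the piece worth keeping: it separates the module from the export so a rule can reason about the module's extension and location, which is how inj.dat stands out even though the command line contains nothing that looks like a DLL. The self-deletion rule needs the parent's image path, so in live telemetry pass the parent process's path as sample_path rather than a constant.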

Network

Country Destination Domain Proto
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 www.cnkankan.com udp
US 8.8.8.8:53 jump2.35638.com udp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 sstatic1.histats.com udp
CA 149.56.240.130:80 sstatic1.histats.com tcp
CA 149.56.240.130:80 sstatic1.histats.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 bofangqi.6gg.cn udp
SG 170.33.13.246:80 bofangqi.6gg.cn tcp
US 8.8.8.8:53 mohe.6gg.cn udp
SG 170.33.13.246:8012 mohe.6gg.cn tcp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 dl.pipi.cn udp
US 8.8.8.8:53 d.shasanguo.com udp
US 8.8.8.8:53 rsdownload.rising.com.cn udp
UA 163.171.137.26:80 rsdownload.rising.com.cn tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp

Files

memory/2032-0-0x00000000001F0000-0x0000000000217000-memory.dmp

memory/2032-1-0x0000000000020000-0x0000000000023000-memory.dmp

memory/2032-5-0x00000000001F0000-0x0000000000217000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

MD5 d980f89e4088711df685a0aa09e8f5a7
SHA1 dde805f4fa5e016e122e4240e20ff844113717d7
SHA256 28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09
SHA512 fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

memory/2032-9-0x0000000000020000-0x0000000000023000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\comeback_197.bat

MD5 23962a245f75fe25510051582203aff1
SHA1 20832a3a1179bb2730194d2f7738d41d5d669a43
SHA256 1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512 dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

memory/2032-28-0x0000000000930000-0x000000000093F000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\1.bat

MD5 286fe459674aef6eee17f6ac79a15fdb
SHA1 233dc43099c575a67b05fc1076e676324fd6e63d
SHA256 872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2
SHA512 c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

memory/2792-72-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\2.bat

MD5 d4917ae9072a10d8e12ef3b282b25b3b
SHA1 bd9ec6c6395997525ec7c15ecca2f115573cc14c
SHA256 6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
SHA512 c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

C:\Users\Admin\AppData\Roaming\PPLive\1.inf

MD5 34c14b8530e1094e792527f7a474fe77
SHA1 f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256 fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA512 25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp

MD5 009978a694b907272232dae718ab2dfa
SHA1 3e956d50265c389aaa762662e6383452747b553e
SHA256 38c3a1f7ad09787918862b2d6dd93b441b4856995cc8fc713a6154f5d50f8fd9
SHA512 f8bd846149481c476fd461fd05cf6e297d647894683e32d1ce3ccb96465893d3c9d0ae554d46a1bf52b28f89b1bde41dcad75afe237f413fbc60490b56a8e6c4

C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp

MD5 e9cf92cf46c1aa4c3f39d32d82cb9b5f
SHA1 69bfcb3ca48e501f4d9d68f93beff7caeff2233d
SHA256 b4a5158c399e14d98fd083cc66398c420f83aa44008bcb574c378d74930926b1
SHA512 25f7e80409d52294e7b977c5694c9135fe782c858ec4a61306099e31cd927bca481c740802f50b94fd0047483e02e0b3af0970b93cc155324a1e30b6babdcd7c

\Users\Admin\AppData\Local\Temp\inlEBC8.tmp

MD5 ca12160321ab07aaf3d2eb8f822c65f0
SHA1 2011ec04932d553b2f4fbf1a83c92ad96ef15d46
SHA256 eebdfa0592f6f965102d00ba5609642bdabacb073d9d0347ff44066887906265
SHA512 fa280acfd6af33e7b37fe83907f63f274d9a2398d69278a3e3226729b55c6c848a18acf4638312634ede12126e32a77d26328dd424d03f5bae5706f4e6db51b6

\Users\Admin\AppData\Local\Temp\inlEBC8.tmp

MD5 c8183b6139b869aced9851e60618b4db
SHA1 e3c7a31d9caf1d471d8b92d1101e1671a924eb00
SHA256 0dd74b25b2f59f17d96804ebd782e374cb3918b865f8bd4f6f792f2bcf820a91
SHA512 6e3dbe20e89e7ebc874dd39dcbeeff244caace522399aa3a6b6f1488a67e909ed9d80fa97e53b0d24cdc0be4b965fbdb83e328189a3431816ddee3bd7c467374

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 14:15

Reported

2024-03-04 14:17

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0ecdea13e6eda01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B43D231D-DA31-11EE-B9F7-C69DB2B6DED0} = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2307468804" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2307468804" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31092286" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd95170200000000020000000000106600000001000020000000918f33394cadab8a22a6502b53f466377476a1e80971914dc443ad770f01740a000000000e8000000002000020000000ab76c8246f46b663ecc5ac641e6346b1f075dab0d51cedcf7f8d29b495d459822000000034361ecf7d1bfbc78fda75ae01af0341224c628dfc1e189be8fab6704dbc1cdb40000000f0d6e375c63e36e089f9cc98adf07b14e9d29cb31695250a8069ad971be4d6f8efcf252d4ca79c5c4d2cec959458393f60662a01594805ee367367ff7a110060 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f063c2a13e6eda01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2321062717" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416326729" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31092286" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd9517020000000002000000000010660000000100002000000020328a060149c1c8428384c3a338a4ae45f364cb1f0ca79c6b06fb21e6a21ead000000000e80000000020000200000009186badae395625c275361bdab36dd410fa7ced6828a832bc5025ba5199f223c20000000bf630e9068b62f4c7cbe1c37c13f87b5da7521f6521e0ba202072474dcd324674000000037ac2ef97da15c679179601022edd30dfb94ef7781cf1c974f6fa9aa65010faf3e76ddf424657fcebf4da95b9c2d8027a7bbf7a5073ce20a1e09ac1c762e0cd7 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31092286" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 3620 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 3620 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3620 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3620 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3620 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3396 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp
PID 3396 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp
PID 3396 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp
PID 4960 wrote to memory of 2916 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4960 wrote to memory of 2916 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4960 wrote to memory of 2916 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4748 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3396 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4748 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4748 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4748 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4748 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4024 wrote to memory of 3688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\runonce.exe
PID 3688 wrote to memory of 4268 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 3896 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe

"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat

C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp

C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4960 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf

C:\Windows\SysWOW64\rundll32.exe

rundll32 D:\VolumeDH\inj.dat,MainLoad

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp > nul

Network


Files
