Malware Analysis Report

2025-01-18 21:32

Sample ID: 240325-czy12sdg57
Target: dd05c0c435083766ae2e8ae4a8e66a6d
SHA256: ccc02e286948da9c7ce2d873e82452bb5721c03db8b837a0707f725e5a7fd857
Tags: adware persistence stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: ccc02e286948da9c7ce2d873e82452bb5721c03db8b837a0707f725e5a7fd857

Threat Level: Shows suspicious behavior

The file dd05c0c435083766ae2e8ae4a8e66a6d was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-25 02:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 02:31
Reported: 2024-03-25 02:34
Platform: win7-20240221-en
Max time kernel: 12s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\tmp.tmp.tmp1 | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C} | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\wsock32.sys | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\28egr8w5P8.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
File created | C:\Windows\SysWOW64\28egr8w5P8.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WinUtilInst.exe | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | N/A
File opened for modification | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC264C51-EA4F-11EE-9DC0-D20227E6D795} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C} | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3} | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\WinUtilInst.exe
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2684 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe | C:\Windows\tmp.tmp.tmp1
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2504 wrote to memory of 2624 | N/A | C:\Windows\tmp.tmp.tmp1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2624 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2072 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2428 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE | C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 2036 | N/A | C:\Program Files (x86)\internet explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2036 wrote to memory of 2732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe

"C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe"

C:\Windows\WinUtilInst.exe

"C:\Windows\WinUtilInst.exe"

C:\Windows\tmp.tmp.tmp1

C:\Windows\tmp.tmp.tmp1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE

C:\Program Files (x86)\internet explorer\iexplore.exe

"C:\Program Files (x86)\internet explorer\iexplore.exe" http://

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2684-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\WinUtilInst.exe

MD5 671ef7bbe86943fb3fe91a5c0418096b
SHA1 279fc38de8980dd80412c6044480195e97791397
SHA256 62d5fbd06593133bdb9a2cfacc770f2916035a9a52ddb7264473f323ce255b0b
SHA512 419ce917bb2fdc3dd5f54ac9c6e225372f976d3b67a1ba29d2b8f19c3d29a10589cae17799dab2a4b0ccfa7774b71d5fea69dfed1db85b27f320472ea0838d72

C:\Windows\tmp.tmp.tmp1

MD5 b91ab099d3e225b6d8f350cf78aa7b0f
SHA1 652a9b4bc7b6a45a245572c09e00ab1333a3361c
SHA256 68bc0347d9fe3ebb24af45a352ffb1f5a80f220845aefe035152bb1c12d0f842
SHA512 11e0d311782f3b93cf0ccf4a5d116b745c039b1aa2acd6418e21cf674a5895e544cb4f4fc198a9f460b4e9c32715377bd580f778ed08dd94ab68f2278736930a

memory/2684-20-0x0000000000400000-0x0000000000408000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe

MD5 3f419fc16ff704cd932d711e49538dcc
SHA1 66821a33d40c1d20605e54107a0753b4e1cb2f78
SHA256 77d173f45c4fef0756c75a29d9286df15f40814c67ad09ceefc7865df0c630d1
SHA512 a97bda6e4f0542810542e84448cfff499d586f90574d8e07aa47ca2b314765f7f550e56f544fa49cc91bb5b7cced612ab3b6b0de126b987624d0812fe6245d67

\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe

MD5 2b1375e3b7bd11111bf3ed37ec2fc176
SHA1 3d4252ccae5a9f59c83d67023e5abfa445110ee2
SHA256 f2356be1f67093327178c2ea19bf7be13f92be2b850195cdf24614bf7757aa34
SHA512 58f83d244e56ad44586ccf03eb9d2394684ec00fb48379052f44fe00198b6cc313a7e44d4336137f53b489cf682ca67111138346b7748c1a5f61fa248d067456

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe

MD5 d3bf2d26bf179fb390e9e7c8da8c9030
SHA1 fef57c12c1efd132cc0a9adf3e7277d5a64fef3b
SHA256 4c9c9da287437f14a11981c77147759b0fc3401296d9804a193c7ead3ce3194f
SHA512 8a73e4dc1d17b045708120f5e6c2aeed25130f5b223cdd7ef576e6ac0763e7b7809bbb6c3c7df25dac8cb2a2161a15cb44cb05f7c3abc213be635a0b9caefa91

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe

MD5 21302426553bf1719e9329eafa0e9fd4
SHA1 7037928feed7bd3a9248010e80a13f8d91a16a3d
SHA256 8c9f402054dcae30d90f5654cdd7dd69cacdd94cb375d5920ff1e53e561b7d86
SHA512 f330bf0bd0a36198337f3750e061b88f7e6d3c59f24ea0aa38a432d18200f97f2705b1d26186455322565d9fd7bf02e5336cf3041cc8bf2b018ffbd7501649e0

memory/2624-51-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe

MD5 c802d55ef1eced6ef8308626d08f6e91
SHA1 75da8e233c52ecc5b2826948ef235d454bdc6152
SHA256 d855a4033fb3561c1b30fc3b0f687ccbb15d32ca61d596c8f77f1e2fbe12f685
SHA512 799f0f4ea08335044abd01dff2a6a76985fc35a9393bb92b448241378d1c65d4b62b15acf3ef670db135db1b9a5884802e3a2ddf7a9886b16fd3edeb2fb09c9e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE

MD5 560eb15c91f52c917d96c409c89066c4
SHA1 2e2a663c8e7479fbc1bd9a4525d14b26a81175c7
SHA256 5528bf0f1e16d82216a7d6dc8ac9d966088a73ff3837a903f2132cc31d67ab68
SHA512 c0c528a7531dccffebaea12821be2224e13d11c575436b2e303ed6198a834393010ab24c8575643b238db4fca64be3998c2131c29d5154db85502c481785ef3f

\Windows\SysWOW64\wsock32.sys

MD5 e542cc1875d57544eb2382faf41573b1
SHA1 e23d5915349d5772f23180dfa2c2cac2c0b8d14e
SHA256 0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac
SHA512 5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

C:\Users\Admin\AppData\Local\Temp\Cab590B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e5108ab2041ffc1158fb3e0bc395136
SHA1 5219bc4b18fc7338f1d6173d940e9615bbb59a0b
SHA256 30a904d818e48ccba5ed5f03d83fe0dbf76584f8cca74b65d38101f3d560f1ac
SHA512 1ecd7cb46220a26f1d489f375aff362dfd0d7c4ce945a57155a7daef0137034acf564c523e98e6ab25cbea1b1af9bce2047bb357822174a0ef125609e74f5589

C:\Users\Admin\AppData\Local\Temp\Tar5E6F.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1e787e43d23e7082cb666cee403a87a
SHA1 1c1b8c276047a404561a3747681038ef1744d4d5
SHA256 5fc40184672e3bbe5a3e7581af2cd54299dca70817d24f096758fe20ba92a7ec
SHA512 3c8bdcaffeac696061c27437e435119f6f84c890154c94bfc02ca3f48aaa04f51c0a1c2ac50353c07f79c46d2853e74aa7c5fd16bdba646d295b3c2beb374b54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c40cd32a2d4c1193b6df73aea8356832
SHA1 36849abf285845ac1f6e32c49429cad51acf3696
SHA256 74e13dcf43c3c7aa42e6a752053c248e22dcc9b51d43f59661582da0400d69fb
SHA512 901489b1c483fafc69bbee1f2d644bb85811654ce75acf7ca96c9f8818c28c02ef2b01d192699cf5b6f85ee56fedd75b2531105e1ea4be86694d26aab400a8fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98472266a3098420cd28752fd45ccb77
SHA1 4d91af974ec40ab78174a387b48ca8f15d616f36
SHA256 16c6712bea6ae477d09a2720120bbaadd93b82bf6869fd15770ba545c9ced2e2
SHA512 1d6eefef1d2a6683b918698c10c5253a64b304dc45d7d63d956df074f4f029fa2d68ca63490608dec1e234008ba52e8d33e089acb578ece81cecffd31178776f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 193672d6e9778b7444fe250d5ac31449
SHA1 84e3eaf57701b7ff94e42f68172f4dc158551788
SHA256 30f2a727bdb37c49843e9ea69c7b9e3ef767a19fa052b73998e1bc95da2a4ac2
SHA512 ef1cca5b7ca57c70ee55c306d8bccfc1c68459001922072317788d8b2fd209841a0b1da3f7d883a8acb26cb4bce3a6ddf48ae64ab62ae9dde408db716ce3e19c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02ec500d1ecc7e6310f5113297d1077c
SHA1 ac9fe1cd2d57e1fcc7282ccaaf17cd965dc7cb73
SHA256 1053456b5840145bfb4929ef2456ecd8ee06adc66d3b274482e504671d20272f
SHA512 fe9628c48e804c9580f3b1dd52240c8a3610a6a503442c9f8d66b1606eb9d4b2bbe7b5994524915ffaa3100e3bcee6d91509ba7099863f05c3544fa8f5c0d173

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 036a1e44acf35c5c566c7140673145f6
SHA1 0c9822569a9527f0c85ee1d0ac1f3d9ead3b1a4d
SHA256 55f2648dad83084642e80eaa77c0aed9d4eed58d03d0fb866f8efaec1f3cf929
SHA512 963abedfc37aeb8349f1db5401c0b21e07d509b02de46a030ea271eb2150b80e0419f33e90d313705ca71a8165a11428c02189084ae7d7fbeeff0098d735e6d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb52d8ce8e3167b68ee1d6985c2d04fa
SHA1 74fabf55bf8c74ea2f8568bed72d5b73c8a1f290
SHA256 5e068674e1d77afc75bf95345ab40dab232b3e0cc4729a83f5086c01d5130501
SHA512 f1be4093a557f3376d8128dec3bd5365a9ce791bc783d43f9e25662e9bbbc17c55cb5ebc20717105c7332012c896bc458a34f2710296348dae00cd4b5fbe802d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70f1aefff150bdea996a130d63489dbb
SHA1 d6f7f31b6dd5252506fad3599c3a4a7550501473
SHA256 4f5c294cbf48778d0fc0cdd52c72502a3646c932dc048e7fe2aedf88703a51ca
SHA512 f7a51efc505d8044c29a6dca57a696e3d016174b3f68734776d126e411923d87f5e278f4305ed246f2f8bc4b78d5ba06883cfedec9965886a5bc46fb6ab767ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbeb41a4c2e5fd1f871906b37de8b130
SHA1 d81595ed58cb65c284fee83466273c1d7410bd59
SHA256 348e3162ccaf8ce9cef2c3ea8192a021cb0bea4c251f4ee70127a534673afc46
SHA512 08c8ae63cc4adb377fb4f230e209de18c251acee82ecf8cfec86b61d8957a378ddb45891739763c462e591a762f17723ae32543f980416c79a483b1f3ecf405d

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 02:31

Reported

2024-03-25 02:34

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\tmp.tmp.tmp1 N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C} C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28egr8w5P8.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
File opened for modification C:\Windows\SysWOW64\wsock32.sys C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
File opened for modification C:\Windows\SysWOW64\28egr8w5P8.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinUtilInst.exe C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe N/A
File opened for modification C:\Windows\tmp.tmp.tmp1 C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31096412" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2702060409" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2702060409" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31096412" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31096412" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb81c2d97e83014aa839d28a6b89bdd400000000020000000000106600000001000020000000f8be494144455c8f45c18ca4c49732138b3cb4b269bb78817391b15d6303be41000000000e8000000002000020000000cb60bd2e040fc8954bd30fbfe039598efae0ab721ecf7ae43a1ea2444f333b032000000011393a2dfd0f48cd2c03b744950d49486c280ce950c70f479908da5895b8a1a840000000b7ae0b3b45fc8a0ab931309ca3001189c0817303d96d36fa30b7466aa06d821620ee686d49bd4e2e89e5f4acd5e23c771351cddb1468bd6f666496f3cb89bc26 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2707373013" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418098871" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06098a15c7eda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01b9da15c7eda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CCA96447-EA4F-11EE-9216-CE945492B8DF} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb81c2d97e83014aa839d28a6b89bdd400000000020000000000106600000001000020000000a41c813531ab12f05af7e1135a46bfd437966741cce2e8291d9519a160c45a9a000000000e8000000002000020000000326ebad467f2c1a1e9dc76281daaeda39a7264da916b20e1589773188fb36df220000000cbec950a351fb63ec5193fbf4c534584091f3915beef9db026f2f5a4b4e101674000000002156bfbbb0af694af546dc0bdccdf1638c77ab3923329f9babfb5b16853a267c8cfb6c1368af1ce6c609fae6088193d67575ce0d6956e2915a16072255bc6ee C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3} C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C} C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe C:\Windows\WinUtilInst.exe
PID 2956 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe C:\Windows\WinUtilInst.exe
PID 2956 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe C:\Windows\WinUtilInst.exe
PID 2956 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe C:\Windows\tmp.tmp.tmp1
PID 2956 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe C:\Windows\tmp.tmp.tmp1
PID 2956 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe C:\Windows\tmp.tmp.tmp1
PID 1180 wrote to memory of 2328 N/A C:\Windows\tmp.tmp.tmp1 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 1180 wrote to memory of 2328 N/A C:\Windows\tmp.tmp.tmp1 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 1180 wrote to memory of 2328 N/A C:\Windows\tmp.tmp.tmp1 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe
PID 2328 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2328 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2328 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe
PID 2328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 2328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe
PID 1612 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 1612 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 1612 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE
PID 4504 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE C:\Program Files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE C:\Program Files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE C:\Program Files (x86)\internet explorer\iexplore.exe
PID 1220 wrote to memory of 524 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1220 wrote to memory of 524 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 524 wrote to memory of 4584 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 524 wrote to memory of 4584 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 524 wrote to memory of 4584 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe

"C:\Users\Admin\AppData\Local\Temp\dd05c0c435083766ae2e8ae4a8e66a6d.exe"

C:\Windows\WinUtilInst.exe

"C:\Windows\WinUtilInst.exe"

C:\Windows\tmp.tmp.tmp1

C:\Windows\tmp.tmp.tmp1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE

C:\Program Files (x86)\internet explorer\iexplore.exe

"C:\Program Files (x86)\internet explorer\iexplore.exe" http://

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:524 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/2956-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\WinUtilInst.exe

MD5 671ef7bbe86943fb3fe91a5c0418096b
SHA1 279fc38de8980dd80412c6044480195e97791397
SHA256 62d5fbd06593133bdb9a2cfacc770f2916035a9a52ddb7264473f323ce255b0b
SHA512 419ce917bb2fdc3dd5f54ac9c6e225372f976d3b67a1ba29d2b8f19c3d29a10589cae17799dab2a4b0ccfa7774b71d5fea69dfed1db85b27f320472ea0838d72

C:\Windows\tmp.tmp.tmp1

MD5 b91ab099d3e225b6d8f350cf78aa7b0f
SHA1 652a9b4bc7b6a45a245572c09e00ab1333a3361c
SHA256 68bc0347d9fe3ebb24af45a352ffb1f5a80f220845aefe035152bb1c12d0f842
SHA512 11e0d311782f3b93cf0ccf4a5d116b745c039b1aa2acd6418e21cf674a5895e544cb4f4fc198a9f460b4e9c32715377bd580f778ed08dd94ab68f2278736930a

memory/2956-17-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyffing.exe

MD5 3f419fc16ff704cd932d711e49538dcc
SHA1 66821a33d40c1d20605e54107a0753b4e1cb2f78
SHA256 77d173f45c4fef0756c75a29d9286df15f40814c67ad09ceefc7865df0c630d1
SHA512 a97bda6e4f0542810542e84448cfff499d586f90574d8e07aa47ca2b314765f7f550e56f544fa49cc91bb5b7cced612ab3b6b0de126b987624d0812fe6245d67

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LoginScreen.exe

MD5 2b1375e3b7bd11111bf3ed37ec2fc176
SHA1 3d4252ccae5a9f59c83d67023e5abfa445110ee2
SHA256 f2356be1f67093327178c2ea19bf7be13f92be2b850195cdf24614bf7757aa34
SHA512 58f83d244e56ad44586ccf03eb9d2394684ec00fb48379052f44fe00198b6cc313a7e44d4336137f53b489cf682ca67111138346b7748c1a5f61fa248d067456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flyff.exe

MD5 d78c6aa1611293ed14eb4f6fb63710a3
SHA1 67be85425307e89f22eb7b03ccc20c0a1083d921
SHA256 8086115ef70e2b92d28dc1c7af2963ab653f5d847b4d4e2eaeb1908f46a9a51f
SHA512 8c0e98eda3ad6cfcddedc7da666356e92c92276e71a64e7907f32544c04a1f613599486194adde994f4cf00a25867caf57abdba10d2fb794ec9bed42c72a375c

memory/2328-47-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NEUERL~1.EXE

MD5 560eb15c91f52c917d96c409c89066c4
SHA1 2e2a663c8e7479fbc1bd9a4525d14b26a81175c7
SHA256 5528bf0f1e16d82216a7d6dc8ac9d966088a73ff3837a903f2132cc31d67ab68
SHA512 c0c528a7531dccffebaea12821be2224e13d11c575436b2e303ed6198a834393010ab24c8575643b238db4fca64be3998c2131c29d5154db85502c481785ef3f

C:\Windows\SysWOW64\wsock32.sys

MD5 e542cc1875d57544eb2382faf41573b1
SHA1 e23d5915349d5772f23180dfa2c2cac2c0b8d14e
SHA256 0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac
SHA512 5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J3U83TL1\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee