Malware Analysis Report

2025-01-22 12:32

Sample ID 240518-vbe75sdb3w
Target 55c49df085255a5622f8189a367eeb3a_JaffaCakes118
SHA256 633da211c739b9be11192f580d3e3a42fa533f5da4c922bf8dca67b8af71a837
Tags
aspackv2 upx
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral6, behavioral7, behavioral9, behavioral10, behavioral2, behavioral3, behavioral4, behavioral11, behavioral12, behavioral1, behavioral5, behavioral8 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

633da211c739b9be11192f580d3e3a42fa533f5da4c922bf8dca67b8af71a837

Threat Level: Shows suspicious behavior

The file 55c49df085255a5622f8189a367eeb3a_JaffaCakes118 was found to be: Shows suspicious behavior.

Read together, the detonations below describe an NSIS-built installer bundle for a Chinese casual game that talks to paopaoche.net (the $PLUGINSDIR, nsjD116.tmp and nsu6041.tmp staging directories are NSIS conventions). The static pass flags ASPack v2.12-2.42 and UPX packing and unsigned PEs. At runtime qqddp.exe extracts a second qqddp.exe into its ns*.tmp directory and runs it (that child crashes under WerFault in every run), drops orange-install.ico into SysWOW64, and rewrites the Internet Explorer default search scope to a baidu.com URL carrying a traffic-source tag (tn=site888_1_pg); PlayGame.exe loads aqhttp.dll and Greening.dll from its Temp directory and registers a "StartGame Library" type library (interfaces IMyClose and ITaaaa) whose win32 path points back into Temp; 安装程序.exe ("installer", UPX-packed in behavioral11/12) and the .url Internet Shortcuts opened through rundll32 ieframe.dll,OpenURL make up the rest of the bundle. Sample-attributable network activity goes to paopaoche.net and www.paopaoche.net (43.135.124.120), pic.paopaoche.net (82.157.27.9) and DNS lookups for c.qx5577.com and box.962.net; the 8.8.8.8 reverse lookups and bing.com traffic are Windows background noise, and the statuse.digitalcertvalidation.com requests are CA revocation checks triggered by the HTTPS sessions rather than sample infrastructure.

Malicious Activity Summary

aspackv2 upx

ASPack v2.12-2.42

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 16:48

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win10v2004-20240426-en

Max time kernel

132s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\qqddp.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\qqddp.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\qqddp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 756

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2712-0-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2712-1-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\哈哈小游戏-宝物矿石三三消.url

(The .url file name 哈哈小游戏-宝物矿石三三消 translates to "Haha Mini Games - Treasure Ore Match-3". rundll32 ieframe.dll,OpenURL is the standard way Windows opens an Internet Shortcut, so this detonation only launches the bundled link in the default browser.)

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\哈哈小游戏-宝物矿石三三消.url

Network

N/A

Files

memory/1712-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\宝物矿石三三消.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\宝物矿石三三消.url

Network

N/A

Files

memory/2020-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

101s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\宝物矿石三三消.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\宝物矿石三三消.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bskwqqddp\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bskwqqddp\\" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 box.962.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.paopaoche.net udp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 120.124.135.43.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/4548-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/4548-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\rungame.ini

MD5 20733534cece6abc76efee85d57100f9
SHA1 a4bcb42ab09fb41af7bde96eca71c0cab517df34
SHA256 5e7eb4d54902999f3b1801b30d0c632d8f0226ce0ec0f7f2835627472046b586
SHA512 02c77d85c476259443502b794860b2fa0675501ea07c95f78782748fd81c591f48b8a328f8f661e5f069780167579e27a9b973dd808cac708a169a1654e0e1bd

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

memory/4548-37-0x0000000000400000-0x0000000000791000-memory.dmp

memory/4548-39-0x0000000000A70000-0x0000000000A71000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win7-20240221-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjD116.tmp\qqddp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\orange-install.ico C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A

Note: the DisplayName "°Ù¶È" is the GBK byte sequence B0 D9 B6 C8 for 百度 (Baidu), written through an ANSI API on the English-locale sandbox and therefore rendered as cp1252 mojibake. The URL's tn= parameter is Baidu's traffic-source tag, which attributes the redirected searches to a specific channel; this is the search-provider hijack that earns the adware/spyware tag.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 784 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe C:\Users\Admin\AppData\Local\Temp\nsjD116.tmp\qqddp.exe
PID 784 wrote to memory of 2860 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\nsjD116.tmp\qqddp.exe C:\Windows\SysWOW64\WerFault.exe

Note: both bursts occur at process creation (the installer into the child it has just spawned, then the crashing child into the WerFault.exe it launches with -u -p 784). That is the memory-write pattern CreateProcess itself produces while setting up a new process, not evidence of code injection.

Processes

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe"

C:\Users\Admin\AppData\Local\Temp\nsjD116.tmp\qqddp.exe

C:\Users\Admin\AppData\Local\Temp\nsjD116.tmp\qqddp.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 484

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsjD116.tmp\qqddp.exe

MD5 0f25b68a1e2422f0bcecb02f4cf8691d
SHA1 60a251b6160e4fd19c60e6433fd9fa7bf4f5dfdd
SHA256 3cd21fe67a619cd9f3d4afb7793563354259578e7ecfe703fd32a08b2cf7e9f2
SHA512 a788e943a23995a529f3bc6ec53f9528a6f493223b4450e07d08b138be42f00b5cbe1caf9cfb3a535cdd95c8c25a3a9d0029f73fe5553d6fddc11d5398c226f3

memory/784-18-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu6041.tmp\qqddp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\orange-install.ico C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A

Note: same search-scope change as in behavioral3 (DisplayName "°Ù¶È" is GBK for 百度, Baidu, rendered through cp1252); the behavior is identical on Win7 and Win10.

Processes

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe"

C:\Users\Admin\AppData\Local\Temp\nsu6041.tmp\qqddp.exe

C:\Users\Admin\AppData\Local\Temp\nsu6041.tmp\qqddp.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 764

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu6041.tmp\qqddp.exe

MD5 0f25b68a1e2422f0bcecb02f4cf8691d
SHA1 60a251b6160e4fd19c60e6433fd9fa7bf4f5dfdd
SHA256 3cd21fe67a619cd9f3d4afb7793563354259578e7ecfe703fd32a08b2cf7e9f2
SHA512 a788e943a23995a529f3bc6ec53f9528a6f493223b4450e07d08b138be42f00b5cbe1caf9cfb3a535cdd95c8c25a3a9d0029f73fe5553d6fddc11d5398c226f3

memory/1628-6-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1628-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win7-20240419-en

Max time kernel

140s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

(The file name 安装程序 translates to "installer".)

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Note: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the public DigiCert Global Root CA, and AuthRoot is the store that Windows' automatic root update populates on demand. Together with the statuse.digitalcertvalidation.com requests in the Network table below, this is consistent with the Win7 image fetching a missing trusted root during the first HTTPS connection to paopaoche.net, not with the sample installing a certificate of its own. The signature does not fire in the Win10 run (behavioral12), consistent with that image already trusting the root. Treat the evasion/spyware/trojan tags on this signature accordingly, and reserve concern for thumbprints that do not match a public root.
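
The registry tables in behavioral2 (type-library registration), behavioral3/behavioral4 (SearchScopes) and this section (AuthRoot) are the kind of output an analyst has to sort into genuine settings changes and operating-system side effects. The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's flattened "Description Indicator Process Target" layout, folds the per-user SID and MACHINE prefixes into HKCU/HKLM so rules do not depend on the image, and classifies each row. The sample rows are constructed from the tables on this page; the allowed search hosts, the one-entry table of known public roots and the category names are the editor's assumptions.

```python
"""Classify registry and file events from a sandbox signature table.

Added example, not part of the report. SAMPLE_EVENTS is constructed from the
behavioral2, behavioral3/4, behavioral11 and behavioral1 tables in the report.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Report layout, one event per line:  <op> <path>[ = "<value>"] <process> <target>
SAMPLE_EVENTS = r'''
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
File created C:\Windows\SysWOW64\orange-install.ico C:\Users\Admin\AppData\Local\Temp\bskwqqddp\qqddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bskwqqddp\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
'''

EVENT_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key deleted|File created)\s+'
    r'(?P<path>(?:\\REGISTRY\\|[A-Za-z]:\\).+?)'   # non-greedy: ends at ' = "' or before the last two columns
    r'(?: = "(?P<value>.*?)")?'
    r'\s+(?P<proc>\S+)\s+(?P<target>\S+)$'
)
HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-21(?:-\d+)+)", re.I)
CERT_RE = re.compile(r"\\systemcertificates\\(\w+)\\certificates\\([0-9a-f]{40})")
COM_RE = re.compile(r"\\classes\\(?:wow6432node\\)?(?:typelib|clsid)\\")
IE_SCOPES = r"hkcu\software\microsoft\internet explorer\searchscopes"
IE_CONTROL_NOISE = (r"hkcu\software\microsoft\internet explorer\international\cpmru",
                    r"hkcu\software\microsoft\internet explorer\main\windowssearch")
ALLOWED_SEARCH_HOSTS = {"www.bing.com", "bing.com"}   # assumption: the IE default your policy accepts
KNOWN_PUBLIC_ROOTS = {                                 # assumption: extend from your own trust policy
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}


def fix_mojibake(s: str, codec: str = "gbk") -> str:
    """Undo multibyte text that was rendered through cp1252 ("°Ù¶È" -> 百度).

    Apply only where Chinese text is expected: Latin-1 text also re-decodes "successfully".
    """
    try:
        raw = s.encode("cp1252")
    except UnicodeEncodeError:
        return s
    if all(b < 0x80 for b in raw):
        return s
    try:
        return raw.decode(codec)
    except UnicodeDecodeError:
        return s


def normalize_hive(path: str) -> str:
    """Fold \\REGISTRY\\MACHINE to HKLM and per-user SIDs to HKCU so rules are image-independent."""
    return HIVE_RE.sub(lambda m: "HKLM" if m.group(1).upper() == "MACHINE" else "HKCU", path)


def classify(path: str, value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Map one event to (category, detail), or None when it is not interesting."""
    p = normalize_hive(path)
    low = p.lower()
    if low.startswith(IE_SCOPES):
        leaf = low.rsplit("\\", 1)[-1]
        if leaf == "url" and value:
            host = urlparse(value).hostname or ""
            if host not in ALLOWED_SEARCH_HOSTS:
                return "ie_search_hijack", f"default search URL points at {host}"
        elif leaf == "displayname" and value:
            return "ie_search_hijack", f"search provider renamed to {fix_mojibake(value)!r}"
        elif leaf == "defaultscope" and value:
            return "ie_search_hijack", f"DefaultScope switched to {value}"
        return None
    if low.startswith(IE_CONTROL_NOISE):
        return "ie_control_noise", "written by the hosted IE/WebBrowser control, not a settings change"
    m = CERT_RE.search(low)
    if m:
        store, thumb = p[m.start(1):m.end(1)], m.group(2).upper()
        known = KNOWN_PUBLIC_ROOTS.get(thumb)
        if known:
            return "root_store_write", f"{store}: {known} (public root; consistent with automatic root update)"
        return "root_store_write", f"{store}: unknown thumbprint {thumb}, extract and inspect the Blob"
    if COM_RE.search(low) and value and r"\appdata\local\temp" in value.replace("\\\\", "\\").lower():
        return "com_registration_from_temp", f"COM/type library path resolves into Temp: {value}"
    if low.startswith((r"c:\windows\system32", r"c:\windows\syswow64")):
        return "system32_drop", p
    return None


def triage(table_text: str):
    """One finding per classifiable row: category, detail, operation and writing process."""
    findings = []
    for line in table_text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        hit = classify(m["path"], m["value"]) if m else None
        if hit:
            findings.append({"category": hit[0], "detail": hit[1], "op": m["op"],
                             "process": m["proc"].rsplit("\\", 1)[-1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['category']}] {f['process']}: {f['op']} -> {f['detail']}")
```

Run against the constructed rows it reports three ie_search_hijack findings for qqddp.exe (DefaultScope, the Baidu DisplayName, the baidu.com URL), one system32_drop, one com_registration_from_temp for PlayGame.exe, a root_store_write that resolves to a public root, and flags the CpMRU write as control noise. The value of the normalisation step is that the same rule set applies across the Win7 and Win10 runs, whose SIDs differ.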

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\安装程序.exe

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 www.paopaoche.net udp
HK 43.135.124.120:443 www.paopaoche.net tcp
US 8.8.8.8:53 pic.paopaoche.net udp
US 8.8.8.8:53 c.qx5577.com udp
CN 82.157.27.9:443 pic.paopaoche.net tcp
CN 82.157.27.9:443 pic.paopaoche.net tcp
CN 82.157.27.9:443 pic.paopaoche.net tcp

Files

memory/2984-0-0x0000000000B20000-0x0000000000C46000-memory.dmp

memory/2984-21-0x0000000000B20000-0x0000000000C46000-memory.dmp

memory/2984-27-0x0000000000B20000-0x0000000000C46000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\安装程序.exe

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 paopaoche.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
NL 23.62.61.72:443 www.bing.com tcp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 120.124.135.43.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.paopaoche.net udp
HK 43.135.124.120:443 www.paopaoche.net tcp
US 8.8.8.8:53 pic.paopaoche.net udp
US 8.8.8.8:53 c.qx5577.com udp
CN 82.157.27.9:443 pic.paopaoche.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CN 82.157.27.9:443 pic.paopaoche.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
CN 82.157.27.9:443 pic.paopaoche.net tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
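
The Network tables in this report interleave three kinds of traffic: Windows background activity (reverse-DNS PTR lookups through 8.8.8.8, Bing search and telemetry), CA revocation checks that the sample's own HTTPS sessions trigger (statuse.digitalcertvalidation.com), and connections attributable to the sample. The script below is an added example, not part of the report or the sandbox, that parses rows in the report's "Country Destination Domain Proto" layout and buckets them so that the sample-attributable indicators (domains, the addresses they resolved to, ports) fall out on their own. The rows are constructed from the behavioral2 and behavioral12 tables; the resolver address and the two suffix lists are the editor's assumptions tuned to this sandbox image.

```python
"""Bucket sandbox network rows into sample IOCs versus background traffic.

Added example, not from the report. SAMPLE_ROWS is constructed from the
behavioral2 and behavioral12 "Country Destination Domain Proto" tables.
"""
import ipaddress
from typing import Dict, List

SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 box.962.net udp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 pic.paopaoche.net udp
US 8.8.8.8:53 c.qx5577.com udp
CN 82.157.27.9:443 pic.paopaoche.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumptions (editor's, for this sandbox image): the resolver the image uses and the
# domain suffixes that belong to the OS/sandbox rather than to the sample.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_SUFFIXES = ("in-addr.arpa", "bing.com", "bing.net", "msn.com", "microsoft.com")
# OCSP/CRL responders are contacted because the sample opened TLS sessions, but they
# belong to the CA; keep them visible in their own bucket instead of dropping them.
REVOCATION_SUFFIXES = ("digitalcertvalidation.com", "digicert.com")


def _under(domain: str, suffix: str) -> bool:
    return domain == suffix or domain.endswith("." + suffix)


def bucket_for(domain: str) -> str:
    """background | revocation_check | sample, by domain suffix."""
    d = domain.lower().rstrip(".")
    if any(_under(d, s) for s in BACKGROUND_SUFFIXES):
        return "background"
    if any(_under(d, s) for s in REVOCATION_SUFFIXES):
        return "revocation_check"
    return "sample"


def extract_iocs(rows: str) -> Dict[str, Dict[str, dict]]:
    """Parse 'CC ip:port domain proto' rows into {bucket: {domain: {ips, ports}}}.

    A UDP/53 row to a resolver is a lookup (the domain was queried; the resolver IP is
    not a contact). Any other row is a connection to ip:port on behalf of that domain.
    """
    out: Dict[str, Dict[str, dict]] = {"sample": {}, "revocation_check": {}, "background": {}}
    for line in rows.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _cc, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        entry = out[bucket_for(domain)].setdefault(domain, {"ips": set(), "ports": set()})
        if proto == "udp" and port == "53" and ip in RESOLVERS:
            continue  # DNS query only: the domain is recorded, no contact address
        entry["ips"].add(ip)
        entry["ports"].add(int(port))
    for bucket in out.values():
        for entry in bucket.values():
            entry["ips"] = sorted(entry["ips"], key=ipaddress.ip_address)
            entry["ports"] = sorted(entry["ports"])
    return out


def sample_ips(iocs: Dict[str, Dict[str, dict]]) -> List[str]:
    """Distinct addresses the sample actually connected to, for blocklisting."""
    ips = {ip for e in iocs["sample"].values() for ip in e["ips"]}
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    for domain, e in iocs["sample"].items():
        print(f"{domain}: ips={e['ips'] or 'dns only'} ports={e['ports']}")
    print("revocation checks:", sorted(iocs["revocation_check"]))
    print("block:", sample_ips(iocs))
```

On the constructed rows the sample bucket holds paopaoche.net (43.135.124.120, ports 80 and 443), pic.paopaoche.net (82.157.27.9, 443) and the DNS-only names c.qx5577.com and box.962.net, which matches the indicators a reader would pick out of the tables by hand. Keeping revocation checks in their own bucket matters because a blocklist built from everything non-Microsoft would otherwise include the CA's OCSP responder.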

Files

memory/2748-0-0x0000000000690000-0x00000000007B6000-memory.dmp

memory/2748-12-0x0000000000690000-0x00000000007B6000-memory.dmp

memory/2748-18-0x0000000000690000-0x00000000007B6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win7-20240220-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bskwqqddp\\" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bskwqqddp\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\bskwqqddp\PlayGame.exe"

Network

Country Destination Domain Proto

Files

memory/3036-7-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3036-6-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bskwqqddp\rungame.ini

\Users\Admin\AppData\Local\Temp\bskwqqddp\Greening.dll

\Users\Admin\AppData\Local\Temp\bskwqqddp\aqhttp.dll

memory/3036-27-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/3036-55-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\rank[1].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\softmain[1].css

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\softui[1].js

memory/3036-112-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3036-114-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/3036-117-0x0000000000400000-0x0000000000791000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win7-20240508-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\qqddp.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\qqddp.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\qqddp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 404

Network

N/A

Files

memory/2220-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2220-1-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/2220-3-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-18 16:48

Reported

2024-05-18 16:51

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

124s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\哈哈小游戏-宝物矿石三三消.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\bskwqqddp\哈哈小游戏-宝物矿石三三消.url

Network

Country Destination Domain Proto

Files

N/A