Malware Analysis Report

2024-11-16 13:20

Sample ID 240520-b6zqgsdh87
Target 5c8de46ab5674f061b88a1462d790bc0_JaffaCakes118
SHA256 e2f1be4902846deefee7eb4f0ab5c680dfb3d67ccb1e27bdeb0ff54c3fa93c81
Tags
sality backdoor evasion trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

e2f1be4902846deefee7eb4f0ab5c680dfb3d67ccb1e27bdeb0ff54c3fa93c81

Threat Level: Known bad

The file 5c8de46ab5674f061b88a1462d790bc0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Sality

Modifies firewall policy service

Windows security bypass

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 01:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 01:46

Reported

2024-05-20 01:48

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-APH09.tmp\ssplitinst.tmp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\fontdrvhost.exe
PID 4592 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\fontdrvhost.exe
PID 4592 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\dwm.exe
PID 4592 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\sihost.exe
PID 4592 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\svchost.exe
PID 4592 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\taskhostw.exe
PID 4592 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\Explorer.EXE
PID 4592 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\svchost.exe
PID 4592 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\DllHost.exe
PID 4592 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4592 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\System32\RuntimeBroker.exe
PID 4592 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4592 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\System32\RuntimeBroker.exe
PID 4592 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\System32\RuntimeBroker.exe
PID 4592 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4592 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4592 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4592 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Users\Admin\AppData\Local\Temp\is-APH09.tmp\ssplitinst.tmp

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe

"C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe"

C:\Users\Admin\AppData\Local\Temp\is-APH09.tmp\ssplitinst.tmp

"C:\Users\Admin\AppData\Local\Temp\is-APH09.tmp\ssplitinst.tmp" /SL5="$601D4,6159599,141824,C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\is-APH09.tmp\ssplitinst.tmp

MD5 206a0d523af8ed8537a37eb2ae9d998e
SHA1 321fcc8cfe84ba5fabbe4f4ea078f2714c3e8644
SHA256 fe3269a1a58f5675821af03cd8fa868b5d80ba28c1b5dfcc9d7365d5ffd7c49c
SHA512 5841949fb1d44c9f21e5297adf30671240fbde6fa2bbc7addf32d2adf97a3fa64df259d82d5b793ba65f45caacede94bf24e769fbc81124fc29c438e5000a3a7

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-20 01:46

Reported

2024-05-20 01:48

Platform

win7-20240221-en

Max time kernel

138s

Max time network

137s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\下载说明.htm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BFAFC831-164A-11EF-A6D5-5A791E92BC44} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422331446" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000eb26f279ef7cbe53c9e7e5015d3f607c32181de907cdf3bb7bbcb4e7b648fda7000000000e800000000200002000000040a260936f498c29c48d13a14c1e8c88d4a2be76800170a4d2e3030a0b10779090000000f43c7fd480c9a0c64ed92cc4994fd73ca4eedaaf308724d6c5888df8168642d2f580b6c61d2cea9f66b2873ce34eea32790c7602b9403eda7cd839f81ab6ef11ce77abab682d702fe64def5f6d6c8f977c84f83f5d7ce968e891703ab08bf91f15a7924af8bcfcd0f19900c32f9a9475b29a6ca778712ce8896a1b207ed17e68477726bb855c61d8ace16ae57734cccb400000007cc6dac162c60a5d1f166f34f7823c0813f014904396d29944564cf8bda24016d6c5f4f2246c55bff1adf082b94c43e82c7d950e00d6e5fcfb78d53eff4c4069 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5002039557aada01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000fe90c6686faeacd7641c998cb33473f76ed089b0c940fd7513bd5e3f51ae6585000000000e8000000002000020000000399bb328609f73b3f4620f161bd526e5d6fb9234619cf29e3f9d7a5ac9957aa92000000006abf4b46b8dfa92d83df4bdf03868887db47a4d5179de1bdec428f599e30b3c40000000cf3da021e86fe7e6ecdd474a292102aea61b3352377d446c9258adcbb6cefd9bce164f8f02c7afc6dec4bb8d6c1b26c702b838c795456ce69d07c8dd4963bd6e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\下载说明.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1412 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.pc0359.cn udp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDDD2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\CabDEC0.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarDF32.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e133d3fcb03a2c87aca13f2d2a954d08
SHA1 66645dd90c5ce4c32e6244479344192f2bc5da4e
SHA256 dc1cd71e1deb366cdd94cc26f563c0db7c13ab96d944f64ae90086b27556834e
SHA512 9a24b2a6ea14ccb0045c3aa178295399a107872b192871a77d0823d2bbbe26212514b4ae7478bab46a323108a9feb15cf4e224fb402511d1d9c470d07d96c555

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcdc593953d2154da7cebf4aee2aa2ff
SHA1 578fd7f08b8eab8fdaf820a9d551774f6e987961
SHA256 80aedd3ef87b2bcf584490a2ab875ee80dbd4d1df592579d78c55615bfbe6ca0
SHA512 39033444310d35c8df05a2ccd1839ed58b3c935177711b2e26d3ddfdb978e62178d1998ab2537e0beb0d97748448518731b2c81c999346d5a84a3f7901c5f8c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 020e0fbcca2794223c99ede78f9f899b
SHA1 954219a823e2c6db59485228289c02c7871182c5
SHA256 65638af5c3e5faa86b25b524e7dc6e6b83ebe71025053acddc478f950572733f
SHA512 5c435ca3333cac309372fda54615eb7c71bcd311661b8cee264d552b68c099a62ef76485a99019d50484e9242a6c3edbe06613925e9345d6dd19c99927d2cb9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3961e5af1ce3f940ecb099a2a8d181a9
SHA1 2e520f0d63224d635255c90328252a1fd75a3f1e
SHA256 dcb64fab01acf2118360160a07c6be361085c976a623a61e5ac3f2e8fe5ded5e
SHA512 2c18343f177ce4dc6240dfb88c765eb490d2099cf7aae7cbc3922f41ed020615740a5e1c0b9ee679147abc8ddfc9b5f2d0fdbcbc1f60054f93907b178ec40c0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24941416b599c59e1982dcd3947d50ac
SHA1 ab5b73c31951e7e41b022f9f588cbd56052f101e
SHA256 67f8ee44d2acd3ddfc5304f3364fd1738bfc1e3042528c1a2f975e377d1ea25c
SHA512 fd70da41506a4b984a1afc0db7d4d33ce9f31100ee5956d392292a1703bd58adffa78dccb58edfd9b71a126c4d0b3da03e29263e3a82fc69db940f9f85de7023

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ee44ff2937e063ae65cdd039a0ef559
SHA1 f206169724effb49e7b40d302e99aead7ecb69f1
SHA256 6b7624bdd44ab040d8166df7454eb8b7d0da4f135d2e550e912f79c445c635d0
SHA512 2270527dac317d3a6c109cf9053a193342b8047cee06afda428eae6de281cf5736a2aba55411789f13aa3f7c695a68fa48c2e6a18f1faa5283126794f86e11b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17f63223fdd50c6e1312987530066881
SHA1 b5a01c6e9bc36d591fb05fd68be1c3fbc41aec9e
SHA256 cc6b60a1bedb4384bddbe6f20ee4bcf37f262e11b638d88a48803d571a1c528f
SHA512 3895f694485f8790a3e1e66201404c1b818f22663d7ec17514413fb95bae7a4f482a88debb6db59cb722c3cd47e29f34d21b2d44f2820db0ea8a8c712a4dc7d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b451c42de3c2af83a1be0a18db5241cf
SHA1 761fb4a3c4e3bdc9522fd0470064881d8ea610cd
SHA256 ba6c4ac30174c730308f4f133e501c442bf97bddfb6334390c244aab709eeea4
SHA512 ba5ba973784362c2caa997b3a84a9787f2759f8e54874a967ac6d83d7feba078dc6a7a53e7f0b4c601c6f203de7acefdaa95232b7604a14baba245bd7cf6afde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd3b833384d6c61aaf2a492e56817c12
SHA1 926ad7aa5a287bfe711f9db32ef2518d4dbfa6aa
SHA256 37fd54e79a2a005c314a8f75ea324f32e1772bb2221b81fe3315f53a91e0c8af
SHA512 404b158b4c81da9bdf6110002dbfc23e0d8d15cecbfc7ffe03915924ff98607cc5f43fd6da57f7f973a20065cb01931ffc64d6f71cd2e0c71023fffc606aa8b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af3a61898590ec1d4105b897b5b87a05
SHA1 efe221b995e76548d0b3c7b25b62b1464047f71d
SHA256 25ff8116e2570ed80b79c1da5f58f4986eb528d95b7d83f054537f43047911cd
SHA512 668e3d82e6764fe95dd46151091fca08d560d6c6283330e2c9d504fb425791b360040905cb71657b360a43b214b27dd9f8c23600f41e4ad49e749ab4ffb07a79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b52626796752ed78aa8b3d7f25193c4c
SHA1 b0c16bd0966addf7d9a7dbf94e71463cf56e63b1
SHA256 cda71d09e3d78dd1d9c6cdd80996e8d4f83bdbda3a828ad453a74738c32cf380
SHA512 678c56427d4c2dee3405b5a446211e5e969beb35e8a8aa174feb5f6cb3eb41b82d9aec6bdebcb9e00f2987e47ec3f8ac2c75da5aff4db95b2ceabec93276f0d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b87f9b86c8ce1bff555ae5fc57c610e2
SHA1 9516ae09600a4d08ad075cd358cb7fe52f1c5c81
SHA256 d932eee54b74db53d5054ed0b18e3b3c06b903d2cebedccea8afc5a76455f31b
SHA512 eb31105485d66bbadb7d2a225ec527a176be6b43aa5cc49d7f4a27347b4295acdeec104509d6a5e3f0f9a341125d8bf3306eede0a9038fd98a6b14118ddec013

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b783dbcdbfddc2c6739610ae9736ff4b
SHA1 e36ef58d19375baf6ac920c0d8bbd77b65158bf5
SHA256 8f66c2928f52817a6fbc6e9612a8e024d336e16ccc5fd9d07c1b122da881fb61
SHA512 fde89dbdd18524e46db37a5bd68dd8e003620dbca9704c5ae769d49cff7a241a6b6329b926b1cf313233cc65dd56680ec32cb1416941ea5826620e612779f04f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1c733fe5ed802a54d8bbd1aaa0415d8
SHA1 b8d615449568d6fda6aabd43fd8347af4695c30a
SHA256 50bc5e44f9ad5a8e4808871c52773d02e2d9f437137ba9c051f63731cc86d8f7
SHA512 8d479a5346d3b9a9ce41c0593e637d5710d791a789d23d1e48de488cb5d34c1c7fb6cd4e02d7de854cb5ec28fe89dbc3df78e5e7f5e0f347aa1bd55efff8ebdc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8e53779110162f08b55603d3ae1956a
SHA1 1869132121eacf5a9d4982f3d6270e45e7a81b5d
SHA256 acda8afb860bc1b87e17b2f0402b86fb8084aa398b22b9fa3cfc7151e46ba60a
SHA512 ae4940c8d57526c6f52f8bcb14d71879610462974642703cc4288404c842fb652e2967c7f0c0ebc7161c029e9c0bde1be09f47634ff82b51c2b54ceee9ccdd81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4e6d9ce18b5024278c8cec0061a154d
SHA1 babcf1b87a13b250cf91bc4a3a1b81d764acc2f4
SHA256 bee5f65ca79f35f41292c4e624b13c3ccdf42173b94a8820b284ec5129de5b68
SHA512 e769af6ef8682b15a71f4ca402321c5327c51b90dc5119a8bb7dce6142fd677ca49a441001d98c19d81431dbf32c259ce150e3ab903e3adb1f437967ff8d0801

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-20 01:46

Reported

2024-05-20 01:48

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

131s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\下载说明.htm

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3728 wrote to memory of 576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3728 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\下载说明.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9053046f8,0x7ff905304708,0x7ff905304718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15557594087288904140,853942801007255847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.pc0359.cn udp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.pc0359.cn udp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp
CN 49.232.64.113:80 www.pc0359.cn tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_3728_VWCDJHXHBUCIVNYT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8a388ae236cfbdb3f993b2b1f5db6052
SHA1 381d9bfecdf8a09efb0f1c71439a3f0f525b9516
SHA256 9c36dc2f4112a3d1cbbd9e202adfe5a0b1b59c0bcc610849cca41627aa3b4a6f
SHA512 88d18ca0a0f17f7d4449144b1190e258ffea32123a484540669ee552532d703f44780a7d4839f3296fbb3671d411ef46cb3316edca0b712a8a43f8d90c833376

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 083c868d404462e098a06f7120bd0554
SHA1 1697efc8ab69b2703a8f6bb333d1ad62939aa024
SHA256 3c646344353757b03040e81f53da25b7811d6063d5ffbaa4e65f52158b134c88
SHA512 b121fbe864fdaa8b0dd59c946b823e174dc88c84a5a66157d5f2c502012871d2acbfa78496a3ffd81f975d37b81fddf1c910254fb7cb85aa4bc2b1a327c326e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 88a2d9e9b882a09228e2cf30f8f6c29a
SHA1 3b5f4050860e4b70f90529945b06770954766ff0
SHA256 1ae4df38776d1fc0ff4a0d98a3bb0fc41b50f8a9da302cab876fa7536846e5dc
SHA512 65aeb016b3c65ce5f0c0699475c13d19c41e04faa0bdf98e15ef8d226b15d67d9ce8de6a782b14cff31d7304047e37119f4081c4b8b5fd0728c93e6125564559

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 177a4cf850426825191c3d1c53d1d50c
SHA1 490529d313420d89de55d3b8f30b0c44d70b96c2
SHA256 d80e6b1362e23f7935907abed1f615fef1582fbdb6aa6db56489a48dfc96d61a
SHA512 ef07fd5cc46aed8e8a6b625432edd0231bc925f81e920af4d1359ddb3789eef95dc7918a12f6c013a371522df329d560032c88b65c8b297c6dd7785b03b846af

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-20 01:46

Reported

2024-05-20 01:48

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\使用帮助(河东软件园).url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\使用帮助(河东软件园).url

Network

N/A

Files

memory/2412-0-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-20 01:46

Reported

2024-05-20 01:48

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\使用帮助(河东软件园).url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\使用帮助(河东软件园).url

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 01:46

Reported

2024-05-20 01:48

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×17: UPX matched 17 times, none with indicator, process or target details)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A (×20)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp (×7)
PID 3016 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\taskhost.exe
PID 3016 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\Dwm.exe
PID 3016 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\Explorer.EXE
PID 3016 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\DllHost.exe
PID 3016 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp (×2)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A
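
The registry writes and cross-process memory writes in the behavioral1 signature tables are the highest-value indicators in this report: ssplitinst.exe (PID 3016) sets EnableLUA to 0, turns off the Standard Profile firewall, sets the Security Center override and notification values to 1, and then writes into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, the long-lived system processes Sality injects into. The Python below is an added example, not part of the sandbox output, that parses rows in the report's flattened "Description Indicator Process Target" layout and flags both behaviours, so the same check can be run over other reports with this layout. The DEFENCE_WEAKENING table and the INJECTION_TARGETS set are the example's own choices, built from the values this report shows; the sample rows are copied from the tables above. The parser assumes the Target column is either N/A or a path beginning with a drive letter.

```python
import re
from dataclasses import dataclass, field
from ntpath import basename

# Registry values whose listed setting disables or silences a host defence.
# Compared case-insensitively against the tail of the reported key path.
# Table built from the behavioral1 signatures above (example's own choice).
DEFENCE_WEAKENING = {
    r"policies\system\enablelua": "0",                        # UAC disabled
    r"firewallpolicy\standardprofile\enablefirewall": "0",    # firewall off
    r"firewallpolicy\standardprofile\donotallowexceptions": "0",
    r"firewallpolicy\standardprofile\disablenotifications": "1",
    r"security center\antivirusoverride": "1",
    r"security center\antivirusdisablenotify": "1",
    r"security center\firewalloverride": "1",
    r"security center\firewalldisablenotify": "1",
    r"security center\updatesdisablenotify": "1",
    r"security center\uacdisablenotify": "1",
}

# Trusted, long-lived processes this sample wrote into (Sality injection targets).
INJECTION_TARGETS = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe"}

_SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (.+)$')
_WROTE_MEM = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+)$")
_PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")  # column boundary before ' X:\'


@dataclass
class Triage:
    weakened: list = field(default_factory=list)  # (value name, value written)
    injected: list = field(default_factory=list)  # (target pid, target image)
    unparsed: list = field(default_factory=list)  # rows in neither layout

    @property
    def verdict(self) -> str:
        if self.weakened and self.injected:
            return "defence-evasion plus process injection: treat host as compromised"
        if self.weakened:
            return "defence-evasion: security settings tampered"
        if self.injected:
            return "process injection into system processes"
        return "no high-confidence indicators"


def check_registry(key: str, value: str):
    """Return the matching DEFENCE_WEAKENING tail if this write weakens a defence."""
    lowered = key.lower()
    for tail, bad in DEFENCE_WEAKENING.items():
        if lowered.endswith(tail) and value == bad:
            return tail
    return None


def triage_rows(rows) -> Triage:
    """Classify flattened 'Description Indicator Process Target' rows."""
    result = Triage()
    for row in rows:
        m = _SET_VALUE.match(row)
        if m:
            _kind, key, value, _rest = m.groups()
            if check_registry(key, value):
                result.weakened.append((key.rsplit("\\", 1)[1], value))
            continue
        m = _WROTE_MEM.match(row)
        if m:
            _src, dst_pid, _indicator, rest = m.groups()
            target = basename(_PATH_SPLIT.split(rest)[-1]).lower()
            if target in INJECTION_TARGETS:
                result.injected.append((int(dst_pid), target))
            continue
        result.unparsed.append(row)
    return result


# Rows copied from the behavioral1 signature tables above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe N/A',
    r'PID 3016 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp',
    r'PID 3016 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\system32\taskhost.exe',
    r'PID 3016 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe C:\Windows\Explorer.EXE',
]

if __name__ == "__main__":
    t = triage_rows(SAMPLE_ROWS)
    print(t.verdict)
    for name, val in t.weakened:
        print(f"  weakened: {name} = {val}")
    for pid, image in t.injected:
        print(f"  injected: PID {pid} ({image})")
```

The write from PID 3016 into its own Inno Setup child (ssplitinst.tmp) is deliberately not flagged: a parent writing into a process it just spawned is normal installer behaviour, whereas writes into taskhost.exe or Explorer.EXE are not. The Wow6432Node prefix on the Security Center keys is registry redirection for a 32-bit process on 64-bit Windows, so a detection keyed on the full path would miss the same write from a 64-bit sample; matching on the key tail avoids that.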

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe

"C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe"

C:\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp

"C:\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp" /SL5="$40150,6159599,141824,C:\Users\Admin\AppData\Local\Temp\ELTIMASerialSplitter\ssplitinst.exe"

Network

N/A

Files

memory/3016-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3016-2-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3016-7-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-8-0x0000000000401000-0x0000000000416000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-409MP.tmp\ssplitinst.tmp

MD5 206a0d523af8ed8537a37eb2ae9d998e
SHA1 321fcc8cfe84ba5fabbe4f4ea078f2714c3e8644
SHA256 fe3269a1a58f5675821af03cd8fa868b5d80ba28c1b5dfcc9d7365d5ffd7c49c
SHA512 5841949fb1d44c9f21e5297adf30671240fbde6fa2bbc7addf32d2adf97a3fa64df259d82d5b793ba65f45caacede94bf24e769fbc81124fc29c438e5000a3a7

memory/3016-10-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3044-36-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3016-42-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3044-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3016-41-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3044-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3016-39-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3044-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/3016-14-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-31-0x0000000000860000-0x0000000000861000-memory.dmp

memory/3016-29-0x0000000000860000-0x0000000000861000-memory.dmp

memory/3016-28-0x0000000000610000-0x0000000000612000-memory.dmp

memory/1124-19-0x0000000000450000-0x0000000000452000-memory.dmp

memory/3016-17-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-43-0x0000000000610000-0x0000000000612000-memory.dmp

memory/3016-15-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-16-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-13-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-47-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-48-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-50-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-51-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-52-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-54-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-55-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3044-60-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3016-71-0x0000000000610000-0x0000000000612000-memory.dmp

memory/3016-80-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3016-79-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3044-56-0x00000000001D0000-0x00000000001D2000-memory.dmp