Analysis Overview
SHA256
8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60
Threat Level: Shows suspicious behavior
The file 8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:29
Reported
2024-06-03 22:32
Platform
win7-20231129-en
Max time kernel
126s
Max time network
136s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FEIQ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe\" 1" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ImageOle.dll | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\feiq\FeiqCfg.xml | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\ = "ImageOle 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\Insertable | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Programmable | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID\ = "ImageOle.GifAnimator" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\ImageOle.dll, 102" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe
"C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 255.255.255.255:2425 | N/A | udp |
| N/A | 10.127.0.73:2425 | N/A | udp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
| CN | 60.28.220.246:80 | feiqupgrade.blog.sohu.com | tcp |
| US | 8.8.8.8:53 | lubentaofeiq.blog.sohu.com | udp |
| CN | 60.13.97.138:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 42.177.83.224:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 42.177.83.225:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 42.177.83.87:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 42.177.83.115:80 | lubentaofeiq.blog.sohu.com | tcp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
Files
memory/2364-0-0x0000000000400000-0x0000000000730000-memory.dmp
\Windows\SysWOW64\ImageOle.dll
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:29
Reported
2024-06-03 22:32
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FEIQ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe\" 1" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ImageOle.dll | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\feiq\FeiqCfg.xml | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID\ = "ImageOle.GifAnimator" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\ImageOle.dll, 102" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\Insertable | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\ = "ImageOle 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Programmable | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1 | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F} | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe
"C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 255.255.255.255:2425 | N/A | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| N/A | 10.127.0.241:2425 | N/A | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
| CN | 60.13.97.138:80 | feiqupgrade.blog.sohu.com | tcp |
| US | 8.8.8.8:53 | lubentaofeiq.blog.sohu.com | udp |
| CN | 123.234.2.61:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 42.177.83.134:80 | lubentaofeiq.blog.sohu.com | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| CN | 42.177.83.115:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 112.84.131.219:80 | lubentaofeiq.blog.sohu.com | tcp |
| CN | 60.28.220.246:80 | lubentaofeiq.blog.sohu.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
Files
memory/3720-0-0x0000000000400000-0x0000000000730000-memory.dmp
C:\Windows\SysWOW64\ImageOle.dll
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |