Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-c653yawpcw
Target f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN
SHA256 f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cf
Tags upx defense_evasion discovery persistence
Score 8/10


Analysis Overview

Score 8/10

SHA256 f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cf

Threat Level: Likely malicious

The file f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion discovery persistence

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer start page

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-31 02:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-31 02:42

Reported 2024-10-31 02:45

Platform win7-20240903-en

Max time kernel 119s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E070FEA1-9731-11EF-AD58-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000dc17ce2a9b438762128608dc73a9c180d94f51e796305e360950889a8cb4b33c000000000e800000000200002000000022a16a65665cbe98161d472d35747d7899069eab5e2a03669118f062d7e20aad200000002cdae006843db8fe2274825ef927d0ce1a5e383ea56d5363128313c33cc3f3f840000000c6109c7591a382a31fc83b5e3e8ce2d25eea7f4d3088d862a60d0dfb393cc7ef9b31c015ef76bbc2a42d687e8e7ea78bc04a6b1fa714204bb4ab3125f4d56725 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436504462" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E05DA581-9731-11EF-AD58-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b7f0b53e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2248 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2248 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2248 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2248 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2672 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2792 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2792 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2792 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2672 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2608 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2608 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2608 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2068 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2068 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2068 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1876 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1876 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1876 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2672 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2680 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2680 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2680 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2672 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe

"C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 dhku.com udp
US 8.8.8.8:53 www.ymtuku.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2672-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 e21a79cb24361cea29cadacd5bff6ed6
SHA1 306f46ca40dc64a3dbe2a6e39a3c6052d52c636b
SHA256 7281731b637ac19f75a7824af6d2e063f99a2b19c06cc9b2c82cadc6942d8d68
SHA512 1849955dd3d78ef6a1ecc0e00856d4d6be295235ca6cbb659a39aa0783e045c4f5101ff1f6f5b30ab4aa62d07564a4d3e73fbacfddc255f8310cf1c8e78d9d61

C:\system.exe

MD5 75b8c5314f6eb0e61dbadfa657ac0cec
SHA1 a3ba00420caf7a74faaa453ae3e1002e3c75aabc
SHA256 468c119eeafff3a185f417512225e7403ee93ed4785221ace3966a206984c674
SHA512 75e99346a0a772e048290505069335b1142eef14f3af0fcab74356e08462b81f9b53433b461165f51741f515c13e8c7e46a4ecd85d5940c975b880c0785f0dab

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E05DA581-9731-11EF-AD58-7ED3796B1EC0}.dat

MD5 0f99cb5d6a14803c98d9ffc0d2974ccf
SHA1 ae4e52943937df1438b3f609b3e30aac5556ab7d
SHA256 b3ae343696e17115a9c0f77d9d47f6f4ebcd08047f0eb2d9f15c2daa6d7fd370
SHA512 28917b5b03e1a935a4aaf7ed7130c6312fcd44ede2324c793f3c02c83e627649b1112756901544d8bc14c12239bdcde6083489103414ab29be1cb87452f5d0f5

C:\Users\Admin\AppData\Local\Temp\Cab9B4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA24.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1859e5ff7bc57788f92ac2b8f06600c1
SHA1 aadd6bd696a366b7351763ad75e05867ef3246e7
SHA256 2aa0daeb2dec2044622b2d688177d6316da93fdd35ce973067ce2a58bfc02e07
SHA512 f573d2b5867cba6459acc11eb2c292cff59311e521c8d76241fbfd65168d6faf34e1d70e479d2c1a38b27f733e71bb5c105abd0c424b0166b9f7e6f693cd48bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ad15e60db88ce568c01f32495df7e39
SHA1 266b57af608333079a03bf650fd5d7fe9624117b
SHA256 818cd129b5efa52d92f9459d078f6de180836e89aff8592585761cbf3825a3c9
SHA512 c1a67cefda5458fd024c8a0c48739a701594497f830ba17afee55ab5941ff34dcaa8c9df405b317dfab05bb584c80583c2fabdd43734ba2a104fb95e022ed8f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97d2edfb6ba4d1f55579432a56ae4b36
SHA1 2ec592504801bf3aafceb6ee9dd3f2556efa4b50
SHA256 a4bb90e195ec667d59b18de2e673a927e004455767404d91125a66e47e31adfc
SHA512 7790d68da2b8d91d0e19e62c701989784b2f8d02d93be13dbb98905538607e85f6eb503284c9476e8610dc98598c1872738b37e31749fba63db3f20cac3ab6df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ca1f66705aa2836101a9151fb0305b8
SHA1 8245040171191ee6360c335d4234a7b810a46303
SHA256 fb4bdf1d201eeed99834f412a525cc390e8fe662a9dea45b516f3514f9f34e90
SHA512 ca792c685cf68216c5f651537eba8bf32517468f1c85124863c8f81c3be0624f65a01d517e65a8078507814d8cf855ecf391e70c58328b291790873dce137be2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1b2e82f6717d6e114ef65b18d9577fd
SHA1 98ae9542b0c353f72455b95bcef84f4fc3afe60a
SHA256 32106957dc0fbddf362de19a8972b02c78d12c13acc83846212946e5e74f7772
SHA512 e8dd96c03f708f9becadad97a51541fbd87fd85eee1b9d8b37c19fab45f23b810d6b5987f988ea66703e3ad31d83c09550497caaa55769f694110045c0105bdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34d3dec4b7c07e0eaaf5b5759945b849
SHA1 b28a02fdc3dbf9d080f76d7ad22a4011e276a81d
SHA256 8041fde8cfadd497d879db4f7402969fd87ca04c5c0b1c75bb05149bf419467b
SHA512 9910cf409581db1441589f5cb25cbc1e6ca1ca37c3e164e84c2be506f27449bd20d4dee6854961f7930afc44b83fec4fcc0b318040ea2b3aee86b91562db38af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44f171cc08cbb4626b83d725ad47c55b
SHA1 ca7dddefb1ec0422452b697ed92ff6c347ec84f3
SHA256 9b6dc8a8bb23de8f911560429a542bb0eaf27720c07eaabc1c12fe2a2c432419
SHA512 5ee2311f155e5c01936a04c92f9b1786d0e75e7f289a500cd9eddad986efcd0efc3753bbd5cbcc3ef9d879515ec264ee4d10307d48b420b662e8020cb8ddf9d0

memory/2672-453-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e26184a14ee75bffaab9789ce2f886f
SHA1 9f46abbc2d6aba0006dc28b841b514bc3bf1f900
SHA256 2e88941a6d5de5e33c3fc9622b27b2d2f9aaa799f342d7fbbdb19b9b5aa56bc0
SHA512 95b1886089fbab3063bdbb51e091ea3d0043a5f96879f03daec204c210b6f75f854c1bd60dd9c6cd7f873882887cb421ee947481eac855ab5b5ed4ec2c274239

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19f1744a4491c49dd3c74565c7b0eb71
SHA1 f5cd9b99c96fdaee1b6ffa79abcf72103f325aa0
SHA256 d13c2574ca7ac773d48685a7ce0e02342e9c768ea6a7d374ae6a0124751fe2b6
SHA512 66073ccbf18c5441a1e4e24dac6d300dc2860882b765a2483c8f859d0e0e18dd5f41ca464d6aaabb30bb160d2f3ffdcc29cb87d491ed4641df33a14deb09d0ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7b5e6f01afb7813adc65b18b78babf7
SHA1 bff3b3d49e376a7503413764ef2a6afc4bc01ec3
SHA256 c9b5afd41ad126c0698268ea8b274e853eed62098e34760f721999caf1244df8
SHA512 9863da4e800410d54595f6904a08333a84b6c6bd21c85444b28f9be106aa2b06e61b81d1f6ab9209e4422370f87b8330f63f638adcd8656a8db459ebff1832f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a93e0afca020053e876199bf2ff3bdf6
SHA1 8c889ebcceac9e1a615c279f3989484d215585c5
SHA256 08e64b8e8ad23505a0af027f6532e5011e94182d6654cf9b1eea2ef3a2ec8290
SHA512 f0d913c55a962fcb7dc376e163b0b7e2cb186c305052b2a9160062d673008b6108870291550a06781f5b3f08ff125b602d8ab30c41c5a6cd02c26d85c0b85d8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa0a1a19bb4d19b90ad9ca287e7b996d
SHA1 30151757d42ea89932f4687cf43f867a6d6d74af
SHA256 217d25934b50190385f61422946a201e8fad3d3896de9fd91cb679036fbd88c4
SHA512 5e93bd65b6fc11c9991451c67f6fd8ca862ccf099f2e37a53cd91e1c2f913c267999ea19069c06828d5af916b008e13fcbc632c4d9abf620ddd6512df4327815

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11d9708fd4e068cff279ec6f20da2b3e
SHA1 f2760cfd924677b547e154f6d4db6064e8a7a059
SHA256 098fa1ac168a3c9c45230d7ba5ca7bdf83688b6a2ccd2598acf34f465292d28c
SHA512 dc7da6b4bf65388b6e2cac4c850b7345512c113bae4437dff2ff093a00912270f7f0b502c756f251fb9c94167e446e7a3400fe4617e7ebf2a238c43387eba6fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3e745774ffeececb7125fb387bdd505
SHA1 8cf3227ea216d63605b535ee96845beedc216b0b
SHA256 cde8f12fb57d5be60af0028bf503517df43a07caca484118fcafed4b48b37eee
SHA512 f491be482058dccb0045c5b4a939c327479bba0c85368c41e38c526c29a141dfb178e900c08281dce91906893c383dfe81adf4f51c05afa7482bd690254d15a4

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:42

Reported

2024-10-31 02:45

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
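
Two details in the rows above are worth checking programmatically. The subkey {A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} is not a well-formed GUID (X, J, H, U and R are not hex digits), and the StubPath value, shown on the page with escaped backslashes, resolves to C:\system.exe, the hidden copy the sample drops in the drive root. Active Setup runs a component's StubPath at a user's next interactive logon when the HKLM entry has no matching HKCU copy, so this is logon persistence rather than a run-once installer. The 32-bit sample's write landed under WOW6432Node through registry redirection. The following Python is an added example, not code from the report: it scores entries of this shape. The records are constructed from the table above plus one invented, benign-shaped entry for contrast, and the list of trusted path prefixes is an assumption.

```python
"""Check Active Setup "Installed Components" entries for persistence abuse.

Added example; not code from the sandbox report. ENTRIES is constructed from
the registry write in the report plus one invented benign-shaped record, and
TRUSTED_PREFIXES is an assumption about where a legitimate StubPath runs from.
"""
import re

# A well-formed CLSID: 8-4-4-4-12 hex digits inside braces.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Locations a legitimate StubPath is expected to execute from (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def stub_executable(stub_path: str) -> str:
    """Return the executable part of a StubPath value, quoted or bare."""
    s = stub_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def check_entry(subkey: str, stub_path: str) -> list:
    """Return reasons the entry looks suspicious; an empty list means nothing odd."""
    findings = []
    if not GUID_RE.match(subkey):
        findings.append("subkey is not a well-formed GUID")
    exe = stub_executable(stub_path).lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", exe):
        # e.g. c:\system.exe: a bare executable dropped in the volume root
        findings.append("StubPath executes a file placed in a drive root")
    elif not exe.startswith(TRUSTED_PREFIXES):
        findings.append("StubPath executes from an unexpected location")
    return findings


def scan(entries: dict) -> dict:
    """Run check_entry over every subkey -> StubPath pair and keep only the hits."""
    return {k: f for k, v in entries.items() if (f := check_entry(k, v))}


# Constructed input. The first entry reproduces the report's Active Setup write
# with the display escaping removed; the second is an invented benign-shaped entry.
ENTRIES = {
    "{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}": r"C:\system.exe",
    "{11111111-2222-3333-4444-555555555555}": r'"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll',
}

if __name__ == "__main__":
    for subkey, reasons in scan(ENTRIES).items():
        print(subkey, "->", "; ".join(reasons))
```

On a live host the same checks apply to the entries under both HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the WOW6432Node view; a malformed subkey name is a strong signal on its own because Windows components register real CLSIDs there.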

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3076325936" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a00000000020000000000106600000001000020000000c0d8f47beb74e3bafd6229cf55627c76b8b2fc2d63dc6478333c3bbd145197b4000000000e800000000200002000000083f845f3ce82c394abe96ef4fd86234330075c5f57d26b0fb89d7e1f4a51d210200000001c1f2f039af198c03007c5e2dc465de2dc1974c55ee3efba7fd26c2e77cf9f5440000000e8ddb85b5a77f494803f1090a1038f6be584635865d1efcbce979ba20a4ff5f4a74ba0359b83618713437383b8be19970689dd587c98eb5e415151260bdcb8a6 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20cdf0b73e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a00000000020000000000106600000001000020000000c71a72551557550b7f9c8837992c1bd7611165ab1517f17d9d2b5bcbdb02d268000000000e8000000002000020000000b8b39cdc7e1ad22dcb4710202ea1eb2414773a51091c4fc1bddf1094455d1e90200000009ff62d40862a345cb7e58043f97289616b4eb4bddc252e187bfbdb5f43db29f1400000006184799138f4d061fecb179c6312510bc68b0e180b23566f958b6022929ac17e7fa5ead357cb5cd80bb69922eb4a44f46b6af2d8544e47eef451587bb533937d C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2BF02A5-9731-11EF-AF2A-CAFD856C81B1} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3073825717" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3073825717" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0043fab73e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437107573" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4736 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3288 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3288 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3288 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4736 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4736 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4736 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3188 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3188 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4736 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 3488 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3488 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3488 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4736 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4376 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4376 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1920 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1920 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4736 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1136 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1136 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4736 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2832 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2832 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4736 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4092 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4092 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe

"C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3288 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"
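
The seven cmd.exe /c attrib +h invocations above split into two groups. Five target Internet Explorer shortcuts under Chinese-locale Windows XP paths (C:\Documents and Settings\...\桌面 is the Desktop, 「开始」菜单\程序 is Start Menu\Programs, 启动 Internet Explorer 浏览器.lnk is the "Launch Internet Explorer Browser" Quick Launch shortcut); those folders do not exist on the en-US Win10 image, so these calls have no effect here, and only the two remaining calls, on C:\WINDOWS\windows.exe and c:\system.exe, change anything (the "Drops file in Windows directory" table shows attrib.exe opening C:\WINDOWS\windows.exe for modification). The Python below is an added example, not code from the report: it runs a detection over a constructed event list built from the command lines in this Processes section and separates the hidden-executable pattern from the hidden-shortcut pattern. The shortcut directory keywords are an assumption.

```python
"""Flag cmd.exe /c attrib +h used to hide dropped executables and browser shortcuts.

Added example; not code from the sandbox report. EVENTS is constructed from the
command lines in the report's Processes section. SHORTCUT_DIRS is an assumption
about which shortcut locations matter (Chinese-locale names from the report plus
their English equivalents).
"""
import re

# attrib [+/-flag ...] <path>; path may be quoted or bare, flags such as +h +s +r.
ATTRIB_RE = re.compile(
    r'attrib(?:\.exe)?\s+((?:[+-][a-z]\s+)+)(?:"([^"]+)"|(\S+))\s*$', re.IGNORECASE
)

SHORTCUT_DIRS = ("\\桌面\\", "\\desktop\\", "\\quick launch\\", "\\「开始」菜单\\", "\\start menu\\")


def parse_attrib(cmdline: str):
    """Return (flags, path) if cmdline ends in an attrib invocation, else None."""
    m = ATTRIB_RE.search(cmdline)
    if not m:
        return None
    flags = m.group(1).lower().split()
    return flags, (m.group(2) or m.group(3))


def classify_hide(path: str):
    """Name the evasion pattern a hidden path represents, or None if uninteresting."""
    p = path.lower()
    if p.endswith(".exe"):
        if re.fullmatch(r"[a-z]:\\[^\\]+", p):
            return "executable hidden in drive root"
        if p.startswith("c:\\windows\\"):
            return "executable hidden in Windows directory"
    if p.endswith(".lnk") and any(d in p for d in SHORTCUT_DIRS):
        return "browser shortcut hidden"
    return None


def hunt(events):
    """events: iterable of (image, cmdline). Returns a list of (pattern, path) hits."""
    hits = []
    for image, cmdline in events:
        # Only shell-launched attrib is of interest: cmd.exe /c attrib ...
        if not image.lower().endswith("\\cmd.exe") or "/c" not in cmdline.lower():
            continue
        parsed = parse_attrib(cmdline)
        if not parsed:
            continue
        flags, path = parsed
        if "+h" not in flags:
            continue
        pattern = classify_hide(path)
        if pattern:
            hits.append((pattern, path))
    return hits


CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed from the report's Processes section (behavioral2).
EVENTS = [
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"'),
]

if __name__ == "__main__":
    for pattern, path in hunt(EVENTS):
        print(f"{pattern}: {path}")
```

The same parser applies to Sysmon event ID 1 or Windows Security 4688 command lines; the useful alert is the executable case, since a freshly written .exe in C:\ or C:\WINDOWS that is immediately hidden has no benign counterpart on a workstation.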

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 201.229.11.38.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4736-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 bd9acad9d942c154b4e614827b4eb438
SHA1 bfc9110059019c5acc94b81a85569906b7d03743
SHA256 b40b4b8f0e53675b8e3a8a5c3eddcbd2f90f03dda24df1bbc2bed42c4c2c0d6d
SHA512 43366e800c6c2578f2ad69d48d64b41a1696d2532a2311a1286d75318ba684e4879ada0e5f3d0499b86012573fe7c829af7df2487429bf2c1a392c367e526ba7

C:\system.exe

MD5 8cc70d6861940f85173e6c51c718924e
SHA1 9fb3f9eb5b4cdce0a9846424fad75fc54f897a99
SHA256 56d1df9c0d53edc8aa3abba8f7db089f1217ebb5f8867af76f1ceb213f21f97f
SHA512 3621af48c031e663651b505afe8d83bae082b7016b31cfdfd79aeccb635d1107803d79057958ccfb9f9ee657dc99d0a46f29f209b78f7a8485a6df1d27f6785a

memory/4736-20-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ee4ada789158c1e5a14d597cf1d5edd0
SHA1 9593aee78d30d51ab93d6a29dc4dc873e0d466b6
SHA256 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f
SHA512 a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 1349e21be487e7d76cb3ee617fcab5fd
SHA1 4d73fb5b90a3942ea11a66b4a4b8115bf588714c
SHA256 c12383cab440a96f7f59fa471ceed52236ac1c1473a5c64a632b29d333a0df92
SHA512 e5e44809563ea5d39f0f9546419a6fe86aec611146697b4d4aa467ed6be8d07e6bfd1a5f24d0299198d04a80a98c2f7ff0cc77abd504873f30323c5d7197a42c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee