Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-cy1hgsxhjk
Target 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN
SHA256 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592e
Tags
defense_evasion discovery persistence upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592e

Threat Level: Likely malicious

The file 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery persistence upx

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

UPX packed file

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 02:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:29

Reported

2024-10-31 02:41

Platform

win10v2004-20241007-en

Max time kernel

104s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1014096290" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6040543d3e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1014096290" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000022042b5ee06d1322f3d11e6307d39fc402ac3550350b4bb4d0c675d6e3748e07000000000e8000000002000020000000d4e110f2eceb5745ab091154b2d17854d313da53b752848a9a36766222d0a82f20000000404cc68edce51bdba8698d1d3b40f90e41f0dcdb71c0842b18f20767bbd0285d40000000d0785872255fe3b0f12642e3d48f9548f9ff75afa991edca733e6aee537307566a3781f8325a1c65d4147e977fd689fd591958130218c5a35ad2674f22eb2e34 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70144d3d3e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67FA072D-9731-11EF-ADF2-DA67B56E6C1B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1017065054" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437107367" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000005f00d7c89993a1e889b6901f18dee9f297ff66be915ca2814bf79f31a2ee0faa000000000e800000000200002000000098da16899f2ccfc2cd51e5c5afe11ca8d44a756860082878c5c9ae493f12383c20000000272a1e74611c338e6ad52561fad547de9557004214260a4d91330d8c5fbace9e40000000b385e5fa6561715e4e7ff971050fc229a67b424b07689d45b2497fc843351867cf5e0a0e65fe4b6e3b5b614c00b5ad8f09420ebd626a7aa3683f37d34c02b88e C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4460 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4460 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4460 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3936 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3936 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2388 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2008 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2008 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2388 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3900 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3900 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2388 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3568 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3568 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2388 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 5052 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2388 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3016 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3016 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2388 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1956 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1956 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe

"C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4460 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 201.229.11.38.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2388-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\WINDOWS\windows.exe

MD5 7eaa05eb2f9fe1626109501ef1facde5
SHA1 6dc0dbd279aa295c8947d30957196eab34ddfe64
SHA256 8d4aee84ab79c6df337910ae253b03e3ec99e5e73913b3bfff3eac0c2abe7d20
SHA512 3c4e874aed552e1ccd31aaa4756209052857817e4ba60a5525f965f59aa37745bc360efeaef8ec7e115d9fcd2d07a6ede149001d616517682efa71d6933ec013

C:\system.exe

MD5 31f13a0bcd6ebfcfb96b3805cded8832
SHA1 ec1011ad7f407280c964951d8cf19533a79eeb4a
SHA256 2351f199267877ecdd14a10684e08411be0388dfe19c215317135d02454d5a0c
SHA512 398a869d8f2c2275f01c852cda2fec3d0d6c249f97effed8c8e093188a6fde2f9e55861041ed8c196c4c8a14c69a77784727ef9d5dcd792deccf875d89c1ec98

memory/2388-20-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 29df1b7a507e2c042e03935e546145aa
SHA1 ed7f0d2af19d512b2ab7b0bc411281c86f26177b
SHA256 4f156ed018fb99858b42b9ff71a0f3c5d92fc8d9d86b275b7dea82c5621b55fb
SHA512 2ebdc4c6caf33b1dec6187977b7d0539e5cc852213b588af72cb8dfb59dbade0673a09141b34cb42305d9f7fb89230f2ef12457d8dfda2d0adcfb35b9fb8c6b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ee4ada789158c1e5a14d597cf1d5edd0
SHA1 9593aee78d30d51ab93d6a29dc4dc873e0d466b6
SHA256 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f
SHA512 a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 02:29

Reported

2024-10-31 02:41

Platform

win7-20241010-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6256FB51-9731-11EF-B4AF-66AD3A2062CD} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6275ED31-9731-11EF-B4AF-66AD3A2062CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000048a1d57080b5bd48b0f2be538be443f1dee48900733f1001746c73df5d015008000000000e8000000002000020000000e04e4a6b739ba17608f7c478f0ad324599f3e9328a899c100a98da2c3ce9818220000000370a305f69827dc89f9f44fc30bbd4d987edc298c3499a44bd90c7e8bae0ee044000000006cdc59a1d0bb9ccc5449db3885fca63e27510d4a1cd60a83ecba7bb9d79abe42646c7e08051c4abcc9f60f15400daae9116dc2d1dc685e54fc03fd61cb9f5b2 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436504251" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400c383a3e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 2900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 2900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 2900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2860 wrote to memory of 2900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2776 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2776 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2776 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2776 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2660 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2660 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2660 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2776 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2100 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2100 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2100 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2776 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1420 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1420 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1420 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2776 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 920 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 920 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 920 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2776 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1036 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1036 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1036 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2776 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2848 wrote to memory of 1672 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 1672 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 1672 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 1672 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe

"C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 www.ymtuku.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2776-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\WINDOWS\windows.exe

MD5 347189f8b5887446986443f0d7057332
SHA1 eefd23b6ae4027aca206fe529154c413c2d95b2d
SHA256 62277e596802d849c67935335099cc2034728a33799dff07831f83f7758690e5
SHA512 1b7b8fa958418d41160ce34abc04df93ec95c20c6f42ad797187a01591dd7d7c1ac648662f7eccf3beeec24783d401cd5aa8de44e928ec8b5550944adf9e3134

C:\system.exe

MD5 c6de79a5cb2657a423dcab4baa7a6ff1
SHA1 16e238033aae3b4d61b08b8886eeea491d600fad
SHA256 c808dc2e605228bd205885dc59bcdfb71f3bc5f5ae1f08709ce9bac0a2d3e431
SHA512 0ee1f64b47874e09224b607cd642c9b9e8a22daa9a584089b366f5a3bee29356c4ba242b9f4a9f599647c7b571601d156a77e932556db73a1b26b874d18de200

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6256FB51-9731-11EF-B4AF-66AD3A2062CD}.dat

MD5 a4605b2329e93dee3b747ec573a67b1e
SHA1 a3dee4d0502e65ecfb164d85e0fba41607668608
SHA256 9fc05fbbe1a99d9ad18d7bf4ca7707ca3df6abeb2da4aab8032152cfe7a4b77b
SHA512 5d4cedd0a178f4e0e70e0436865baf126a78fcbb76a8ac372786529ddd76fb4aad83567821faab074779e0c965ee0dc0c96394255cc8c282ae0f783f23bc6212

memory/2776-25-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab88FF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar89AF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2a1c19392d8bfba2b9d5c6b1699675a
SHA1 8e7b941607734c2e1974e7a79f6e794b39800005
SHA256 238ccb2ce514a93c4394cf8ff5b80fe5bd4e3f0e63e05def9ed177ccad9f854b
SHA512 db1b39180d50fdf32ba0f38eb3834f3a40c5e526b0af39ea3597f7eec87f3def3d257d9c2e16137f2d2ea078b249dadde36f1f3c2a45221ce6eb3e288a8f993e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c51102bcfda0e4d956d7ae37db53fdcf
SHA1 8bf26931c2acb2f0b49cf264cc7836effd11581a
SHA256 348ac3564ec9b14ff883058c7463044068f81dbae7ba23908038865b4ba48add
SHA512 11aba5105de95b7f1321ad1a87328e23e8837c759b266c146834fa695af573b6cdc54efd224fc66f907e947a8099eeea9c355981dc78507608a5c18e86f63c43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15d80fa50aa44541b566a130b6371b65
SHA1 681ac7ea285bfe54f55baf665f0d738c858732fd
SHA256 5c6df0ccafbb72e958110bb814cb468ad31637919874c9ce73c50e1a7679fd6f
SHA512 2fea00a7761d939f736fc25e461af1b2947b9cdc0ffe4ad7a5b4757ec93e33d7c10203603b6cac6b79897994d412cef32cb65ac59b82e831e0779c26e58ad42f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d90be9d35b846af8d69f5593035993f9
SHA1 2cdaff0cdb25cab694a353731aac4d6e1373cb5b
SHA256 5ed784c453acf8eca02175752dcafe816dafd9e3504f2c068cd28b6dd5272937
SHA512 6228f1c66670a516a28582b866e886e657a17f9762b95fe214a3566187c34dac9a35c067daa080e52f000d946f45d572b1febe46c333d4d1224f3a5cb57c6674

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 939af96e9772739eb0d6a1e8ebd652b8
SHA1 b177ece88500d56b09c0309ccc00be3689849c71
SHA256 aabd35cbc8d8aafdd813e6d46a1d6429c71e4d93af14215a484f2afe2af772ba
SHA512 bcecf77bced712aae5a097d1565745fe068153ff4a582ea47b11512d2b5beabfb1a027375f38f3d19ec9a90cf46688223f2b6b7a21491fce5c5cf1e5a282dfe7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 220181414c4f1cb86c5282bbf016a95e
SHA1 5d4e71b0d3edf248b647c27012d386662628b278
SHA256 0913c8998d3acf6962cb80e90a35827a132c988e66871eda8bf2634f8d91d650
SHA512 cc771ae36b8e8900d4c13be100d31e63e0af85b553a0a60dc59bb8530058eeeb974958c37b04dd94eb7265b6450ad12965191321e40435b93d03195aecf66347

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ecbaf173481d1a487cc631e0ccd3ab7b
SHA1 cfd51a34acb9e77cb928e01006232bef4d26c691
SHA256 df3614314d094db151bc4bfe4c4dcfad96aed67e7abcf3482f4c5ce3211302d7
SHA512 d569212343371ed89244c8a34abba4cfdad0c83bfa707fd6a69aef6070f7c6caeb15eb109ab131d078f178e87c85c99f2f38c1859d3e48fe9a321017aeacfba8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
