Malware Analysis Report

2025-08-05 11:47

Sample ID 241031-e2nzza1pdm
Target bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b
SHA256 bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b
Tags
upx defense_evasion discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b

Threat Level: Likely malicious

The file bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion discovery persistence

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

UPX packed file

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 04:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 04:26

Reported

2024-10-31 04:29

Platform

win7-20241010-en

Max time kernel

140s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436510691" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000002c734558c2b9d022ac789c0f27c7f3cc3f40ce72d83dacf9c7629774f5cc0cf1000000000e8000000002000020000000b479babbf94163da0da5e61782889b5b48f4cbd5074ba81e124e6e928a4b5f74200000006dd7434dd67b234c1d241e353461006203f56b3395b225008b7293a3bc585a4f40000000944ef153df62e38737cb56c778c1918dc5849bacc2d077fe8f47ded5b8673129f3f56b826808935f8796f5d5afd4ed9523b3bcd96971c4d91a51ac121bb5cf34 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c666374d2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value elided] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5FF0CB21-9740-11EF-A5FC-C670A0C1054F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60194281-9740-11EF-A5FC-C670A0C1054F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 516 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 516 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 516 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 516 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2548 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2548 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2548 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2548 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 516 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 516 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 516 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 516 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 516 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2860 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2860 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2860 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2492 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2492 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2492 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 516 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2668 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2668 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2668 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 516 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2264 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2264 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2264 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 516 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2688 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2688 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2688 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2932 wrote to memory of 1144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2932 wrote to memory of 1144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2932 wrote to memory of 1144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2932 wrote to memory of 1144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2472 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2472 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2472 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe

"C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
US 8.8.8.8:53 www.ymtuku.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/516-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF0CB21-9740-11EF-A5FC-C670A0C1054F}.dat

C:\system.exe

memory/516-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB69.tmp

C:\Users\Admin\AppData\Local\Temp\TarC46.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db26b8c923007cadcee647e9357c5949
SHA1 864135a0dfb1d8477ca1afc2f652ddbbc97a4475
SHA256 9fe56b12fbc696354d7f22f157c1275a6417c4e7aa73c9a782afe45e1de0854e
SHA512 0d6c5c25454648412fc5b66be13ea7fcde1546549b8198e8d8197c17980932ac681fce3759275bf3e99aa6d4dbceb50d73c710cbb41acb5fcb9d343619e3180c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18df4f08c4b6ee0ab90285f7ba4a7bf8
SHA1 6b7d9d2bfd2c9718a24be191594f6495fcb4c0ee
SHA256 a75493b9b909d43f7503b93225e02c8967a6d86159b5d9c1019243b92a5cb313
SHA512 eec2b3c4bfbc60277dfb1aba6e0e0be08a3ea28196ae6b9f33137859966eaf7c530555cdec4dcb5675444d040526b0c7807031159cd172306e37066cff3fb1ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97068992ed64966401aff6105dc74228
SHA1 e401d9f3697aa03b2a756c0cfde5720c5a87e046
SHA256 b1669dc32c85fe27e7af8914aaa42c5f7a35729c66fb9a23afdcd76c4cff27e2
SHA512 2234538aa9499ce0c06cfe86ed73777d7a841432227dfa842a582396b806f04113464424f6c6105c3d0080bef09cb94012e4abc62b4bbf07c576ecb3e729e12d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f6c972d8d724849430b704cac9c1298
SHA1 869437c5e0d32b5f0835b000b9dfb1412496589b
SHA256 8227c0887f7c5d2928d6d6cb9e3264ee9cf4d02968972bc4493e0c024a0ac597
SHA512 577f26759a5f5312d4c60a3923d345ba7e11f94d24d4cb5217b55d27a2a0f3f07fbdb0853426852b0acc99d9466e41f077c7105c6abec6883bb5c61608392caf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2aa6d5d3b3e6f1504875ab58761781fc
SHA1 9eeb986f957ea8076bbd8b71ff487769e74ffcaf
SHA256 8e470d93dfc18a089c34b2611a4b64b09210b13150ce827c1446c13713a4a3db
SHA512 ae7bca8b15f7095e98ab4026a269db537a5122fc5945fd0b5c766a7230a23a7fd924ccf870df04a7c6ba6dbf4de27328f485266751b40d41bb1cf53a26f1da6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38affb8a0b9f8342f5b305c38b86d57b
SHA1 3ae788431e4e7d15f5f9c02cfb92224118a1f507
SHA256 46dd8a0276937d1bc0b4840328bca1bea7789b916dfe9e9063c55352cf185398
SHA512 75f9b3c6b4fe70da9090b588e1f5c4f7d7d8d47f2039b70c329100c4e5b6c8346268b42446fc85645b0e7eeac2eb4526c72365f624e6b495961f4fe1e16da74f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 685829012a04e6651100a17c43010dab
SHA1 161181f8509a23e98c70e0f0d3840f310db4e472
SHA256 f2362a671476aad1c67f5598ee583c44d5f6b0aa770bf82b70aac6e0a7773331
SHA512 622235df63f35a5a879e13c893e8869a8bbd5cff619dfb5485718c935b45d56e716675e30937fe05c3347705f7c64d6a40a5dd3288dd5c54af8e5e5b80a24209

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3092bc69bb373ecab7ab9321397da1e
SHA1 d92c4ea70e585481b3c2089a15ca3da2b1f03fc0
SHA256 c5d02fb621d559e30435be9868286674eb88b45a68efb0e30ee54ee9aa5d10be
SHA512 2b6e92c60824b4cbe0b0ca3995381d0c87c9947b81d05a996d739b6e414d7752ee7a09cd5caec24f5928a33b79aebf660cd9472ea13555b4e14c3c14674a0260

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bcde82a1e9e563c45715728b6786750
SHA1 29c04e2b6b22287c90945654e17ea55545436115
SHA256 ab59ce3400fdb1f98408aa9618521672efb7a8c67a52c4dfb3104ca327cd14e9
SHA512 339abb92b1b0437ea42b800d2050c99c07eed6d186d0372bdf43d893a21d3945af9333ddcac2bfb93b8edb31d1906823477c8d9c1f2df74b4f572944a02aa9bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9dd15371a909a064933a977a176cb09
SHA1 f22658e91e0195f84ebe7eac3fad51257fe2e9b0
SHA256 27b885efd19ffe2f45e05046506bab505864f33ae2c61a68cb4665fdb373edce
SHA512 7d21c31bbe63bb764b6008635436d187654082edb6ff1525b85cf5df7511cf0baf22402ea3d038d45d4b50acd8f5dfe25e3e3eedf95c2a76d15f1d4fc7dddda6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd6dbf8a14280dfa5d9f41377e366461
SHA1 8f0d01f0cc8358d30a159110402b7d339a483caa
SHA256 2ba1d43f4e1bc9909f853a891ff9b454f31f8c75d922ae262481e69b63f27198
SHA512 ac4764cf84f72be426bf6897581e5a1c2b0bf5383bc74738498f929db2be895e591592da15bdad0392873aca87b79d81c0232d4daecd7b86263a4a92838a1a6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 554094881fe586c0ae29bb149e0116b0
SHA1 6cf8cd47feffbc7c99f54226782301e8669c02d6
SHA256 0d6be37219e30d0f47a9dacb8822e2c9eacfc1d1ae07ec8e2b87dec30a555ba6
SHA512 728124eeb9310217f107118e67ac0792542fb6fee87d1cd7c4d7b0cfffdd3fc7fc29e78fd466bac11c2d5dbac29b53785ded0e7cca314ac81a44cb671395d4ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f360c041b048146ff6faf87ce927c011
SHA1 3afd76f107d2a0464ab2956b9b30236f67b131e5
SHA256 a0553dea98769121e713f0fff1edcb81edd5823633c853b605b539322b3cc011
SHA512 5abd5ac86baa61dadcdf9716cd4f9965449734b57cfd554715d786681e4a7900620e8f057d385b3287eae395ca44ff951b51285b9471555ce2ea18e55fbb0e0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b6a80773b969a427727f1160a323b3f
SHA1 b3a38568f6a45bb0ef31aac4f4f5debd33c474da
SHA256 ece87ca13efd4af78cfc901b8e893dd0d0402691efcd35d132524f8711153df0
SHA512 653f69d57e9795f1a7e7d12d368d888f5b05c1fe9c1c96680fa75e7909c5d3ef50dc6427fac8cf6eb85b93be06b30789ad01dab5ee10bb698459cba9a11482c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a872a84010b4f542ba8883c3b5b1ad8
SHA1 1cfef5483c939e935e89c54399a970e61508a51d
SHA256 02103ee074b75da809ee0b7029260e5e99118ecad123a5185d1b5940ba1a9e77
SHA512 4bc976a1d4584d0c03c181c250f53787756eae6ce380c6fddfb128e2f822ffa7d2ad23ddc0180de763e0e26e4ca68c81e41c80c215360fe9c796804a38f0ae19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae4d1244dd81d9a0b0145d855c616c99
SHA1 147c952a2042ad717d94d29af922607294a9bbff
SHA256 70577f4430c649a37c1ab0d92008b94be3a7c9f8af5520efc0cae2bf859add2e
SHA512 1f47088d666cfac8814c97e56a1063fb0b3ed5ba3bb1613d788a63adc2c6207df7661f64d17d881b71e05cc37f6ca067cca4f359f9fbf94699ba9b8f042bbef8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6eec9ed26284299866f26eef9b4507e5
SHA1 c714d2167e2a8cba6240af46b61762447b0c4039
SHA256 028983b3284a5722397c2f74bd93b6b6ada8c73d432ef659b5a5a811d4a12721
SHA512 282ff1be3b4022dfefdadb566f48353b66b7d886ddd9297bc3876b1de20c33a3bf2c8c2ac6e57cadeaa20eaf3ebae3cb0bc345049d2894c376b05a4f0103d1d3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 04:26

Reported

2024-10-31 04:29

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f6e3234d2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eb61b8129730f5c86da2f34e539d6c9346317cbfc842a94883ca6b78553f3360000000000e8000000002000020000000204f69666c2cc85d6befcb8b2e9f6b1e02ad9b1f0b42595fd451e99c11401aa8200000005b3d22c53641ace294d37a5520867e808813e4b39d40f94d8d8239acdee5f041400000000d81db14da271c8dc1c2dbd67a245e01bdcd758ffe67d6b6278393508368ebfe4d30dd6e2547c94b5358352cded696e3cef92b0fe9ce73830d68d91ebb26d33c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000883b393558d3a4068639e1fb3bb3d51c72b91523d64d8dc5ddea385fcb64de9f000000000e8000000002000020000000d978711c483b4dde784fbacf24ee5c75baf0e31bf5c07ad7175b5381b8b42c5c2000000062349e26355f3e90851f6bf4d0aabecb96c1090b6df528690b2fa0240fc15cd24000000066823bf39f2a353f9dc59a52d84e2fb11726196136f790cb9072a463760463be207824ee0d860b61b324b2ecd7763af2692fe203f61da6713d1d03049091d50f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1022eb234d2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "579804950" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437113766" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "579804950" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140685" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140685" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E1743DC-9740-11EF-ADF2-FA9F886F8D04} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "582773418" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140685" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1744 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4352 wrote to memory of 3076 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4352 wrote to memory of 3076 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4352 wrote to memory of 3076 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1744 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1744 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1744 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2596 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2596 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1548 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1548 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1176 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1176 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1380 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1380 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2172 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2172 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1460 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1460 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1172 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1172 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe

"C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4352 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"
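The process trees of both detonations show the same two-part pattern: the sample registers C:\system.exe as an Active Setup StubPath (behavioral2 signatures above) and then hides the dropped copies and the Internet Explorer shortcuts with cmd /c attrib +h. The script below is an added triage example written for this page; it is not part of the sandbox report or of any vendor tooling. It takes the Active Setup rows and the attrib command lines from the behavioral2 section as constructed input and applies the checks a responder would run against a live host: the component id is not a well-formed GUID (it contains non-hex characters), the StubPath points at a file in the root of the system drive rather than under Windows or Program Files, and that same file is the one hidden with attrib +h. Two caveats the tables support: the dropped windows.exe and system.exe carry different hashes in behavioral1 and behavioral2, so detection should key on the Active Setup entry and the paths rather than on the dropped-file hashes; and the hidden .lnk targets use Chinese-locale folder names under C:\Documents and Settings, which will not resolve on the en-US images used here, so only the two attrib calls against the .exe files can have taken effect in this run. The trusted-directory list is an assumption to tune per estate.

```python
"""Triage the Active Setup persistence + attrib +h hiding pattern from this report."""
import re

# --- Constructed input: rows copied from the behavioral2 tables of this report ---
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe")

ACTIVE_SETUP_ROWS = [
    r"Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup"
    r"\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} " + SAMPLE + " N/A",
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup"
    r'\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" '
    + SAMPLE + " N/A",
]

COMMAND_LINES = [
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"',
]

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
STUBPATH_RE = re.compile(r'Installed Components\\(\{[^}]+\})\\StubPath = "([^"]+)"')
ATTRIB_RE = re.compile(r'attrib\s+\+h\s+"([^"]+)"', re.I)
# Assumption for this example: where a legitimate Active Setup stub normally lives.
TRUSTED_STUB_DIRS = ("c:\\windows\\", "c:\\program files")


def triage_active_setup(rows):
    """One finding per StubPath value seen, with the reasons it looks suspicious."""
    findings = []
    for row in rows:
        m = STUBPATH_RE.search(row)
        if not m:
            continue                      # "Key created" rows carry no StubPath
        clsid, raw = m.groups()
        stub = raw.replace("\\\\", "\\")  # the report doubles backslashes in string values
        low = stub.lower()
        reasons = []
        if not CLSID_RE.match(clsid):
            reasons.append("component id is not a well-formed GUID")
        if not low.startswith(TRUSTED_STUB_DIRS):
            reasons.append("StubPath outside Windows/Program Files")
        if re.fullmatch(r"[a-z]:\\[^\\]+", low):
            reasons.append("StubPath is a file in the drive root")
        findings.append({"clsid": clsid, "stub_path": stub, "reasons": reasons})
    return findings


def hidden_targets(command_lines):
    """Paths hidden with attrib +h, bucketed by file extension."""
    buckets = {}
    for line in command_lines:
        for path in ATTRIB_RE.findall(line):
            ext = path.rsplit(".", 1)[-1].lower()
            buckets.setdefault(ext, []).append(path)
    return buckets


def summarize(rows=ACTIVE_SETUP_ROWS, command_lines=COMMAND_LINES):
    """Cross-match: a StubPath that is also hidden on disk is the strongest signal."""
    persistence = triage_active_setup(rows)
    hidden = hidden_targets(command_lines)
    hidden_exes = {p.lower() for p in hidden.get("exe", [])}
    for finding in persistence:
        finding["hidden_on_disk"] = finding["stub_path"].lower() in hidden_exes
    return {"persistence": persistence, "hidden": hidden}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2, ensure_ascii=False))
```

On a live host the same checks apply to the values under HKLM\Software\Microsoft\Active Setup\Installed Components (and the WOW6432Node view); Active Setup runs the StubPath once per user at next logon, so a fresh entry with a malformed id and a root-level StubPath is worth an alert on its own.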

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 201.229.11.38.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
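The Network tables of both detonations mix three kinds of rows: resolution events against the sandbox resolver 8.8.8.8:53, reverse lookups (the *.in-addr.arpa names), and the TCP connections themselves, of which ieonline.microsoft.com and tse1.mm.bing.net are Internet Explorer's own background endpoints rather than anything the sample chose. The script below is an added example written for this page, not part of the report; it takes a subset of the behavioral2 rows above as constructed input and separates the sample's infrastructure from that noise. It also reverses the PTR names and cross-matches them against the candidate hosts: 201.229.11.38.in-addr.arpa is the reverse of 38.11.229.201, the host that served www.212ok.com. A domain that is only resolved and never connected to (www.ymtuku.com in behavioral1) still counts as an indicator, and the script keeps it for that reason. The benign-suffix allowlist is an assumption to tune per estate.

```python
"""Separate likely attacker infrastructure from browser background noise."""
import ipaddress

# Constructed input: a subset of the behavioral2 Network rows above, in the
# report's own "Country Destination Domain Proto" layout.
NETWORK_ROWS = """\
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 201.229.11.38.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Assumption for this example: Internet Explorer's own background endpoints.
BENIGN_SUFFIXES = (".microsoft.com", ".bing.net", ".bing.com", ".windows.com")


def parse_rows(text):
    """Turn the space-separated table into dicts; skips malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'201.229.11.38.in-addr.arpa' -> '38.11.229.201'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def is_benign(domain):
    return domain.endswith(BENIGN_SUFFIXES)


def triage(rows):
    resolved, ptr_lookups = set(), set()
    candidate_domains, candidate_endpoints, noise_domains = set(), set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:   # resolver traffic, not a peer
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_lookups.add(ip)
            elif is_benign(r["domain"]):
                noise_domains.add(r["domain"])
            else:
                resolved.add(r["domain"])
            continue
        if is_benign(r["domain"]):
            noise_domains.add(r["domain"])
            continue
        candidate_domains.add(r["domain"])
        candidate_endpoints.add(f'{r["ip"]}:{r["port"]}')
    candidate_domains |= resolved          # queried but never connected still counts
    candidate_ips = {e.rsplit(":", 1)[0] for e in candidate_endpoints}
    return {
        "candidate_domains": candidate_domains,
        "candidate_endpoints": candidate_endpoints,
        "ptr_hits": ptr_lookups & candidate_ips,   # reverse lookups of a candidate host
        "noise_domains": noise_domains,
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {sorted(value)}")
```

The resolver address (8.8.8.8) and the country column describe the sandbox and the hosting provider, not the sample, so neither belongs in a blocklist; the domains, the 38.11.229.201:80 endpoint, and the two URLs passed to iexplore.exe in the process list are the actionable indicators.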

Files

memory/1744-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 0d643f8ca9a5f24bac69ccd1986f5fb1
SHA1 ff06461b3f95a679352ec542cd3abefb53cdeb1e
SHA256 159e71020a22eebb03495b233cf1522365f1cdfd5de24529bf186bd707688466
SHA512 25e7dd7e1e9a49183e3571c500c7a3fe96ec71cbb1aeaf1e1fc9aa5b5cf492022163654e1618b72c70bacbef7c142f7acd92e732c7a5f02f86f74716d3125095

C:\system.exe

MD5 430eac61f61a22cc69110a391b60e2ba
SHA1 827c47f270f2d09d46fb0788828a6474cc66a6fd
SHA256 93fc3dfa0f33f1d9fb56783eebe9fbf00991e33ab2d6ce1b94bdea9ae71f9ece
SHA512 c3107fdcd46b747dd922fd741e63aed94390e95850e745c7241e7c71db65093a55ae0929cf151f61e98dc67d4c2d3b13be7b9f879346ad428abcbabfbd156e01

memory/1744-20-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ee4ada789158c1e5a14d597cf1d5edd0
SHA1 9593aee78d30d51ab93d6a29dc4dc873e0d466b6
SHA256 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f
SHA512 a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4c4a67a6af6ffef3895c962045ef9a7b
SHA1 517e72f0e272b0d2b799725836c141e749a233b1
SHA256 74fe1ff2b3ddc150a4321f434d03872f6c118f18359b0706fb4cb79f4560925e
SHA512 59226dcf31849b949921fcfb4eef9022d42202cd4afbf8f6627de8de8ae9e0ec0dc0affc61dc9224ae1c21c6f6188a2aa585fc60b953b6513a211a258db8a79d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee