Analysis Overview
SHA256
bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b
Threat Level: Likely malicious
The file bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
UPX packed file
Drops file in System32 directory
Hide Artifacts: Hidden Files and Directories
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer start page
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 04:26
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 04:26
Reported
2024-10-31 04:29
Platform
win7-20241010-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436510691" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000002c734558c2b9d022ac789c0f27c7f3cc3f40ce72d83dacf9c7629774f5cc0cf1000000000e8000000002000020000000b479babbf94163da0da5e61782889b5b48f4cbd5074ba81e124e6e928a4b5f74200000006dd7434dd67b234c1d241e353461006203f56b3395b225008b7293a3bc585a4f40000000944ef153df62e38737cb56c778c1918dc5849bacc2d077fe8f47ded5b8673129f3f56b826808935f8796f5d5afd4ed9523b3bcd96971c4d91a51ac121bb5cf34 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c666374d2bdb01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000009a3d5b820d6d88a4f49aa9c6b76020e922aa6288c71b2aab60b7ec62cb131fbc000000000e80000000020000200000000b7a63a8de754146fafc68a858363643710f7d8d0acf84da9e3be34cf818efef90000000f93bd18d516115ea01cdf4190de27b03dac24fa8ad7fe8600663d7a9303b4c213c1f6855392bdac9095cd8f008c9e0dcd6149af06b140434a8db0db61b61ab53e7aef87739b339c55cc103da0590ac2008f70494e66b47957719f42e64cd12c30d5088b7b3c5115fcf01e089286ba8d497daf67077713e9fac76f2d07c1ebf0d072f31fb249ff661f0be1a378a468d5940000000a6f12b43885b85d115ff01e9b5d552c3f352eb752de211df627974317c17f748d16a1c5133bc98a63dc10f736d077a0137861213e1b33f4d05047bd5ecf0b7a9 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5FF0CB21-9740-11EF-A5FC-C670A0C1054F} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60194281-9740-11EF-A5FC-C670A0C1054F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
"C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.212ok.com | udp |
| US | 8.8.8.8:53 | www.ymtuku.com | udp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/516-0-0x0000000000400000-0x0000000000429000-memory.dmp
C:\WINDOWS\windows.exe
| MD5 | 959580a2d105e6140652d2a3ec6e5630 |
| SHA1 | 6d407fa2193dba88750a29aa2872f42fa6d939fb |
| SHA256 | 11c9d47686b80ee6ed67d479344368e7e115736461712bd335af225e650d4d71 |
| SHA512 | e7706fa6993e33543df08405eb019412015cf99da7f8034007c8740d2d890e96af211f51cb2aa72f03f72ee97aa745ee57cee1b8e09f54d49c3ec48f68ad26b6 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF0CB21-9740-11EF-A5FC-C670A0C1054F}.dat
| MD5 | 5c7d06241871b92c6743a4045b2b6a7a |
| SHA1 | 221601389dbb1dd1d982bbffd19ee7c84d4fae7a |
| SHA256 | 07a1196b9f908bba84e8b8a12058f4610aa849190959ddca5f9989a51ee9265e |
| SHA512 | c30dced3884c6d90d281186aa000b37f9f85be64c9429972ba8e9cd9ec22acd7a2199f97741345a6a3d4812a1268d0f2496be3cfd0bc67b68cd058dc1141d0f2 |
C:\system.exe
| MD5 | 3125f9d1dc071b11b2ee21dcb8f844a7 |
| SHA1 | b98911e4c2ef5397245154fa3b914f5c756dea97 |
| SHA256 | 16c93102e4b7efc4146b2d0d31da792026b38815be54409594a74677c99e5721 |
| SHA512 | 8558e5fc790f0119867181ce4be488e0408a37b4067e5617e47a44aa7995dd9a87c2bbc3423fd116aad070b8f2a6b9f255f890f7837b7c93b8c5cbac527beb52 |
memory/516-25-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB69.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC46.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db26b8c923007cadcee647e9357c5949 |
| SHA1 | 864135a0dfb1d8477ca1afc2f652ddbbc97a4475 |
| SHA256 | 9fe56b12fbc696354d7f22f157c1275a6417c4e7aa73c9a782afe45e1de0854e |
| SHA512 | 0d6c5c25454648412fc5b66be13ea7fcde1546549b8198e8d8197c17980932ac681fce3759275bf3e99aa6d4dbceb50d73c710cbb41acb5fcb9d343619e3180c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18df4f08c4b6ee0ab90285f7ba4a7bf8 |
| SHA1 | 6b7d9d2bfd2c9718a24be191594f6495fcb4c0ee |
| SHA256 | a75493b9b909d43f7503b93225e02c8967a6d86159b5d9c1019243b92a5cb313 |
| SHA512 | eec2b3c4bfbc60277dfb1aba6e0e0be08a3ea28196ae6b9f33137859966eaf7c530555cdec4dcb5675444d040526b0c7807031159cd172306e37066cff3fb1ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97068992ed64966401aff6105dc74228 |
| SHA1 | e401d9f3697aa03b2a756c0cfde5720c5a87e046 |
| SHA256 | b1669dc32c85fe27e7af8914aaa42c5f7a35729c66fb9a23afdcd76c4cff27e2 |
| SHA512 | 2234538aa9499ce0c06cfe86ed73777d7a841432227dfa842a582396b806f04113464424f6c6105c3d0080bef09cb94012e4abc62b4bbf07c576ecb3e729e12d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f6c972d8d724849430b704cac9c1298 |
| SHA1 | 869437c5e0d32b5f0835b000b9dfb1412496589b |
| SHA256 | 8227c0887f7c5d2928d6d6cb9e3264ee9cf4d02968972bc4493e0c024a0ac597 |
| SHA512 | 577f26759a5f5312d4c60a3923d345ba7e11f94d24d4cb5217b55d27a2a0f3f07fbdb0853426852b0acc99d9466e41f077c7105c6abec6883bb5c61608392caf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2aa6d5d3b3e6f1504875ab58761781fc |
| SHA1 | 9eeb986f957ea8076bbd8b71ff487769e74ffcaf |
| SHA256 | 8e470d93dfc18a089c34b2611a4b64b09210b13150ce827c1446c13713a4a3db |
| SHA512 | ae7bca8b15f7095e98ab4026a269db537a5122fc5945fd0b5c766a7230a23a7fd924ccf870df04a7c6ba6dbf4de27328f485266751b40d41bb1cf53a26f1da6b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38affb8a0b9f8342f5b305c38b86d57b |
| SHA1 | 3ae788431e4e7d15f5f9c02cfb92224118a1f507 |
| SHA256 | 46dd8a0276937d1bc0b4840328bca1bea7789b916dfe9e9063c55352cf185398 |
| SHA512 | 75f9b3c6b4fe70da9090b588e1f5c4f7d7d8d47f2039b70c329100c4e5b6c8346268b42446fc85645b0e7eeac2eb4526c72365f624e6b495961f4fe1e16da74f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 685829012a04e6651100a17c43010dab |
| SHA1 | 161181f8509a23e98c70e0f0d3840f310db4e472 |
| SHA256 | f2362a671476aad1c67f5598ee583c44d5f6b0aa770bf82b70aac6e0a7773331 |
| SHA512 | 622235df63f35a5a879e13c893e8869a8bbd5cff619dfb5485718c935b45d56e716675e30937fe05c3347705f7c64d6a40a5dd3288dd5c54af8e5e5b80a24209 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d3092bc69bb373ecab7ab9321397da1e |
| SHA1 | d92c4ea70e585481b3c2089a15ca3da2b1f03fc0 |
| SHA256 | c5d02fb621d559e30435be9868286674eb88b45a68efb0e30ee54ee9aa5d10be |
| SHA512 | 2b6e92c60824b4cbe0b0ca3995381d0c87c9947b81d05a996d739b6e414d7752ee7a09cd5caec24f5928a33b79aebf660cd9472ea13555b4e14c3c14674a0260 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5bcde82a1e9e563c45715728b6786750 |
| SHA1 | 29c04e2b6b22287c90945654e17ea55545436115 |
| SHA256 | ab59ce3400fdb1f98408aa9618521672efb7a8c67a52c4dfb3104ca327cd14e9 |
| SHA512 | 339abb92b1b0437ea42b800d2050c99c07eed6d186d0372bdf43d893a21d3945af9333ddcac2bfb93b8edb31d1906823477c8d9c1f2df74b4f572944a02aa9bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9dd15371a909a064933a977a176cb09 |
| SHA1 | f22658e91e0195f84ebe7eac3fad51257fe2e9b0 |
| SHA256 | 27b885efd19ffe2f45e05046506bab505864f33ae2c61a68cb4665fdb373edce |
| SHA512 | 7d21c31bbe63bb764b6008635436d187654082edb6ff1525b85cf5df7511cf0baf22402ea3d038d45d4b50acd8f5dfe25e3e3eedf95c2a76d15f1d4fc7dddda6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd6dbf8a14280dfa5d9f41377e366461 |
| SHA1 | 8f0d01f0cc8358d30a159110402b7d339a483caa |
| SHA256 | 2ba1d43f4e1bc9909f853a891ff9b454f31f8c75d922ae262481e69b63f27198 |
| SHA512 | ac4764cf84f72be426bf6897581e5a1c2b0bf5383bc74738498f929db2be895e591592da15bdad0392873aca87b79d81c0232d4daecd7b86263a4a92838a1a6f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 554094881fe586c0ae29bb149e0116b0 |
| SHA1 | 6cf8cd47feffbc7c99f54226782301e8669c02d6 |
| SHA256 | 0d6be37219e30d0f47a9dacb8822e2c9eacfc1d1ae07ec8e2b87dec30a555ba6 |
| SHA512 | 728124eeb9310217f107118e67ac0792542fb6fee87d1cd7c4d7b0cfffdd3fc7fc29e78fd466bac11c2d5dbac29b53785ded0e7cca314ac81a44cb671395d4ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f360c041b048146ff6faf87ce927c011 |
| SHA1 | 3afd76f107d2a0464ab2956b9b30236f67b131e5 |
| SHA256 | a0553dea98769121e713f0fff1edcb81edd5823633c853b605b539322b3cc011 |
| SHA512 | 5abd5ac86baa61dadcdf9716cd4f9965449734b57cfd554715d786681e4a7900620e8f057d385b3287eae395ca44ff951b51285b9471555ce2ea18e55fbb0e0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b6a80773b969a427727f1160a323b3f |
| SHA1 | b3a38568f6a45bb0ef31aac4f4f5debd33c474da |
| SHA256 | ece87ca13efd4af78cfc901b8e893dd0d0402691efcd35d132524f8711153df0 |
| SHA512 | 653f69d57e9795f1a7e7d12d368d888f5b05c1fe9c1c96680fa75e7909c5d3ef50dc6427fac8cf6eb85b93be06b30789ad01dab5ee10bb698459cba9a11482c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a872a84010b4f542ba8883c3b5b1ad8 |
| SHA1 | 1cfef5483c939e935e89c54399a970e61508a51d |
| SHA256 | 02103ee074b75da809ee0b7029260e5e99118ecad123a5185d1b5940ba1a9e77 |
| SHA512 | 4bc976a1d4584d0c03c181c250f53787756eae6ce380c6fddfb128e2f822ffa7d2ad23ddc0180de763e0e26e4ca68c81e41c80c215360fe9c796804a38f0ae19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae4d1244dd81d9a0b0145d855c616c99 |
| SHA1 | 147c952a2042ad717d94d29af922607294a9bbff |
| SHA256 | 70577f4430c649a37c1ab0d92008b94be3a7c9f8af5520efc0cae2bf859add2e |
| SHA512 | 1f47088d666cfac8814c97e56a1063fb0b3ed5ba3bb1613d788a63adc2c6207df7661f64d17d881b71e05cc37f6ca067cca4f359f9fbf94699ba9b8f042bbef8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6eec9ed26284299866f26eef9b4507e5 |
| SHA1 | c714d2167e2a8cba6240af46b61762447b0c4039 |
| SHA256 | 028983b3284a5722397c2f74bd93b6b6ada8c73d432ef659b5a5a811d4a12721 |
| SHA512 | 282ff1be3b4022dfefdadb566f48353b66b7d886ddd9297bc3876b1de20c33a3bf2c8c2ac6e57cadeaa20eaf3ebae3cb0bc345049d2894c376b05a4f0103d1d3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 04:26
Reported
2024-10-31 04:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f6e3234d2bdb01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eb61b8129730f5c86da2f34e539d6c9346317cbfc842a94883ca6b78553f3360000000000e8000000002000020000000204f69666c2cc85d6befcb8b2e9f6b1e02ad9b1f0b42595fd451e99c11401aa8200000005b3d22c53641ace294d37a5520867e808813e4b39d40f94d8d8239acdee5f041400000000d81db14da271c8dc1c2dbd67a245e01bdcd758ffe67d6b6278393508368ebfe4d30dd6e2547c94b5358352cded696e3cef92b0fe9ce73830d68d91ebb26d33c | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000883b393558d3a4068639e1fb3bb3d51c72b91523d64d8dc5ddea385fcb64de9f000000000e8000000002000020000000d978711c483b4dde784fbacf24ee5c75baf0e31bf5c07ad7175b5381b8b42c5c2000000062349e26355f3e90851f6bf4d0aabecb96c1090b6df528690b2fa0240fc15cd24000000066823bf39f2a353f9dc59a52d84e2fb11726196136f790cb9072a463760463be207824ee0d860b61b324b2ecd7763af2692fe203f61da6713d1d03049091d50f | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1022eb234d2bdb01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "579804950" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437113766" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "579804950" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140685" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140685" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E1743DC-9740-11EF-ADF2-FA9F886F8D04} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "582773418" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140685" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
"C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4352 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.212ok.com | udp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.229.11.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1744-0-0x0000000000400000-0x0000000000429000-memory.dmp
C:\WINDOWS\windows.exe
| MD5 | 0d643f8ca9a5f24bac69ccd1986f5fb1 |
| SHA1 | ff06461b3f95a679352ec542cd3abefb53cdeb1e |
| SHA256 | 159e71020a22eebb03495b233cf1522365f1cdfd5de24529bf186bd707688466 |
| SHA512 | 25e7dd7e1e9a49183e3571c500c7a3fe96ec71cbb1aeaf1e1fc9aa5b5cf492022163654e1618b72c70bacbef7c142f7acd92e732c7a5f02f86f74716d3125095 |
C:\system.exe
| MD5 | 430eac61f61a22cc69110a391b60e2ba |
| SHA1 | 827c47f270f2d09d46fb0788828a6474cc66a6fd |
| SHA256 | 93fc3dfa0f33f1d9fb56783eebe9fbf00991e33ab2d6ce1b94bdea9ae71f9ece |
| SHA512 | c3107fdcd46b747dd922fd741e63aed94390e95850e745c7241e7c71db65093a55ae0929cf151f61e98dc67d4c2d3b13be7b9f879346ad428abcbabfbd156e01 |
memory/1744-20-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | ee4ada789158c1e5a14d597cf1d5edd0 |
| SHA1 | 9593aee78d30d51ab93d6a29dc4dc873e0d466b6 |
| SHA256 | 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f |
| SHA512 | a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4c4a67a6af6ffef3895c962045ef9a7b |
| SHA1 | 517e72f0e272b0d2b799725836c141e749a233b1 |
| SHA256 | 74fe1ff2b3ddc150a4321f434d03872f6c118f18359b0706fb4cb79f4560925e |
| SHA512 | 59226dcf31849b949921fcfb4eef9022d42202cd4afbf8f6627de8de8ae9e0ec0dc0affc61dc9224ae1c21c6f6188a2aa585fc60b953b6513a211a258db8a79d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |