Analysis
max time kernel: 116s
max time network: 114s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 09:47
Static task: static1
Behavioral task: behavioral1
Sample: 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
Resource: win7-20240903-en
General
Target: 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
Size: 1.2MB
MD5: 34d850caf862d761d89d5b026c8cfa20
SHA1: 3c972ebbc6880e3cc53a9c0bb697ea5ab2453e30
SHA256: 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80
SHA512: 2cad240d3175fe95e03aca9d8d902a4ce8cb3c947884543f251892d9792519f75eec66547318e50e664601e9ded9c0e585fdb28bbb411ac8972b0ffc0b013740
SSDEEP: 24576:GNoEYOvOSDvI5EJqbJSVEePoHDHZQdJY9WaChFeN5OFBy+p:GNmwOUhJqbJS+eQHjZ1YhqUyK
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
1560  wingames.exe
2744  QvodSetupPlus3.exe
Loads dropped DLL (18 IoCs)
pid   Process
2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
1848  rundll32.exe
1848  rundll32.exe
1848  rundll32.exe
1848  rundll32.exe
2492  rundll32.exe
2492  rundll32.exe
2492  rundll32.exe
2492  rundll32.exe
2492  rundll32.exe
1548  regsvr32.exe
2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
2744  QvodSetupPlus3.exe
2744  QvodSetupPlus3.exe
2744  QvodSetupPlus3.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description      ioc                                                                                                                                    Process
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}!                          regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}!\ = "360°²È«ÎÀÊ¿"  regsvr32.exe
Drops file in System32 directory (4 IoCs)
description                   ioc                               Process
File created                  C:\Windows\SysWOW64\helpme.vbs    rundll32.exe
File created                  C:\Windows\SysWOW64\helpme.ink    rundll32.exe
File created                  C:\Windows\SysWOW64\sysurl.dll    rundll32.exe
File opened for modification  C:\Windows\SysWOW64\sysurl.dll    rundll32.exe
resource                                                                          yara_rule
behavioral1/files/0x000500000001944f-147.dat                                      upx
behavioral1/memory/2744-154-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-157-0x0000000000320000-0x0000000000377000-memory.dmp      upx
behavioral1/memory/2744-164-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-166-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-168-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-170-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-174-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-178-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-180-0x0000000000400000-0x0000000000457000-memory.dmp      upx
behavioral1/memory/2744-184-0x0000000000400000-0x0000000000457000-memory.dmp      upx
Drops file in Program Files directory (30 IoCs)
description                   ioc                                                      Process
File created                  C:\Program Files\Win32Games\jiuzhou.ico                  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\minigame.vbs                 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\URL.dll                      17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\url.txt                      17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File opened for modification  C:\Program Files\Win32Games\Internet.vbs                 rundll32.exe
File created                  C:\Program Files\Win32Games\dangdangwang.ico             17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\Internet.vbs                 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\minigame.ico                 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\Xianjian.ico                 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File opened for modification  C:\Program Files\Win32Games\url.txt                      rundll32.exe
File created                  C:\Program Files\Win32Games\Config.ini                   17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\taobao.vbs                   17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File opened for modification  C:\Program Files\Win32Games\Internet.vbs                 rundll32.exe
File created                  C:\Program Files\Win32Games\bb.tmp                       17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\QvodSetupPlus3.exe           17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\Thumbs.db                    17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\syspowerues.dll              17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\Untitled - 2.ico             17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\zhuoyue.ico                  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\2xi.ico                      17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\2xi.vbs                      17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\bingfeng.ico                 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\bookmarks.dat                17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\wingames.exe                 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe   rundll32.exe
File created                  C:\Program Files\Win32Games\taobao.ico                   17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\baidu.ico                    17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\aaa.bat                      17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\doset.bat                    17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
File created                  C:\Program Files\Win32Games\url.txt                      rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wingames.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QvodSetupPlus3.exe
Modifies Internet Explorer settings
description  ioc                                                                                                      Process
Key created  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main  wingames.exe
Modifies registry class (39 IoCs)
description       ioc                                                                                                                                              Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\syspowerues.dll"  regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}  regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&D)\Command  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"  regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "syspowerues.360SafeMode"  regsvr32.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = 00000000  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&D)  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class"  regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}"  regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.uri  cmd.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile"  cmd.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\InProcServer32  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID  regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.ink  cmd.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32  regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode  regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\ = "Safemon class"  regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut"  cmd.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.uri  cmd.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\{305ca226-d286-468e-b848-2b2e8e697b74} 2 = "0"  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.ink  cmd.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut"  cmd.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile"  cmd.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid  regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "shdocvw.dll"  rundll32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p%:%/%/%w%w%w.6dudu.%c%o%m%/"  rundll32.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
pid   Process
1560  wingames.exe
2744  QvodSetupPlus3.exe
2744  QvodSetupPlus3.exe
2744  QvodSetupPlus3.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid   Process
2744  QvodSetupPlus3.exe
2744  QvodSetupPlus3.exe
2744  QvodSetupPlus3.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
1560  wingames.exe
1560  wingames.exe
1560  wingames.exe

Suspicious use of WriteProcessMemory (40 IoCs)
description                        pid   Process                                                                  procid_target
PID 2088 wrote to memory of 2648   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  30
PID 2088 wrote to memory of 2648   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  30
PID 2088 wrote to memory of 2648   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  30
PID 2088 wrote to memory of 2648   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  30
PID 2088 wrote to memory of 1560   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  32
PID 2088 wrote to memory of 1560   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  32
PID 2088 wrote to memory of 1560   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  32
PID 2088 wrote to memory of 1560   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  32
PID 2088 wrote to memory of 2572   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  33
PID 2088 wrote to memory of 2572   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  33
PID 2088 wrote to memory of 2572   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  33
PID 2088 wrote to memory of 2572   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  33
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 1848   2572  cmd.exe                                                                  35
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 2492   2572  cmd.exe                                                                  36
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2572 wrote to memory of 1548   2572  cmd.exe                                                                  37
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
PID 2088 wrote to memory of 2744   2088  17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe  40
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"
  PID: 2088
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files\Win32Games\aaa.bat" "
    PID: 2648
    - System Location Discovery: System Language Discovery
    - Modifies registry class

  Level 2: C:\Program Files\Win32Games\wingames.exe
    Command line: "C:\Program Files\Win32Games\wingames.exe" "http://reg.weiguan8.com/sqtxj"
    PID: 1560
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files\Win32Games\doset.bat" "
    PID: 2572
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 "C:\Program Files\Win32Games\URL.dll" helpme
      PID: 1848
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class

    Level 3: C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 "C:\Program Files\Win32Games\URL.dll" doset
      PID: 2492
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery

    Level 3: C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 syspowerues.dll /s
      PID: 1548
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies registry class

  Level 2: C:\Program Files\Win32Games\QvodSetupPlus3.exe
    Command line: "C:\Program Files\Win32Games\QvodSetupPlus3.exe"
    PID: 2744
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: deafb00b9e7bdeef9f28c8856cfd3fef
SHA1: aaa520a9d7e7d66d8cc9f46eaf8b7a22fc613405
SHA256: e506df6ed0400ebdc6881225f230fe8ebd9fc0cc4ca0f2fd8e8ce0d5a9baacec
SHA512: 12d2b2b4a72e786a6118b1f0d04d45cbdc0781ec95508738375134c78833b07a21674c52ccf720199a43977de8fc570566ab84029eca3ead689415df6b01746e

Filesize: 333B
MD5: 1e09fbfc0cc38a82530c27c61f72f170
SHA1: 89344f847e4f0261b1138de7cc6f92ab48b9d111
SHA256: 23bc24a0e52be16cdab5895319e888efaff6b65606b3adafdc34d3871480f1bf
SHA512: d903fcb92d34b63348812ffd53b1e2b794f45ced2e59e3d8556b369395b96c4be240e6e9ecbcbbed226989b135804e581a6d4fae7f377d849c8f1c7a68100e41

Filesize: 178KB
MD5: 38fd3a889940f8d5160c0340cfc6a451
SHA1: 6d78fdc78573cbc675d0f20f943cbe03c15f6557
SHA256: aedd37ac77dbffd56d4fc1fd4f72f58a7b575f51ab32845c32a55676609872af
SHA512: 59b7bb1c066d9f85a93a2af7aefc90e1dcd217229cc8eb9e9764e01692b321570400b1dd33cfab161123f61cac06173dd7aa9c22f374ba58150094ed5b99a7c3

Filesize: 23KB
MD5: cdad1c273cbf6e059022029dfbd9bee6
SHA1: 7fb484f24929070097237db926f240e887a23bd5
SHA256: c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1
SHA512: 1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c

Filesize: 103B
MD5: 7391dc80d581fb94646d5ee534a77d1b
SHA1: 1d67613f26b7cc4c01f407817ab80cb84b100115
SHA256: 5b6c03e4940bd851aee7fdfe145b1b69f2d3519acb88b6210c5de6e2fbd74fed
SHA512: c4c15b149b0f5fe4be065acf604a68fd9e46fb81ddab98ee261c820f26e827c11281338c75616673b76cc0cf13f27aab88f81f262f389c87a17c05f17dbab92d

Filesize: 297B
MD5: a7ed90b88fd89dfd6558ab3c9b610ed4
SHA1: b0f8b86e1546f8a1408b7f47a50208bca38b9b9c
SHA256: 6fd3d63e5a2c5cb7e7a5fbdbf44681454175d29c7b29d39510a19429f6fd2e85
SHA512: 89809a38e8fca2069f5c0b4428bdc731605db8114ca889db4316623be8de443b833f3e42f140102fd5bf63b84de76f34cce1348eb8a0979547c4593a92f78eec

Filesize: 341B
MD5: 2d1b6f4bccda34d2ea67f964e1807f31
SHA1: ef2944b0c437fe0fc2b7fd04a6522b8294180c6e
SHA256: 8e18d19fbcbae7563fc69b71fa5fb3b88f51dc46c244f2c3f70d533368d8fe68
SHA512: 64e6a7aab48141edfad71e23a14c47d5527e72c56e709b63f68d4f67d500d3f3dfe3fb2296f256a18a6591447e3bf6cc88d47888519c153c5239652a3db5e82b

Filesize: 343B
MD5: 1f8ba37a69e383b466921b0658c87a11
SHA1: 6a334328b4c66eb35534411b004b7883e2cc2faf
SHA256: f03ea6fa8d3f042e8edbf6f7c90cde3bb183fc5ee1ce6461766dfccc67dfe72c
SHA512: 9f8973019a2b586fd8335505ef70e7d18661942b260bb616ccd3e3755eafcd4c180aa7fbddc4ff2622ae5e97c654dff2491f2befe24be97521bb609fb6ff7ea1

Filesize: 29B
MD5: 44fb4e7d1a22004c3d0459e3cc89d156
SHA1: e7ad2634c4cd7c00dd9447f3ae235d1ff3664c65
SHA256: 0757723787c1c60d2312afc46790c4ea5794b4bd2810a4477003b485cc9be0d9
SHA512: 274454707726b6a6cc29f78b7a46cf5c984b8222e28e15cd98c5bc3808e26208d18c13f0329b48894acb976cf6c850cac119fa1e6a11bf9ad76dba08f0818fe0

Filesize: 1KB
MD5: 937776029e6c9bfcc8f28ca019323415
SHA1: b92a2d7972d0b0a9d0a44d1bc08d7cbf83f5bf72
SHA256: d49f754b19fc84f61abc3a39cfa72f8af308e8eeb463399bdd2ea423bc9a9ae4
SHA512: a5065556e5f45b00c50f0d85812b392d3632c88400471b4e197fc2e1923f2cb2e97d7f225e1bb17bda1277817a7caffc084c2b8c827440839cef027bd393c0c6

Filesize: 443KB
MD5: 4a463f93d431014383aef5af103aca5e
SHA1: 4e45cfd382a61c684d502c606ccee63b8b3c0b5b
SHA256: 895b4248d40e513b46931a4eb9f32990d14d4984d4bd7536280303c3f92a022d
SHA512: b5b64318c96bd61e25126fa936e325886d83b89af321a0bbc22a5a374f4e7057af7ee05d49397017bf3857c22d094d44a7bd3cfb8d471c92efe58a8a8756b8e5

Filesize: 149KB
MD5: 8da481acb7ce2508f68071da569ce84a
SHA1: 8cbac6dd58a715f1618588e97ccd8889f8e6e976
SHA256: 8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4
SHA512: ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6

Filesize: 1.3MB
MD5: b63c3aab2e123fe96a4e7adac47913ec
SHA1: bc59745b880794d99d498c5917be23434de09440
SHA256: d9c65c2ac25b5ec22ddc699dca821e92838834d61f4bcbd4b795a416939afa3d
SHA512: 29cd845a31cb46e941166fddc7e8cdb3f554743f76dac6ca1d6b7ebae922529adef3b92e1e9c668b4e3572fd7010af714cb260c928bce1ec03295a324ee723c0