Analysis Overview
SHA256
dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4ba
Threat Level: Likely malicious
The file dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Hide Artifacts: Hidden Files and Directories
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer start page
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 13:32
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 13:32
Reported
2024-11-09 13:34
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000b1b06bd554dbdc09e1ee84f37dae7b378f6ab85919d1aa670afc471540c48190000000000e800000000200002000000086c0693df7d6a5472671e2f8115569fb6a4a5cdb74dd21645c5edef5c429d388200000004cfa1031f20f83b323deba69090d0b837da39148113e3e4d340fc1c9410d68dc40000000c039fe95c74982d51876be1208787162670a08746a0abfab991a59b8aa1c463ae876112da6529706872d43b969b4abb56c3315b22ac701154957aa1e74398a7d | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437321032" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19F6C4B1-9E9F-11EF-925C-5EE01BAFE073} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dddceeab32db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A061E61-9E9F-11EF-925C-5EE01BAFE073} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
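The "Modifies Internet Explorer settings" table above is dominated by Internet Explorer's own housekeeping writes (window placement, recovery state, tab page data); the writes that matter for triage are the ones made by the sample itself: the creation of the Internet Explorer\Main key and the Start Page change to http://dhku.com. The following is an added example, not part of the sandbox report or its tooling. It parses rows in the report's own table layout, replaces the per-machine user SID so the path can serve as a portable indicator, and separates registry changes under Software\Microsoft\Internet Explorer made by a process other than iexplore.exe. The embedded rows are copied from the tables above as constructed sample input, and the helper names are the example's own.

```python
import re
from collections import defaultdict

# Rows in the report's "| Description | Indicator | Process | Target |" layout.
# Constructed sample input: copied from the tables above (the page has many
# more iexplore.exe rows of the same shape; five are enough to show the split).
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$')
SID_RE = re.compile(r'S-1-5-21(?:-\d+)+')
BROWSER_IMAGES = {'iexplore.exe'}


def parse_rows(text):
    """Turn report table rows into dicts; skips the header row and non-table lines."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1) == 'Description':
            continue
        action, indicator, process, target = m.groups()
        # "Set value" rows carry   <path> = "<value>";   "Key created" rows carry only a path.
        if ' = ' in indicator:
            path, value = indicator.split(' = ', 1)
            value = value.strip('"')
        else:
            path, value = indicator, None
        events.append({
            'action': action,
            'path': path,
            'value': value,
            'process': process,
            'image': process.rsplit('\\', 1)[-1].lower(),
            'target': target,
        })
    return events


def generic_path(path):
    """Replace the per-machine user SID so the path can be used as a portable indicator."""
    return SID_RE.sub('<SID>', path)


def by_image(events):
    """Group rows by the image name that made the change (IEXPLORE.EXE and iexplore.exe merge)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev['image']].append(ev)
    return dict(groups)


def ie_writes_by_non_browser(events):
    """Registry changes under Software\\Microsoft\\Internet Explorer made by something other than the browser."""
    return [ev for ev in events
            if '\\internet explorer\\' in ev['path'].lower() and ev['image'] not in BROWSER_IMAGES]


if __name__ == '__main__':
    events = parse_rows(SAMPLE_ROWS)
    for image, rows in by_image(events).items():
        print(f'{image}: {len(rows)} change(s)')
    for ev in ie_writes_by_non_browser(events):
        print('SUSPICIOUS', ev['image'], ev['action'], generic_path(ev['path']), ev['value'])
```

Run against the full table on this page, the filter leaves exactly the two rows attributed to the sample; everything else is iexplore.exe writing under its own hive and can be dropped from the indicator list.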
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe
"C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:275457 /prefetch:2
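Read together, the process list above shows the persistence and hiding steps in order: the Active Setup StubPath pointing at C:\system.exe (registered under a component name that is not a well-formed GUID, since it contains letters outside 0-9/A-F), seven cmd.exe /c attrib +h runs that hide the two dropped executables and every Internet Explorer shortcut, and the Start Page change to http://dhku.com. The quoted shortcut paths use Chinese folder names on a Windows XP-style C:\Documents and Settings layout: 桌面 is Desktop, 「开始」菜单\程序 is Start Menu\Programs, and 启动 Internet Explorer 浏览器.lnk is the "Launch Internet Explorer browser" Quick Launch shortcut. On this English Windows 7 detonation those shortcut paths most likely did not exist, so the hiding of shortcuts probably failed here while the attrib +h on C:\WINDOWS\windows.exe and c:\system.exe succeeded; that is an inference from the paths, not something the report states. The block below is an added detection example, not part of the report: three rules over Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records, run against records constructed from the values in this report plus two benign controls that must not fire. Field names follow Sysmon; the rule names, the trusted-directory list and the shortcut-folder list are the example's own assumptions.

```python
import re

# Constructed Sysmon-style records built from the values in this report
# (Event ID 1 = process creation, Event ID 13 = registry value set), plus
# two benign controls at the end that must not fire.
SAMPLE_IMAGE = r'C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe'
EVENTS = [
    {'EventID': 13, 'Image': SAMPLE_IMAGE,
     'TargetObject': r'HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath',
     'Details': r'C:\system.exe'},
    {'EventID': 13, 'Image': SAMPLE_IMAGE,
     'TargetObject': r'HKU\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page',
     'Details': 'http://dhku.com'},
    {'EventID': 1, 'Image': r'C:\Windows\SysWOW64\attrib.exe', 'ParentImage': r'C:\Windows\SysWOW64\cmd.exe',
     'CommandLine': r'attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"'},
    {'EventID': 1, 'Image': r'C:\Windows\SysWOW64\attrib.exe', 'ParentImage': r'C:\Windows\SysWOW64\cmd.exe',
     'CommandLine': r'attrib +h "C:\WINDOWS\windows.exe"'},
    {'EventID': 1, 'Image': r'C:\Windows\SysWOW64\attrib.exe', 'ParentImage': r'C:\Windows\SysWOW64\cmd.exe',
     'CommandLine': r'attrib +h "c:\system.exe"'},
    {'EventID': 13, 'Image': r'C:\Program Files\Internet Explorer\iexplore.exe',   # benign control: IE's own key
     'TargetObject': r'HKU\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen',
     'Details': 'no'},
    {'EventID': 1, 'Image': r'C:\Windows\System32\attrib.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'attrib +r "C:\Users\Admin\Documents\notes.txt"'},              # benign control: read-only, not hidden
]

GUID_RE = re.compile(r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$', re.IGNORECASE)
ACTIVE_SETUP_RE = re.compile(r'\\Active Setup\\Installed Components\\(?P<name>[^\\]+)\\StubPath$', re.IGNORECASE)
# Directories an installer-registered StubPath (and the process writing it) would normally live in (assumption).
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
BROWSER_IMAGES = {'iexplore.exe'}
# Shortcut locations, including the Chinese folder names seen in this sample's command lines.
SHORTCUT_DIRS = ('desktop', 'start menu', 'quick launch', '桌面', '「开始」菜单')


def image_name(path):
    return path.rsplit('\\', 1)[-1].lower()


def check_active_setup(ev):
    """Rule 1: StubPath written under Active Setup; score the name, the target and the writer."""
    m = ACTIVE_SETUP_RE.search(ev['TargetObject'])
    if not m:
        return []
    name, stub = m.group('name'), ev['Details'].strip('"')
    reasons = []
    if not GUID_RE.match(name):
        reasons.append(f'component name {name} is not a well-formed GUID')
    if not stub.lower().startswith(TRUSTED_DIRS):
        reasons.append(f'StubPath {stub} is outside Windows/Program Files')
    if not ev['Image'].lower().startswith(TRUSTED_DIRS):
        reasons.append(f'written by {ev["Image"]}')
    return [('active_setup_persistence', '; '.join(reasons))] if reasons else []


def check_start_page(ev):
    """Rule 2: IE Start Page set by a process that is not the browser."""
    if not ev['TargetObject'].lower().endswith('\\software\\microsoft\\internet explorer\\main\\start page'):
        return []
    if image_name(ev['Image']) in BROWSER_IMAGES:
        return []
    return [('browser_hijack_start_page', f'{image_name(ev["Image"])} set Start Page to {ev["Details"]}')]


def attrib_target(cmdline):
    """Last argument of an attrib command line, with surrounding quotes removed."""
    m = re.search(r'"([^"]+)"\s*$', cmdline)
    return m.group(1) if m else cmdline.split()[-1]


def check_attrib_hide(ev):
    """Rule 3: attrib +h on a browser shortcut, or on an .exe in %SystemRoot% or a drive root."""
    if image_name(ev['Image']) != 'attrib.exe' or not re.search(r'\s\+h\b', ev['CommandLine'], re.IGNORECASE):
        return []
    target = attrib_target(ev['CommandLine'])
    t = target.lower()
    if t.endswith('.lnk') and any(d in t for d in SHORTCUT_DIRS):
        return [('hide_browser_shortcut', f'attrib +h on {target}')]
    if t.endswith('.exe') and (t.startswith('c:\\windows\\') or re.match(r'^[a-z]:\\[^\\]+$', t)):
        return [('hide_dropped_executable', f'attrib +h on {target}')]
    return []


def run_detections(events):
    """Apply the three rules; returns (rule, reason) pairs in event order."""
    findings = []
    for ev in events:
        if ev['EventID'] == 13:
            findings += check_active_setup(ev) + check_start_page(ev)
        elif ev['EventID'] == 1:
            findings += check_attrib_hide(ev)
    return findings


if __name__ == '__main__':
    for rule, reason in run_detections(EVENTS):
        print(f'{rule}: {reason}')
```

Sysmon reports registry paths with HKLM/HKU prefixes rather than the \REGISTRY\MACHINE and \REGISTRY\USER forms used in this report, so adapt the prefix handling if the records come from another source. The GUID check is a signal rather than a verdict on its own: Windows itself registers Active Setup components whose names start with ">" and some products use plain names, which is why rule 1 also scores where StubPath points and which image wrote it. When hunting on a live host, the same three facts are cheap to confirm directly: the Installed Components key and its StubPath value, the hidden attribute on C:\WINDOWS\windows.exe and C:\system.exe, and the Start Page value under the affected user's hive.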
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.212ok.com | udp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| US | 8.8.8.8:53 | dhku.com | udp |
| US | 8.8.8.8:53 | www.ymtuku.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2960-0-0x0000000000400000-0x0000000000429000-memory.dmp
C:\WINDOWS\windows.exe
| MD5 | 665518834efc69f99734e7a3e80d4cf1 |
| SHA1 | 9472dfb2cfd095703f4e27eb59d9e4cab8302881 |
| SHA256 | edafdbe4a0a7d79d920b6e39901e3302728e55df1e6a2ef6eb0d9b7c8a199396 |
| SHA512 | 99a34cbd94dad430c6ecb6e8cc16b4af637b67158f1def9cc2249d0102992bc8b84030f3a1e3c8f9aea229dc1800ea9b50e1fbba6ad80ba4f1d22676197ece90 |
C:\system.exe
| MD5 | 2b089a699fc580e4072d1030f62a614a |
| SHA1 | 295839b6d148dd0c81b9354cc44dfbe540fb66f7 |
| SHA256 | 390f7d29f8071fb9e0e18061862969fb2f0738a92c6f08143b8042d5daf954c1 |
| SHA512 | 8251da2e23a598f0c2dce8be07082d4d43247c00603209f9872c556fa26ef904b4adc6dafd90e6e8449c6c9d5464f4445d4b197cb9e9d227fc3f567c146a8a85 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19F6C4B1-9E9F-11EF-925C-5EE01BAFE073}.dat
| MD5 | 657dcb8558fc38331fccf2396c82c3ef |
| SHA1 | 7de91a9e57c9d1ff47b70292cf8aa7ed74775815 |
| SHA256 | 459e832690d6924d3dd115c714ee659e93b0df58dfe17a0526524ca782fa332d |
| SHA512 | 707a5ef186b02b55fbb782b51910175acbffd14485b362a1187b22492cc6e9d92c8d0403e88bde26f2e538255130a998b5f6d120f7703e973b86af28b9147066 |
C:\Users\Admin\AppData\Local\Temp\Cab7227.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar7287.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 916c51cee0192e4c856cc0cfe7daf446 |
| SHA1 | c2b0e128c7e394d45314bdff04f634798f6dbea0 |
| SHA256 | 1b986c4313891125d2cae097a73a87f96c449cb5b28f2de67a75ffef095d4aab |
| SHA512 | 928f9c282b86eec9e14b73cea40bd4e3ded28587b9b17587601e7b5363cae31e42695fc8b0ab2d34ff404560535e667fa231ab95ece97906a6b1f7a1620c305c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3746bb5a1bba73c1ce931e68d0cb315 |
| SHA1 | 288b007b49d0aa7b84bce4dea9c58362ad10bd4f |
| SHA256 | e967ceea2cd7f53cc5bb8f9fc4808b76c6360b854265e914e4f9ba7634017dda |
| SHA512 | fe361aef7cae194a5b62ef031b76d236001fae2ec818d4c98bc9b19c06c072da4a49cc09a50e8733fdda1c80b906cafda1f81ffbec1a43092cef4237f0418f30 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24fd1dffc9d9eed190d21d22b4b37b68 |
| SHA1 | 7d5e6449ae68df24ec4a02a75980b6362e459803 |
| SHA256 | 804f342728051fb07c6fcafe41a330c7c3498468dfb30c5b61db8ae8975e7f44 |
| SHA512 | 8e7abda79d36450c959139dd53cab945e41e6a514f49b0586844d306c9482ee5df40aa5111d37cbb2523c855eb5cbc07c4d242d440f11317be0946b5f539c854 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 136d4593eb01d540a34804230bf151b1 |
| SHA1 | 8dfd46ec1e436f5ff83c99a8f5e9cd1a93bca4e6 |
| SHA256 | 3ed87611bd800b1701fca78dc9c206dbe763781a4aeab24ce41618b5fed15625 |
| SHA512 | 299edeb0e9e8956b85a3113f0e08cb26477e3cad350830696068eec5972562e075bcc2482883d189fce27b9e418a77d144ad79ace3a8bc5c2fffbe9683a463ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d9339a4403bbb638d5dded5af7fc90ca |
| SHA1 | e1e9a09ef771d0e078405a1c5a415c28e2a7fb82 |
| SHA256 | d29444ba1476f7fe42d4a8ccc0bdf89d527169b36c30f3b2bd8ae9e3c5a5e5ba |
| SHA512 | dc856559b1bbdf84270a3f67913ab1c8b629d2cec11faf63c79975a173937c17bc05796d82e5fe0abb53ce4a7d7e21ae92d297ddd7d4bbcc1566b2b490c8150b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d18946e924126bc795ab1fe1c2092de9 |
| SHA1 | 71c88f0712a2cd277d4576f5858c9f6afc671c75 |
| SHA256 | 3d0b8f50ce06fa89cfe95f0669228b4eee809ac6a96c2baa39f8a88de4615fa0 |
| SHA512 | 3694fef430f33b8f696102dba72a98bc7024a1c16a7c8dd2bafb5f5d8bce72cbff272cb20b1035006f7541a1459d2cd3ffcec6b59d8865589a3b8e40f7255268 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f56a12ce0d4e240845b1903d5d50509c |
| SHA1 | 1447e47cc70a72624e293299b974469027cf5e2b |
| SHA256 | b151386a7f2bdbf81e22adacd814e0d0ac77b69f098b2218a0aa53a8537c5e40 |
| SHA512 | b31101ebca3fd4bcb4da2c9ed1ce9c38c7f06df81ba191d9ab11fe556b6e46dddac17be66dae380857ea1795ea89430e7c6912833212a8d23708d64466069f63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 252e5e0ff099ba50eb2bc4e4c8418174 |
| SHA1 | 9ba90630a9d25fc915f4b537c3aaa1692486e292 |
| SHA256 | 78aeb47c159d88f354d2d6b5eed89689741a340870904f0dc49ff26021ec0e0a |
| SHA512 | 08fac6a623957167c3c2c06ca6d8ada6754670f7a349fc1ebeb6d3e56e04b17cf6fb2ac38c8d98d736a9b8ab64636cf35b351f20c56a93a979a76a96dea46554 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6417818eb834c18e2991d030954b61c7 |
| SHA1 | 92e242e72505bbb13330dc758161efd5f5aae09e |
| SHA256 | b8261ad284e203ffa750b153e98d8f0975562c685afc55c64758c76b177aeaae |
| SHA512 | 85401c64f8855ac49218be6efaaaf877e2f4380bffc8979d612606e262c7f5cac862bae993dbb797e3f481f8b6a1cd8d756164c9c5015791c14712281e747f6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d00d6efe88839dee2836f9959954bba0 |
| SHA1 | 27d4eeb5ae545eb8d7d05f1bd603e3654433b8e5 |
| SHA256 | 2e5b505afc007acfdbc6ff29b31ea2d04118f4163d273b842bfcc398c29828f9 |
| SHA512 | b8adf054453974623f4971b3a6e82f48186ff7aefad87f4d0c6ff225e7b4d77091db3c84575fbab503be3cae80b6d154e1ab98074c04d09e86e0d01e6ec6d93f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c68637f9e57f0cd7a5fac34c850f7a3 |
| SHA1 | 2b81537c8d815d4d8106c06ab24180b7b0a896c7 |
| SHA256 | bbc779e012d0451bb0980dfb0f446d515f6d0245d51fd7823dfc58339fa65467 |
| SHA512 | dd2a7856ab30b8820c557c1183d3f25aa4b68cfe5a50d3cb6f5301f6130ba7b7695c4672ea1bfb5be9028783c037ec0ba0ff376e30f99dce210a9bc47975f08a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca8c99a4aaacf22d570ded9c7add7e0b |
| SHA1 | 8058d8f0d9fed0e20171acc1a2b942e502e9fc56 |
| SHA256 | 48c5b48c722504de5633e0f84448bcc58dc1895eff612daf0fd423546228508c |
| SHA512 | dbe964c9a86f604e16f92768822a20f9290c100a39ce4fc5fd7009dba86a9f530949cf504b2d0b686d9f417755c47e2b4d276bd2facf2c61476bcfe6ce7a5f84 |
memory/2960-453-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2adc659e71a9df624bbffc09e0761f70 |
| SHA1 | 90949189fcc5fccf4d415855e7abc06ebf6ce185 |
| SHA256 | 0c9cb4fe7a07555b9cd822b03b63a713c2a80b3d71011105803b2fbb6256a832 |
| SHA512 | 26687a11c61d175d7d185d34fd75d4599b1abf8783b6a364a57dc78a07a4613833d9b3ab7662726c929cf14af43e2a8accb204bfe88b484ba84be3dff05f7df3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b13136c798614278d3cb86cda70b1883 |
| SHA1 | 5f04fadf8f4662de55a05b93214be04edad90d72 |
| SHA256 | 9b75ea042013851029365bb24216579082cdf80dee61ccf46e20148b72b5d261 |
| SHA512 | 1e62e7afc3e9a655a5f5aa8c0815a31c2f97c5c07f54d8ec68387f4113068a64ffe476eac037559fa92691d11cf41d7131cc6486551dbb5a2a9135026a3fb845 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0a3aabbaecb3d370399f4ca86bbe1599 |
| SHA1 | 348f5ede9f9e4bcde9f4c3cd9a016db01b416f92 |
| SHA256 | ef86644c22aa474d6f0531ba1190d03aa8fff734bbfe1a95b4cd3ea3bf0201ba |
| SHA512 | 607d1ff05d7c424bfbe64bc02a46517dc1751699198734f7e78cf2b4c7bb2f480f204a1e298b41acc29a359b2169a5a9896862f7547c5aedcd227250ee8822cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35d2a7a30b169d5e683cb7391dcb2e9e |
| SHA1 | e0543fd8fb22a0286a963c8d9b817152375a0273 |
| SHA256 | 015aa1296d72ad4095d8a2da20ff757000f94c944c5b32e18ffa7a40f54c6b90 |
| SHA512 | 9e4c3ff706d3be2fd6782e4d2dc04b60a826e3cc615114ae36989a7feedfbc2ff0e939b690984863d9c0b6027f9bc6478892018a31d812b5dd831f8b196bca70 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb9a664f812ba58dd4654e4fbc44fe1c |
| SHA1 | 424a0e3ae93c69de473f15e2102ae4758b0dfd0a |
| SHA256 | c4fc5b3fd3ea20d028f7c77cfe27048f7815815492327c82a26eb9316571ca36 |
| SHA512 | 72ee28d6054be3d367e3430b3f39d3a8da3376800a34c752a890b2ebf612cfe04313a80bcefb561f014ce115841513e23582833b413b391f017c77cff20b378d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2244654eb8ddafe5afd5da2c7addde0 |
| SHA1 | d2653df6453de47da759bfbd5a9cfc43f765a187 |
| SHA256 | 79cb6ce81c360721615bb2f9091d31d2b7a05bf5f439260a0157260452167311 |
| SHA512 | dc12f2b6f32fb430961780b61b1c268fc41e29b956bb01c7a00747b00f2694a8413b0c4a9e732db1a3600590030ac00bbfcc8e4071ecac66806a496ca89f58be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 451a24ace6e120a7d33c325b0ab031b2 |
| SHA1 | 966aa34b52fdae9fad0016547d1a6e707f2be3db |
| SHA256 | 00918a91a1b11326087e05f1c095fdc0e4073a9a1c9a6f64c7bc26a08be175cc |
| SHA512 | 7efc435dc4f2717e25aa1e89e9cf2b33ebb0f505d74a477de5dfd4a9de8637546719967826840e0bec4938ecb732ba64a9cdac35b720006d7052bd35104f059d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0ced12a0bef534e9b3123f638f370da |
| SHA1 | 7a19845ce19aa5147792372889142a755400e651 |
| SHA256 | 5368a2859f03302f5f692bde36f1b5e51ec09df706fdcc38aaa942f6ebafdbb9 |
| SHA512 | b3bfe713f2e5eb8bbc2dc34a63f82f8399d2e6a36ec0017a4df53ec5a630810b78ac3df23af483e2d9b886df77e91eb1ac214f6897e17cee3304d4375089b89d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9889bf6a6c1430683ca66e304bedee79 |
| SHA1 | 7c962927f45184381492a9d6dc7b5a8c2930bc1a |
| SHA256 | bc5cd21893d3baddb7cc840d0e8b899e4ab0d74decb93cd585befd7eb9a3ded7 |
| SHA512 | 0f47894850d3f2ea78baa4a6adf7537b95442bb66cbb833bddd406ed750ab5d53061111c10b76b2d9247c1e70b6145915c2136dbcde32274b092b36c0ca7e076 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cbfc189f34fc86d1d4899ac1ad7d5f03 |
| SHA1 | e3be169e47997e49eb356e4ae1aab243dedc926e |
| SHA256 | d29ce256198fdc6717143c7428b16feccc0aefb52ee9a143e7b8e259018382b4 |
| SHA512 | 77f67969fb365a217d2aaf218b4caaf0cdbc9a5d2b94d35714d9aa9b7555a206543e0c0574134fa0e937d65553ba0a8dd65cb6a99bce6b90b87873f81d8867bd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 13:32
Reported
2024-11-09 13:34
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
111s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4002138923" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4000107170" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03311efab32db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4000107170" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d000000000200000000001066000000010000200000002378eb9f3954296f274e28e2a516239037ab8aec99420367b00e801b718095c6000000000e80000000020000200000002125f5286e7511bce02132a7fb356911eaca4bc385588faae7a0c98ccd452bd720000000342a1effde112d1cb86938da0c6689d30d7fa39714a9ba91e1f65c9e0df50de7400000009a8292e185ed9d60342d88eff5d9f0583bc14b986294e412131fce9f323e4978d754e4fae3617d9c08179813bdeaf2c241f9647adef9e61e014d744b7490d985 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{19F75356-9E9F-11EF-B319-EE8B2F3CE00B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437924139" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4002138923" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000002000000000010660000000100002000000080b5f906f2f7b779d062208724587d2edb9d44aac8d0033568b8fcda72282d49000000000e80000000020000200000003f9365fd5ca7517ece7d89f4661ed1943c45b5228ac8de7971b98e3e1ec0102520000000e7ec2615e9a90f2c7538354a1de7edc7d4f70edc16134f5762e68633f55b6151400000002c3969de1b097103c285a927d05378c2596a1888b404cf563cacd1fd872b01d2429123d6f24dc9304d640412cbf6421b2fc71e9f10104cf7dc13cf99158eee5e | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142571" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142571" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142571" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142571" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0780cefab32db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe
"C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.212ok.com | udp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.229.11.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/896-0-0x0000000000400000-0x0000000000429000-memory.dmp
C:\WINDOWS\windows.exe
| MD5 | 3abb4f2cc2ade758a54f6f7a5b34d3e4 |
| SHA1 | 433d047cd3674618a0864f80d3fa34a7ddb24a96 |
| SHA256 | 22bc26ca6d7813520e5ee6d1330e762be0fcec73316ae2db7b83e9264c9ab81d |
| SHA512 | ba9cb0c050cd4a90d26b21e67ae542ed0ea904fc2a3cb59c61ba9d1b0cfa2dc87d8f7c228ba51de920f6ee182a81c2865cb7306c0b5c8fe9618ef6c8ab80ed86 |
C:\system.exe
| MD5 | c719923ce74a0bd99b3a6a505d48f3aa |
| SHA1 | b2fd57d2489d123854914c8e6c9f41b8ba6f2258 |
| SHA256 | 6d3849cd931950a4576531a7b1383456c3ce33e325a8986def00b7bed6b5cbcd |
| SHA512 | 3ba109e71eba32dbb775d0a5b485ddbb543f75f74557028028e8840061f7a96325baee9f2399ac8650a3bc170d274b8bcb4b8e99962df561238f7cf1a633476d |
memory/896-20-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 042619486a0f512d0313c7b4fa6c9756 |
| SHA1 | 9a3f09247b4b03933f23331b4f0207672c93e02a |
| SHA256 | a231a95c194f54c33eef59babf53d979f0342fbc68bc52dbb524887fd378418d |
| SHA512 | 4b2b32d754d116b0609ca43b9ff54ad72c9e22ddbd617b5c94586a219c297c13823c0c2812937db6b2181382176bba46b2f3d37b4b29ae6f171e01ada216c257 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | b79ec3022d4b49af672cbf18b03e20cd |
| SHA1 | b0617336d8787912acc61201d68b5ba1f74039db |
| SHA256 | 311eb4949a1e5660468fae35d6b178937acec071a9fa35104f7bde6712f9d8f2 |
| SHA512 | 09de167d62b3a7a259d0f41fc3a0ab19c9d7a3b939e2b2a60c4b0e6f590c24db1b87ac8ede2812b52f04236241a21936e53e209e200927172c6db9abcc4f1359 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE186.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |