Malware Analysis Report

2025-05-28 21:06

Sample ID 241109-qtbkfsyjam
Target dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN
SHA256 dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4ba
Tags
upx defense_evasion discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4ba

Threat Level: Likely malicious

The file dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion discovery persistence

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Hide Artifacts: Hidden Files and Directories

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer start page

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 13:32

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 13:32

Reported

2024-11-09 13:34

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000b1b06bd554dbdc09e1ee84f37dae7b378f6ab85919d1aa670afc471540c48190000000000e800000000200002000000086c0693df7d6a5472671e2f8115569fb6a4a5cdb74dd21645c5edef5c429d388200000004cfa1031f20f83b323deba69090d0b837da39148113e3e4d340fc1c9410d68dc40000000c039fe95c74982d51876be1208787162670a08746a0abfab991a59b8aa1c463ae876112da6529706872d43b969b4abb56c3315b22ac701154957aa1e74398a7d C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437321032" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19F6C4B1-9E9F-11EF-925C-5EE01BAFE073} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dddceeab32db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A061E61-9E9F-11EF-925C-5EE01BAFE073} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2848 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2848 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2848 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2708 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2708 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2708 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2988 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2988 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2988 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1196 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1196 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1196 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 972 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 972 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 972 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe

"C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 dhku.com udp
US 8.8.8.8:53 www.ymtuku.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2960-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 665518834efc69f99734e7a3e80d4cf1
SHA1 9472dfb2cfd095703f4e27eb59d9e4cab8302881
SHA256 edafdbe4a0a7d79d920b6e39901e3302728e55df1e6a2ef6eb0d9b7c8a199396
SHA512 99a34cbd94dad430c6ecb6e8cc16b4af637b67158f1def9cc2249d0102992bc8b84030f3a1e3c8f9aea229dc1800ea9b50e1fbba6ad80ba4f1d22676197ece90

C:\system.exe

MD5 2b089a699fc580e4072d1030f62a614a
SHA1 295839b6d148dd0c81b9354cc44dfbe540fb66f7
SHA256 390f7d29f8071fb9e0e18061862969fb2f0738a92c6f08143b8042d5daf954c1
SHA512 8251da2e23a598f0c2dce8be07082d4d43247c00603209f9872c556fa26ef904b4adc6dafd90e6e8449c6c9d5464f4445d4b197cb9e9d227fc3f567c146a8a85

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19F6C4B1-9E9F-11EF-925C-5EE01BAFE073}.dat

MD5 657dcb8558fc38331fccf2396c82c3ef
SHA1 7de91a9e57c9d1ff47b70292cf8aa7ed74775815
SHA256 459e832690d6924d3dd115c714ee659e93b0df58dfe17a0526524ca782fa332d
SHA512 707a5ef186b02b55fbb782b51910175acbffd14485b362a1187b22492cc6e9d92c8d0403e88bde26f2e538255130a998b5f6d120f7703e973b86af28b9147066

C:\Users\Admin\AppData\Local\Temp\Cab7227.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7287.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 916c51cee0192e4c856cc0cfe7daf446
SHA1 c2b0e128c7e394d45314bdff04f634798f6dbea0
SHA256 1b986c4313891125d2cae097a73a87f96c449cb5b28f2de67a75ffef095d4aab
SHA512 928f9c282b86eec9e14b73cea40bd4e3ded28587b9b17587601e7b5363cae31e42695fc8b0ab2d34ff404560535e667fa231ab95ece97906a6b1f7a1620c305c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3746bb5a1bba73c1ce931e68d0cb315
SHA1 288b007b49d0aa7b84bce4dea9c58362ad10bd4f
SHA256 e967ceea2cd7f53cc5bb8f9fc4808b76c6360b854265e914e4f9ba7634017dda
SHA512 fe361aef7cae194a5b62ef031b76d236001fae2ec818d4c98bc9b19c06c072da4a49cc09a50e8733fdda1c80b906cafda1f81ffbec1a43092cef4237f0418f30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24fd1dffc9d9eed190d21d22b4b37b68
SHA1 7d5e6449ae68df24ec4a02a75980b6362e459803
SHA256 804f342728051fb07c6fcafe41a330c7c3498468dfb30c5b61db8ae8975e7f44
SHA512 8e7abda79d36450c959139dd53cab945e41e6a514f49b0586844d306c9482ee5df40aa5111d37cbb2523c855eb5cbc07c4d242d440f11317be0946b5f539c854

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 136d4593eb01d540a34804230bf151b1
SHA1 8dfd46ec1e436f5ff83c99a8f5e9cd1a93bca4e6
SHA256 3ed87611bd800b1701fca78dc9c206dbe763781a4aeab24ce41618b5fed15625
SHA512 299edeb0e9e8956b85a3113f0e08cb26477e3cad350830696068eec5972562e075bcc2482883d189fce27b9e418a77d144ad79ace3a8bc5c2fffbe9683a463ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9339a4403bbb638d5dded5af7fc90ca
SHA1 e1e9a09ef771d0e078405a1c5a415c28e2a7fb82
SHA256 d29444ba1476f7fe42d4a8ccc0bdf89d527169b36c30f3b2bd8ae9e3c5a5e5ba
SHA512 dc856559b1bbdf84270a3f67913ab1c8b629d2cec11faf63c79975a173937c17bc05796d82e5fe0abb53ce4a7d7e21ae92d297ddd7d4bbcc1566b2b490c8150b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d18946e924126bc795ab1fe1c2092de9
SHA1 71c88f0712a2cd277d4576f5858c9f6afc671c75
SHA256 3d0b8f50ce06fa89cfe95f0669228b4eee809ac6a96c2baa39f8a88de4615fa0
SHA512 3694fef430f33b8f696102dba72a98bc7024a1c16a7c8dd2bafb5f5d8bce72cbff272cb20b1035006f7541a1459d2cd3ffcec6b59d8865589a3b8e40f7255268

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f56a12ce0d4e240845b1903d5d50509c
SHA1 1447e47cc70a72624e293299b974469027cf5e2b
SHA256 b151386a7f2bdbf81e22adacd814e0d0ac77b69f098b2218a0aa53a8537c5e40
SHA512 b31101ebca3fd4bcb4da2c9ed1ce9c38c7f06df81ba191d9ab11fe556b6e46dddac17be66dae380857ea1795ea89430e7c6912833212a8d23708d64466069f63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 252e5e0ff099ba50eb2bc4e4c8418174
SHA1 9ba90630a9d25fc915f4b537c3aaa1692486e292
SHA256 78aeb47c159d88f354d2d6b5eed89689741a340870904f0dc49ff26021ec0e0a
SHA512 08fac6a623957167c3c2c06ca6d8ada6754670f7a349fc1ebeb6d3e56e04b17cf6fb2ac38c8d98d736a9b8ab64636cf35b351f20c56a93a979a76a96dea46554

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6417818eb834c18e2991d030954b61c7
SHA1 92e242e72505bbb13330dc758161efd5f5aae09e
SHA256 b8261ad284e203ffa750b153e98d8f0975562c685afc55c64758c76b177aeaae
SHA512 85401c64f8855ac49218be6efaaaf877e2f4380bffc8979d612606e262c7f5cac862bae993dbb797e3f481f8b6a1cd8d756164c9c5015791c14712281e747f6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d00d6efe88839dee2836f9959954bba0
SHA1 27d4eeb5ae545eb8d7d05f1bd603e3654433b8e5
SHA256 2e5b505afc007acfdbc6ff29b31ea2d04118f4163d273b842bfcc398c29828f9
SHA512 b8adf054453974623f4971b3a6e82f48186ff7aefad87f4d0c6ff225e7b4d77091db3c84575fbab503be3cae80b6d154e1ab98074c04d09e86e0d01e6ec6d93f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c68637f9e57f0cd7a5fac34c850f7a3
SHA1 2b81537c8d815d4d8106c06ab24180b7b0a896c7
SHA256 bbc779e012d0451bb0980dfb0f446d515f6d0245d51fd7823dfc58339fa65467
SHA512 dd2a7856ab30b8820c557c1183d3f25aa4b68cfe5a50d3cb6f5301f6130ba7b7695c4672ea1bfb5be9028783c037ec0ba0ff376e30f99dce210a9bc47975f08a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca8c99a4aaacf22d570ded9c7add7e0b
SHA1 8058d8f0d9fed0e20171acc1a2b942e502e9fc56
SHA256 48c5b48c722504de5633e0f84448bcc58dc1895eff612daf0fd423546228508c
SHA512 dbe964c9a86f604e16f92768822a20f9290c100a39ce4fc5fd7009dba86a9f530949cf504b2d0b686d9f417755c47e2b4d276bd2facf2c61476bcfe6ce7a5f84

memory/2960-453-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2adc659e71a9df624bbffc09e0761f70
SHA1 90949189fcc5fccf4d415855e7abc06ebf6ce185
SHA256 0c9cb4fe7a07555b9cd822b03b63a713c2a80b3d71011105803b2fbb6256a832
SHA512 26687a11c61d175d7d185d34fd75d4599b1abf8783b6a364a57dc78a07a4613833d9b3ab7662726c929cf14af43e2a8accb204bfe88b484ba84be3dff05f7df3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b13136c798614278d3cb86cda70b1883
SHA1 5f04fadf8f4662de55a05b93214be04edad90d72
SHA256 9b75ea042013851029365bb24216579082cdf80dee61ccf46e20148b72b5d261
SHA512 1e62e7afc3e9a655a5f5aa8c0815a31c2f97c5c07f54d8ec68387f4113068a64ffe476eac037559fa92691d11cf41d7131cc6486551dbb5a2a9135026a3fb845

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a3aabbaecb3d370399f4ca86bbe1599
SHA1 348f5ede9f9e4bcde9f4c3cd9a016db01b416f92
SHA256 ef86644c22aa474d6f0531ba1190d03aa8fff734bbfe1a95b4cd3ea3bf0201ba
SHA512 607d1ff05d7c424bfbe64bc02a46517dc1751699198734f7e78cf2b4c7bb2f480f204a1e298b41acc29a359b2169a5a9896862f7547c5aedcd227250ee8822cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35d2a7a30b169d5e683cb7391dcb2e9e
SHA1 e0543fd8fb22a0286a963c8d9b817152375a0273
SHA256 015aa1296d72ad4095d8a2da20ff757000f94c944c5b32e18ffa7a40f54c6b90
SHA512 9e4c3ff706d3be2fd6782e4d2dc04b60a826e3cc615114ae36989a7feedfbc2ff0e939b690984863d9c0b6027f9bc6478892018a31d812b5dd831f8b196bca70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb9a664f812ba58dd4654e4fbc44fe1c
SHA1 424a0e3ae93c69de473f15e2102ae4758b0dfd0a
SHA256 c4fc5b3fd3ea20d028f7c77cfe27048f7815815492327c82a26eb9316571ca36
SHA512 72ee28d6054be3d367e3430b3f39d3a8da3376800a34c752a890b2ebf612cfe04313a80bcefb561f014ce115841513e23582833b413b391f017c77cff20b378d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2244654eb8ddafe5afd5da2c7addde0
SHA1 d2653df6453de47da759bfbd5a9cfc43f765a187
SHA256 79cb6ce81c360721615bb2f9091d31d2b7a05bf5f439260a0157260452167311
SHA512 dc12f2b6f32fb430961780b61b1c268fc41e29b956bb01c7a00747b00f2694a8413b0c4a9e732db1a3600590030ac00bbfcc8e4071ecac66806a496ca89f58be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 451a24ace6e120a7d33c325b0ab031b2
SHA1 966aa34b52fdae9fad0016547d1a6e707f2be3db
SHA256 00918a91a1b11326087e05f1c095fdc0e4073a9a1c9a6f64c7bc26a08be175cc
SHA512 7efc435dc4f2717e25aa1e89e9cf2b33ebb0f505d74a477de5dfd4a9de8637546719967826840e0bec4938ecb732ba64a9cdac35b720006d7052bd35104f059d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0ced12a0bef534e9b3123f638f370da
SHA1 7a19845ce19aa5147792372889142a755400e651
SHA256 5368a2859f03302f5f692bde36f1b5e51ec09df706fdcc38aaa942f6ebafdbb9
SHA512 b3bfe713f2e5eb8bbc2dc34a63f82f8399d2e6a36ec0017a4df53ec5a630810b78ac3df23af483e2d9b886df77e91eb1ac214f6897e17cee3304d4375089b89d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9889bf6a6c1430683ca66e304bedee79
SHA1 7c962927f45184381492a9d6dc7b5a8c2930bc1a
SHA256 bc5cd21893d3baddb7cc840d0e8b899e4ab0d74decb93cd585befd7eb9a3ded7
SHA512 0f47894850d3f2ea78baa4a6adf7537b95442bb66cbb833bddd406ed750ab5d53061111c10b76b2d9247c1e70b6145915c2136dbcde32274b092b36c0ca7e076

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbfc189f34fc86d1d4899ac1ad7d5f03
SHA1 e3be169e47997e49eb356e4ae1aab243dedc926e
SHA256 d29ce256198fdc6717143c7428b16feccc0aefb52ee9a143e7b8e259018382b4
SHA512 77f67969fb365a217d2aaf218b4caaf0cdbc9a5d2b94d35714d9aa9b7555a206543e0c0574134fa0e937d65553ba0a8dd65cb6a99bce6b90b87873f81d8867bd

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 13:32

Reported

2024-11-09 13:34

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
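The two rows above are the sample's persistence mechanism. Windows evaluates every key under Active Setup\Installed Components at user logon and runs its StubPath once per user account (the HKLM entry is copied to HKCU after it has run), so C:\system.exe is re-launched for each account that signs in, not just the one that ran the dropper. Two details make this entry cheap to hunt for: the component name is not a well-formed GUID (it contains X, J, H, U and R, which are not hex digits; the registry accepts any string as a key name, so the sample never needed a real one), and the stub lives in the drive root rather than under System32 or Program Files. The Python below is an added example, not part of the sandbox report; it parses the report's own "Set value (str) ... \StubPath = ..." line format and applies those two checks. The trusted-directory list and the benign contrast entry are assumptions made for the example.

```python
import re

# Well-formed GUID: 8-4-4-4-12 hex digits in braces. The value this sample
# wrote, {A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}, contains X, J, H, U and R,
# so it fails this check even though the registry accepted it as a key name.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")

# Directories Active Setup stubs are normally launched from. Assumption for
# this example; tune it to the baseline of the fleet being hunted.
TRUSTED_STUB_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Matches the sandbox's 'Set value (str) <key>\StubPath = "<value>"' line format.
SET_VALUE_RE = re.compile(
    r'Set value \(str\) (?P<key>.*\\Active Setup\\Installed Components\\'
    r'(?P<guid>\{[^}]*\}))\\StubPath = "(?P<stub>.*)"'
)


def first_token(cmdline: str) -> str:
    """Return the executable path from a StubPath command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_active_setup(guid: str, stub_path: str) -> list[str]:
    """Return the reasons an Installed Components entry looks suspicious (empty list = clean)."""
    reasons = []
    if not GUID_RE.match(guid):
        reasons.append("component name is not a well-formed GUID")
    # The sandbox escapes backslashes in string values ("C:\\system.exe"); undo that.
    exe = first_token(stub_path.replace("\\\\", "\\")).lower()
    if not exe.startswith(TRUSTED_STUB_DIRS):
        reasons.append(f"StubPath executable outside trusted directories: {exe}")
    if re.match(r"^[a-z]:\\[^\\]+$", exe):
        reasons.append("StubPath executable sits directly in a drive root")
    return reasons


def scan_report_lines(lines):
    """Apply check_active_setup to sandbox 'Set value' lines; yield (guid, stub, reasons)."""
    for line in lines:
        m = SET_VALUE_RE.search(line)
        if m:
            yield m["guid"], m["stub"], check_active_setup(m["guid"], m["stub"])


# Constructed input: the first line is copied from this report; the second is a
# benign entry of the shape Windows itself creates, added only for contrast.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}\StubPath = "C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"',
]

if __name__ == "__main__":
    for guid, stub, reasons in scan_report_lines(SAMPLE_LINES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {guid} -> {stub}")
        for r in reasons:
            print(f"           - {r}")
```

On a live host the same checks apply to both the native key and the WOW6432Node copy; the GUID test alone is a low-noise signal because legitimate components are registered by installers that generate real GUIDs.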

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4002138923" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4000107170" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03311efab32db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4000107170" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d000000000200000000001066000000010000200000002378eb9f3954296f274e28e2a516239037ab8aec99420367b00e801b718095c6000000000e80000000020000200000002125f5286e7511bce02132a7fb356911eaca4bc385588faae7a0c98ccd452bd720000000342a1effde112d1cb86938da0c6689d30d7fa39714a9ba91e1f65c9e0df50de7400000009a8292e185ed9d60342d88eff5d9f0583bc14b986294e412131fce9f323e4978d754e4fae3617d9c08179813bdeaf2c241f9647adef9e61e014d744b7490d985 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{19F75356-9E9F-11EF-B319-EE8B2F3CE00B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437924139" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4002138923" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000002000000000010660000000100002000000080b5f906f2f7b779d062208724587d2edb9d44aac8d0033568b8fcda72282d49000000000e80000000020000200000003f9365fd5ca7517ece7d89f4661ed1943c45b5228ac8de7971b98e3e1ec0102520000000e7ec2615e9a90f2c7538354a1de7edc7d4f70edc16134f5762e68633f55b6151400000002c3969de1b097103c285a927d05378c2596a1888b404cf563cacd1fd872b01d2429123d6f24dc9304d640412cbf6421b2fc71e9f10104cf7dc13cf99158eee5e C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142571" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142571" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142571" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142571" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0780cefab32db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 896 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2008 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2008 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2384 wrote to memory of 2008 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 896 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1112 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1112 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 896 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4972 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4972 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 896 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4876 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4876 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 896 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 896 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4240 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4240 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 896 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2436 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2436 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 896 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3568 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3568 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe

"C:\Users\Admin\AppData\Local\Temp\dfade80a7063e8ec3f877a0ebf02e6f5f1d542b6651538251ec7cf192223a4baN.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 201.229.11.38.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/896-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

C:\system.exe

memory/896-20-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE186.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US