Malware Analysis Report

2025-04-03 19:46

Sample ID 241110-gz4nra1jcw
Target 14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N
SHA256 14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0
Tags
upx defense_evasion discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0

Threat Level: Likely malicious

The file 14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N was found to be: Likely malicious.

What the behavioral1 detonation actually shows (details in the tables below): the sample is a UPX-packed, unsigned 32-bit PE (its registry and file activity goes through Wow6432Node and SysWOW64, and the "C:\Windows\System32\cmd.exe" in its command lines is redirected to SysWOW64 by WoW64). It creates C:\WINDOWS\windows.exe and C:\system.exe (both listed under Files, with SHA256 values that match neither the parent sample nor each other, so they are not plain copies) plus ie.bat and qx.bat in SysWOW64, registers C:\system.exe as the StubPath of a new Active Setup Installed Components entry so that it is run once per user at logon, and then runs cmd.exe /c attrib +h to hide both dropped executables and several Internet Explorer shortcuts. It also sets the Internet Explorer start page to http://dhku.com and launches IE against http://www.212ok.com/Gbook.asp?qita and http://www.ymtuku.com/xg/?tan, which is where the HK-hosted 38.11.229.201:80 traffic in the Network table comes from.

Two points matter when hunting for this. First, the Active Setup key name {A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} is not a well-formed GUID (it contains the non-hex letters X, J, H, U and R), which makes it an easy registry-audit hit. Second, the shortcut paths passed to attrib are Chinese-locale Windows XP profile paths under C:\Documents and Settings (桌面 = Desktop, 「开始」菜单\程序 = Start Menu\Programs, 启动 Internet Explorer 浏览器 = Launch Internet Explorer Browser); they do not exist on the English Windows 7 image used here, so those attrib calls are very likely no-ops on this detonation and the sample's intended target is a Chinese-language XP-era host.

Malicious Activity Summary

upx defense_evasion discovery persistence

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Drops file in System32 directory

UPX packed file

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 06:15

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 06:15

Reported

2024-11-10 06:17

Platform

win7-20241010-en

Max time kernel

111s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
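The StubPath entry above is the persistence mechanism a responder would want to sweep for across a fleet. The following script is an added example and not part of the sandbox report: it audits a .reg export of the Active Setup Installed Components key and flags component names that are not well-formed GUIDs and StubPath executables outside the Windows and Program Files trees. The export text is constructed (one entry modelled on a stock Windows shell32 component, one reproducing the key and StubPath recorded on this page); the trusted-prefix list is an assumption to tune per environment.

```python
"""Audit Active Setup 'Installed Components' for the persistence pattern in this report.

Added example, not part of the sandbox report. Input is the text of a .reg export of
HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Active Setup\Installed Components; the sample
below is constructed (one entry modelled on a stock Windows component, one copied from
the StubPath indicator on this page). Flags: component names that are not well-formed
GUIDs and StubPath executables outside the Windows / Program Files trees.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)
COMPONENT_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\([^\]]+)\]$",
    re.IGNORECASE,
)
STUBPATH_RE = re.compile(r'^"StubPath"="(.*)"$')
# Locations a legitimate StubPath normally lives in (lower-case, trailing backslash).
# Assumption: tune this list for your own environment.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample export. The first entry mimics a stock shell32 component;
# the second reproduces the key and StubPath written by this sample.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,1,7601,17514"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}]
"StubPath"="C:\\system.exe"
"""


@dataclass
class Finding:
    component: str
    stub_path: str
    reasons: List[str]


def parse_reg_export(text: str) -> Dict[str, Optional[str]]:
    """Map each Installed Components subkey name to its (unescaped) StubPath, or None."""
    entries: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key = COMPONENT_KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, None)
            continue
        if line.startswith("["):          # some other key: stop attributing values
            current = None
            continue
        value = STUBPATH_RE.match(line)
        if value and current is not None:
            # .reg files double every backslash inside REG_SZ data.
            entries[current] = value.group(1).replace("\\\\", "\\")
    return entries


def executable_of(command: str) -> str:
    """Executable path from a StubPath command line, env vars expanded, lower-cased."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split(" ", 1)[0]
    for var in ("%SystemRoot%", "%windir%"):
        exe = exe.replace(var, "C:\\Windows")
    return exe.lower()


def audit(entries: Dict[str, Optional[str]]) -> List[Finding]:
    findings: List[Finding] = []
    for component, stub in entries.items():
        reasons: List[str] = []
        if not GUID_RE.match(component):
            reasons.append("component name is not a well-formed GUID")
        if stub:
            exe = executable_of(stub)
            if not exe.startswith(TRUSTED_PREFIXES):
                reasons.append(f"StubPath executable outside Windows/Program Files: {exe}")
            if re.fullmatch(r"[a-z]:\\[^\\]+", exe):
                reasons.append("StubPath executable sits at a volume root")
        if reasons:
            findings.append(Finding(component, stub or "", reasons))
    return findings


def audit_reg_export(text: str) -> List[Finding]:
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG_EXPORT):
        print(f.component, "->", f.stub_path)
        for r in f.reasons:
            print("   ", r)
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"` and the Wow6432Node equivalent; against the constructed export the stock entry passes and the sample's entry is reported on all three counts (malformed GUID, untrusted location, volume-root executable).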

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3057B071-9F2B-11EF-80AB-7A300BFEC721} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000329bb59a90ec4f7b500e0bb44101cd64494c4bb9e0c3b5f060f66496e6cdcdc6000000000e8000000002000020000000177f826e99db4872e63b8c8642da9ddd8d227c54ec77bc3dc86d8a4da5a6f2282000000096a6eef50be1aa3cec29be6bde8d448f65c74545ee19059c50a37933beceab66400000008a5d29683ca5df39177d6407d1a7bf849d737a694720c77979a89dd8c57f97fb10fa64415b7ff59d5ed5fc37629b0f41f65f8b7158447ebd02e78df7375d0f47 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3022F471-9F2B-11EF-80AB-7A300BFEC721} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f396073833db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437381199" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2440 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2440 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2440 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2368 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2368 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2368 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2768 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2768 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2768 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2368 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2368 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2368 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe

"C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"
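The process list above is the whole hiding routine: the sample spawns cmd.exe /c attrib +h once per target, so the parent/child chain sample -> cmd.exe -> attrib.exe with a +h on a shortcut or a dropped executable is what a process-creation rule should key on. The script below is an added example, not part of the sandbox report. It runs that rule over events constructed in a Sysmon-like shape from the command lines in this section plus one benign attrib call; the PIDs are taken from the parent/child pairs in the WriteProcessMemory table, but their pairing with particular command lines is assumed for illustration. It also tags targets that are Chinese-locale XP profile paths, since those cannot exist on the English Windows 7 image that ran this detonation.

```python
"""Flag the 'cmd.exe /c attrib +h' hiding pattern from this report in process-creation events.

Added example, not part of the sandbox report. Events are constructed here in a
Sysmon-like shape (parent image, image, command line); the command lines are the ones
listed in the Processes section plus one benign attrib call, and the PID pairing with
specific command lines is assumed. Rule: attrib.exe adds the hidden attribute to a
shortcut (.lnk) or to an executable outside Program Files. Each alert is enriched with
whether the parent was cmd.exe and whether the target is a Chinese-locale Windows XP
profile path, which cannot exist on the English Windows 7 image this detonation ran on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

EXECUTABLE_EXT = (".exe", ".bat", ".scr", ".dll", ".com")
# 桌面 = Desktop, 「开始」菜单 = Start Menu, 启动 = Launch (XP-era Chinese profile names).
XP_CHINESE_PROFILE_RE = re.compile(r"\\Documents and Settings\\.*(桌面|「开始」菜单|启动)", re.IGNORECASE)


@dataclass
class Event:
    pid: int
    ppid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    pid: int
    target: str
    reasons: List[str]


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows argv split: whitespace-separated, double quotes group a token."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def attrib_changes(tokens: List[str]) -> Tuple[Set[str], Set[str], List[str]]:
    """(attributes added, attributes removed, target paths) from an attrib argv."""
    added: Set[str] = set()
    removed: Set[str] = set()
    targets: List[str] = []
    for tok in tokens[1:]:
        if len(tok) == 2 and tok[0] in "+-" and tok[1].lower() in "rashi":
            (added if tok[0] == "+" else removed).add(tok[1].lower())
        elif tok.startswith("/"):      # /S /D /L switches
            continue
        else:
            targets.append(tok)
    return added, removed, targets


def evaluate(event: Event) -> Optional[Alert]:
    if not event.image.lower().endswith("\\attrib.exe"):
        return None
    added, _, targets = attrib_changes(split_windows_cmdline(event.command_line))
    if "h" not in added or not targets:
        return None
    target = targets[0]
    low = target.lower()
    reasons: List[str] = []
    if low.endswith(".lnk"):
        reasons.append("hidden attribute set on a shortcut")
    elif low.endswith(EXECUTABLE_EXT) and not low.startswith("c:\\program files"):
        reasons.append("hidden attribute set on an executable outside Program Files")
    if not reasons:
        return None
    if event.parent_image.lower().endswith("\\cmd.exe"):
        reasons.append("launched through cmd.exe (scripted, not interactive)")
    if XP_CHINESE_PROFILE_RE.search(target):
        reasons.append("Chinese-locale XP profile path; absent on an English Windows 7 image")
    return Alert(event.pid, target, reasons)


def run_detection(events: List[Event]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
SAMPLE_EVENTS = [
    Event(2780, 2440, CMD, ATTRIB,
          r'attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"'),
    Event(2928, 2908, CMD, ATTRIB,
          r'attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"'),
    Event(2988, 2876, CMD, ATTRIB, r'attrib +h "C:\WINDOWS\windows.exe"'),
    Event(2716, 2664, CMD, ATTRIB, r'attrib +h "c:\system.exe"'),
    # Benign, constructed: a user clearing read-only from an interactive shell.
    Event(4100, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\attrib.exe",
          r'attrib -r "C:\Users\Admin\Documents\notes.txt"'),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert.pid, alert.target)
        for r in alert.reasons:
            print("   ", r)
```

The four sample events alert and the benign one does not. Keying on the attribute change rather than on the literal paths is deliberate: the paths in this sample are locale-specific and will differ between variants, while "attrib adds +h to a .lnk or to an .exe outside Program Files, from a scripted cmd.exe" survives that variation.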

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
US 8.8.8.8:53 www.ymtuku.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2368-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 0764beda29a5c8ba6638263663d4edee
SHA1 73744f87e240bf839eac28b0deb2344c0ce90168
SHA256 a4cb4d2b434b27cd68d9b0df42c40ece75da4423ee8baa2c241c5200bd8a309d
SHA512 aa7c839c2ebb10f8436790e247ab6d2b24923eddb655cd07b6bde9015ec18d7c7bd4a8594491bf8a0a25ecccea0190ace0ec8d7fb97298ff17f7d0c9efc32c42

C:\system.exe

MD5 da5ac4255417616722e1d19264f4c031
SHA1 3276a1a86afdde3e38fde8049eda02a5f6212517
SHA256 f234f68f787a0c0a7ee7f1a85428dd3a01a7f4c446c794c620aeb1183e35274d
SHA512 9882ee3655d9afa64397f57cec011a132e7904bfeee21058b3e8bbae36d66147f0ff3140a6c35f6efb085a57543f98dac2086c7bc3df11b3b4c804e279a15e70

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3022F471-9F2B-11EF-80AB-7A300BFEC721}.dat

MD5 77df833437beef5ee548f6a98c7530ec
SHA1 a5d45e414c67985058bd3e989e9f9d1428077992
SHA256 17313d0545f05b59599809968c22700786ce29322e19b174618af9b56cf3167b
SHA512 aa3e834b80e4a652281b1fa44587a3f4380a92ff8e2e8c23953aa44e61babe5f6b70e1b30eddbedffc911d262b694ee78ad00b65a9e015f9d7073b4f0ef3a0fc

memory/2368-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE62D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE6CC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9eca6762457f9b16eacba8a950132637
SHA1 517aee5d330463fbfc8180aabef0b0bf3cc8b0ce
SHA256 00318bd4e30ca9c83b12bdd3050d45bce8a123a039ec0d54b4c2cdc82a25b826
SHA512 d4a9c9e0ec6afd4bc6b57e87f800c3ce1376eb9338454f54a33b91e8e6049c903fa9feb3f92a88af5985ac4a7e18e9fef3cb9691adbcb7172113694d765336a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7313d2a8240c17ec9a9d0ec4c24c4e6
SHA1 1e713b875c59a64f607a2afb14bb46a8c82d21e5
SHA256 54cb09d8a02e0c7bb13a4927bb430b0dd5e68635c24d5e501243bd909ab482f5
SHA512 ead8b0738c200096233a16daeffd9ca878c43f9e34af09591b5967e5f124ccfb5ae74d02099962fb565b685f8b37de093b66ac52caeffa0a5fe244fda350ddd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00ade67ff1e16d37486b903d6a883952
SHA1 3c55abe99fb7070029931a5038b79f876ef00bda
SHA256 a58dffeeaccc4314b2b3eb1a782e2925e58d47f26481674317ae887372fcb139
SHA512 1fffc172d6e5186d57db3ea1290ded6907850f30ebf5f9161babe2ac6c7edc26cde85003b56202bd23af12af0d960827db45f776132b42354a028dd61a663c6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 733f2a7cfc09b50c305b609daa656eb2
SHA1 e11b37dcce6b933df6465e3885b52c9d083b7b2f
SHA256 7342e394f650b446c9fc6d43bfa2bc148f7e425df70987a2ce20d3f482889f1d
SHA512 d6192b711b6d93a469995f176cd9fc48382ca91c770940959b9d41c2beac5893ad40b8d0a68d9801eafefb1b4f1a4d958b665f6534323a60545ba1818c6735fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a809d6bc0f9b5944247a3068cdcccd0
SHA1 e9008c555f2f7c5c9349efdbe6a973a4fb3197f4
SHA256 2f40412be779c064f2b5113ba94e5469a1438b1305449a7d6ea3e36bf2cb0ffe
SHA512 ca1c40fe9d4f205e3357bc338bc330a21606861dff80e88f6822cbbc960f79230dc6c65448b1fa71b7f3f595f1843e64a02d305d70313a165d726095491aa110

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f14396ecf24e540d3a41f4c65e8444ea
SHA1 c733e74f8756aa3c054a1eade441c869481fc8cc
SHA256 91d0e5424ea504d4005f1b0a7c5fc704c7ed12857ff813616dcdeee77769e80e
SHA512 a736135c4d5f7e7870fbdab80f3bacc36836b20da18e1cb88270dec39177f3298c8f0136b96392c0e10ec8514d889c7894ac0d7fffa6a5a8f0c1bcf3f3d5a1b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2a98fc53ef1f725321824029f749ccf
SHA1 b78b6b781b823af0a25e52e3bb592599a03888a0
SHA256 dcb7260f0c13fe0b0e19ab17cf9a776021b33cf46ef206d022df421cc5f0024a
SHA512 54464ecb19c4c3e581dbbeb866b601591701a79dd664487eb62440eac3de6a707e6522d59daabf2ae7775e2ab30b7cd292a6ec1c97c7a7cbc998d29817b2af11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac23988497c7eacf21468fb0f2a8011b
SHA1 e7ae81b22591924e73acf0ac34927fe702c965ed
SHA256 4c2a2e055136bb659d6a68f3b2fb00168bc40a3b3a5b323ddcba2a4517d41cd2
SHA512 fa72ef1254bafd4347166e68e3967b4f976d0694b99d0417ea634d5d32dbf107b633c3090726faee454165b6ad4fa64986845fe5d1a19fc20432a24afee6016c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ad8fb9c93d441ea6b7c23288d0ad447
SHA1 013de3ffb037cd76b68147ea1d526d9841f8fde4
SHA256 8a9c58ce4f78d90f49f59633e9717f3136ca0b89780d89d04ffe17396f38e241
SHA512 6d091aaff2fc241ffd849a20577a351e1f03957ed123201ad646650f06fee88978c48f1ab329496cc5cd7a47cc00e38a7450e7bdfe9b90e6a9564b7ba9ada6ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bcf2bea33b58dbe0b6f1766d18b5c58
SHA1 70ac384db9a3117b074b8f871ec21db5add3d8ff
SHA256 46e4aeb62b85ff96b948b7ddf5ea9bf0b3b36fe1c1445174fd15e8248c778dca
SHA512 bfaad810cda6fc7f12717af95232625316b608e040b891127b9064060e80f9cd0d98821cbd7b33b52a339d648d10ad9eb9757fbeba53391bb337ae92b1072625

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8e4869d7406775b06cd3930ed1821f0
SHA1 226ca925c15d50cf25c8f0c593d13a53bf0a1704
SHA256 b99a224d0ef96337bbd522309f8fe83c5297a9db03211586f51549155e257292
SHA512 590e58ab1311bc8311170923ce8134eae7f3ee4ef1ecf86cfa7589c5cc71d9392ab7c645ad15daaaf40e430f4f31e108b07207db8f58bb8d67591feab3ddb9b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5c2ecb22abcf0610b5caa09bfbe20a9
SHA1 1aa67ffac1fb74735be3d2e4348f2fd6246a6965
SHA256 f492ee0909a7a7149c81abe358da1c5454078a50d2704243a2f2c21c29e690cb
SHA512 223a03953ceaff4ea9dd25e76f8011b072530030b858a70f86ca311a337c0e742ba81cef6a2b36e6eb3fb0873d42c5f0d80edbfc58757e2790bd21f7a67fdf1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07fea9385623439781a333e069fd8a83
SHA1 7bdd1edff7e9b5506eb4e2bf5d0911e2bdd9f7a6
SHA256 90fa758717d257f121f1b8c3e32d2f53e4b9a7f78ed464bfe6d04797a4770eda
SHA512 b72cc990eae0659fea1b2a5beb96f87b51fd0a601bc26c757791aba80a069cf52c1f46c5ad9db1c1e316987630ae0c54d264299ffcd28310f831eefd919787b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b093fd42071ca3fb652ff62eb4c482ff
SHA1 57e08e12c5afce52632c9954d1abe1299f5e8a6c
SHA256 a43e30d790195421d32b07e7a9aa1bd404efb19407ab47d94f0e6cdd1193803d
SHA512 5151d0e05c340072baa2f2896e9480d37be46f4970ec8c9ff8385fb9423c58c45f68b5e750f5881bf7c7ddb3276a75e9ccfb18cc9519d495e0fc4ab7fca88f8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6174ce87a7787a32c3c5f23e990380e9
SHA1 f329179ecbe1c8acb2f102a396a201c40e34245c
SHA256 403acdc5ecda7c3ba7443b7c4d6fe035429828cd6a528b44760328a6602df412
SHA512 b21b1b7c68ac76456bc239bc6318f21404d614d7f5f7612cb0cac5ad561d4d85d1c0082b26b10e5e2a36fcd70c0982b61d5e7645b99b38813945bd091ba03df0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f83d3a7d1b74673436be0700500d6120
SHA1 82b841e2719383daee2902f3e6d1f54ad9d59ef8
SHA256 346355f3e61d431e2aa5515cf2e4ca2c4df771abe0b2cfb45803f81e058b7ee8
SHA512 97c727b81bea9f99a8f9106fe3ca15ba8122892bd942fe88171a527cbe335aa7335e58c3f4e40ea59081ea0e45b6ab47ae0fc37f85d1ec614913ccef3cebc4e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0958ed7ae3bebc250352789e65489384
SHA1 4344bfd3a2a637ee1f05169fdc48aadec16ed982
SHA256 e1c480dd0b01e0434883ae6721b55dde90d80a50df6cd15a4da9dd1e1e22b7e3
SHA512 43d7af6daf5ce2e22a1cb66a1d8fd2ae8f46980432390e950103f58382cbe5734aa73dfb9cf0ebf2d73a676b4b148f2be719633df720ed90a47ceacffcfad724

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d724e58bd9896b316ea0b2d1a6681d73
SHA1 ebbf555798e1b078055c047b2af30f61e470ade1
SHA256 154c91dd083396a0d67c922f844a31d1ebf6f1efe916dc965807d3dcd3ef7c3d
SHA512 ce9bbbeb552863be731df77a84235c2244c64400b6f5a7a8d7637a00c5f234d3a05f6093f9617024e2d307bf11d4d46ea1d7be5e4bed32266348d51a949d234e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dddfa9f50ee648f1c9bb7575a1f2c061
SHA1 e1cf0ec855d13d9959eca7f2ae2bedebef711d53
SHA256 3c33e947d3037729a55faa2311c3eedd6a0a2edbd920bfc71183c331f6775e55
SHA512 8daa4a2773e94314a08b024acfbdb742a5524a462dda89bbefc2583c9d43d966ded23fb7eeac7cec5750b60046f8230285fdf128b8a1e76d927583e6ba7e33f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23a0b31a15237737d9a9c3bd0bf38502
SHA1 72d8e59824ec9bb193c3e81234c699309ade1db6
SHA256 e2316e37ae33305af7828eff6ddb96f421db4362abb236aaa53817bab8004de5
SHA512 25fc58cab60361c31258d3d91953bf4512cd6889f7ba3bb18c8432f32b8a64c9800c16095e8abadd5037d8de739ff61cbf7bddb27c5d4b25b743d0234c931195

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3631d92a7672aceee6ed5ca5d0ab4392
SHA1 9bc3114b26619bc00d7337ffcc8ae45e571fbef7
SHA256 ff933c035cdae2e39ef0b6433f20796a21c9ac0cbc9adbcac8536f409ce31237
SHA512 6ecf3364a0a2afe809c60242fea6933302a1e6562499d5af7bba529de5e0ce7e2f477564cf7d9be067ae7b17d42f3f81c08c3f591fe528c53f9462888643a254

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 06:15

Reported

2024-11-10 06:17

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
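
The Active Setup entry in the table above is worth checking mechanically rather than by eye: the subkey name {A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} contains letters that cannot occur in a GUID (X, J, H, U and R are not hex digits), and its StubPath points at C:\system.exe, a file the sample drops in the volume root and later hides with attrib +h. Active Setup runs that StubPath at the next interactive logon of any user who lacks the matching key under HKCU, which is why it is a persistence mechanism. The Python audit below is an added example written for this page, not code from the sandbox vendor or from the sample. Its allowlist of expected StubPath directories, the stock-looking comparison entry and the HKLM labels on the sample entries are assumptions; the live registry walk only runs on a Windows host and is skipped elsewhere.

```python
import re
import sys

# A GUID is 8-4-4-4-12 hex digits in braces; anything else as an
# Installed Components subkey name is an anomaly on its own.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Assumed allowlist: directories a legitimate StubPath normally launches from.
# A bare image name (resolved through the search path) is flagged deliberately.
EXPECTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
VOLUME_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")


def stub_executable(stub_path):
    """Return the executable part of a StubPath value, dropping quotes and arguments."""
    m = re.match(r'^"?(.+?\.(?:exe|dll|cmd|bat))"?(?:\s|$)', stub_path, re.IGNORECASE)
    return (m.group(1) if m else stub_path.strip('"')).lower()


def audit_installed_component(subkey, stub_path):
    """Return the reasons one Active Setup entry looks suspicious (empty list = nothing odd)."""
    findings = []
    if not GUID_RE.match(subkey):
        findings.append("subkey name is not a well-formed GUID")
    if not stub_path:
        return findings  # no StubPath: nothing is executed at logon
    exe = stub_executable(stub_path)
    if VOLUME_ROOT_RE.match(exe):
        findings.append("StubPath executable sits in the root of a volume")
    if not exe.startswith(EXPECTED_PREFIXES):
        findings.append("StubPath executable is outside the expected system/program directories")
    return findings


def audit_entries(entries):
    """entries: iterable of (hive_view, subkey, stub_path). Returns only entries with findings."""
    report = {}
    for view, subkey, stub in entries:
        findings = audit_installed_component(subkey, stub)
        if findings:
            report[f"{view}\\{subkey}"] = findings
    return report


def enumerate_live():
    """Walk the native and WOW6432Node Installed Components keys on a Windows host."""
    import winreg

    views = (
        r"SOFTWARE\Microsoft\Active Setup\Installed Components",
        r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
    )
    entries = []
    for view in views:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                with winreg.OpenKey(root, name) as sub:
                    try:
                        stub = winreg.QueryValueEx(sub, "StubPath")[0]
                    except OSError:
                        stub = ""
                entries.append((view, name, stub))
    return entries


# Constructed sample: the entry from the table above next to a stock-looking
# entry modelled on a Windows shell component (hive labels are assumptions).
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
     "{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}", r"C:\system.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components",
     "{89820200-ECBD-11cf-8B85-00AA005B4340}",
     r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"),
]

if __name__ == "__main__":
    entries = enumerate_live() if sys.platform == "win32" else SAMPLE_ENTRIES
    for key, findings in audit_entries(entries).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run on the sample entries the script reports only the sample's key, with three findings (malformed GUID, volume-root StubPath, StubPath outside the allowlist); the well-formed regsvr32 entry passes. On a live host both the 64-bit and the WOW6432Node view are walked, since the sample writes only the latter.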

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a2460000000002000000000010660000000100002000000062301925a5e8e45a0272a306aa58e18d2f48c02c4f0e9a89a7d03718803adf9d000000000e80000000020000200000002215082c01079af2822110d6f29c56601605634e56ff4ba75e07882400643be22000000078e5fd784748caa7ce5435a8696034e903a6f33767823bd5ed639d3a9cfc9ab240000000eef82ab921aab33af48fbc25d35f67cc04ccf271b09aa0a53da58355b1f77319fe50c232e409c077f10a7535a88e7631c36065540dc571d20824ed2fcb0c1785 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142712" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142712" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001b9e033833db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437984303" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "51480042" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000ade7c42a8ce493ef82c63cc303af29f5221cbadd487d113aa5e06c54bc5ff76c000000000e8000000002000020000000164bb9a2d38597133dc2803929c76dd0dc6790b6b2e6d918d2596e96531e8c4b20000000d4e0fb56972d5aa5096ba81e3d3ddea7998336780f2ef9f7ee80f8653881f64c40000000b80fcd4113afd1079c94062c429298962cc50a1aae818e3c8f2272d17f1dc462718b7418ad25020aaca0734c3dad0e540df6097413cec4ff39c2fd044be64ffe C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142712" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "48198965" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ef96033833db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "48198965" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2E7D106F-9F2B-11EF-91C3-CEB9D96D8528} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4784 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4784 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4840 wrote to memory of 4704 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4840 wrote to memory of 4704 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4840 wrote to memory of 4704 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4784 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4784 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4784 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3348 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3348 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4784 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1436 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1436 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4784 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3112 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3112 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4784 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4024 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4024 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4784 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3012 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3012 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4784 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1120 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1120 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4784 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 392 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 392 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe

"C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4840 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 201.229.11.38.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4784-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 9be000531b221067a052fe07255ce732
SHA1 d87650edbcfade4dcb4dc9b4ccca1370bf7bed8a
SHA256 e8ffd7745a8972428f36de964c42104e1464808f6f36bb4c4249e0e2be989f91
SHA512 33b8731a116b1c25e36033a8b2a56afd53cc3f080ccb122de328960b54780ff39bc3d9ce4e9538c4ebc42432d562e80c25aa32e8c955bb6222a17a092671f925

C:\system.exe

MD5 b4be0c22d3d239166e43ad32becfb859
SHA1 762e59f0317ed6d3b4d8183813e6ba06401fc664
SHA256 980c8b2c7c5a7ba936d4683874dece5b0ccda33d3fe5e2a95c9543b693b82548
SHA512 856d098bdef1d993359bf99d8ee2a3dce26d8f4c4549debafd4d6247a0ef3f39d58601de5ec5f4424912cefb96fe4307c9fd3930381cbcae8d25d940f894f376

memory/4784-21-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 042619486a0f512d0313c7b4fa6c9756
SHA1 9a3f09247b4b03933f23331b4f0207672c93e02a
SHA256 a231a95c194f54c33eef59babf53d979f0342fbc68bc52dbb524887fd378418d
SHA512 4b2b32d754d116b0609ca43b9ff54ad72c9e22ddbd617b5c94586a219c297c13823c0c2812937db6b2181382176bba46b2f3d37b4b29ae6f171e01ada216c257

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 211222b7620e1a2c9d71637ee1983acf
SHA1 ffc05f736a950a2968078c473d8845e69fa59f3a
SHA256 69bdee0b0e4c869d3f8040446e8b5d8fadceb51ea2ed451b8d8d6ffd011cf440
SHA512 092f7d6624f61b43bf18a2f8b7c7498c0bc2988fcaea7c7b68b5cecd76448f035a17177d469c28fd8f8f3446a7201b2aab4a143a37a5b3606e3f486969de7467

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee