Analysis Overview
SHA256
14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0
Threat Level: Likely malicious
The file 14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Drops file in System32 directory
UPX packed file
Hide Artifacts: Hidden Files and Directories
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Modifies Internet Explorer start page
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 06:15
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 06:15
Reported
2024-11-10 06:17
Platform
win7-20241010-en
Max time kernel
111s
Max time network
96s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3057B071-9F2B-11EF-80AB-7A300BFEC721} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000329bb59a90ec4f7b500e0bb44101cd64494c4bb9e0c3b5f060f66496e6cdcdc6000000000e8000000002000020000000177f826e99db4872e63b8c8642da9ddd8d227c54ec77bc3dc86d8a4da5a6f2282000000096a6eef50be1aa3cec29be6bde8d448f65c74545ee19059c50a37933beceab66400000008a5d29683ca5df39177d6407d1a7bf849d737a694720c77979a89dd8c57f97fb10fa64415b7ff59d5ed5fc37629b0f41f65f8b7158447ebd02e78df7375d0f47 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3022F471-9F2B-11EF-80AB-7A300BFEC721} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f396073833db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437381199" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe
"C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.212ok.com | udp |
| US | 8.8.8.8:53 | www.ymtuku.com | udp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2368-0-0x0000000000400000-0x0000000000429000-memory.dmp
C:\WINDOWS\windows.exe
| Hash | Value |
| --- | --- |
| MD5 | 0764beda29a5c8ba6638263663d4edee |
| SHA1 | 73744f87e240bf839eac28b0deb2344c0ce90168 |
| SHA256 | a4cb4d2b434b27cd68d9b0df42c40ece75da4423ee8baa2c241c5200bd8a309d |
| SHA512 | aa7c839c2ebb10f8436790e247ab6d2b24923eddb655cd07b6bde9015ec18d7c7bd4a8594491bf8a0a25ecccea0190ace0ec8d7fb97298ff17f7d0c9efc32c42 |
C:\system.exe
| Hash | Value |
| --- | --- |
| MD5 | da5ac4255417616722e1d19264f4c031 |
| SHA1 | 3276a1a86afdde3e38fde8049eda02a5f6212517 |
| SHA256 | f234f68f787a0c0a7ee7f1a85428dd3a01a7f4c446c794c620aeb1183e35274d |
| SHA512 | 9882ee3655d9afa64397f57cec011a132e7904bfeee21058b3e8bbae36d66147f0ff3140a6c35f6efb085a57543f98dac2086c7bc3df11b3b4c804e279a15e70 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 06:15
Reported
2024-11-10 06:17
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
112s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a2460000000002000000000010660000000100002000000062301925a5e8e45a0272a306aa58e18d2f48c02c4f0e9a89a7d03718803adf9d000000000e80000000020000200000002215082c01079af2822110d6f29c56601605634e56ff4ba75e07882400643be22000000078e5fd784748caa7ce5435a8696034e903a6f33767823bd5ed639d3a9cfc9ab240000000eef82ab921aab33af48fbc25d35f67cc04ccf271b09aa0a53da58355b1f77319fe50c232e409c077f10a7535a88e7631c36065540dc571d20824ed2fcb0c1785 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142712" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142712" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001b9e033833db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437984303" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "51480042" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000ade7c42a8ce493ef82c63cc303af29f5221cbadd487d113aa5e06c54bc5ff76c000000000e8000000002000020000000164bb9a2d38597133dc2803929c76dd0dc6790b6b2e6d918d2596e96531e8c4b20000000d4e0fb56972d5aa5096ba81e3d3ddea7998336780f2ef9f7ee80f8653881f64c40000000b80fcd4113afd1079c94062c429298962cc50a1aae818e3c8f2272d17f1dc462718b7418ad25020aaca0734c3dad0e540df6097413cec4ff39c2fd044be64ffe | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142712" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "48198965" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ef96033833db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "48198965" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2E7D106F-9F2B-11EF-91C3-CEB9D96D8528} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe
"C:\Users\Admin\AppData\Local\Temp\14d44cfa6900cf273d7ff39b181f120e80bc652d730c532871115bc7195b39b0N.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4840 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.212ok.com | udp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| HK | 38.11.229.201:80 | www.212ok.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.229.11.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files