Malware Analysis Report

2024-12-07 16:18

Sample ID 241113-3erdkszqhz
Target 76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b
SHA256 76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b
Tags
upx defense_evasion discovery persistence
score
8/10


Analysis Overview

score
8/10

SHA256

76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b

Threat Level: Likely malicious (verdict for the file 76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b)

Malicious Activity Summary

upx defense_evasion discovery persistence

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

UPX packed file

Hide Artifacts: Hidden Files and Directories

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15; the technique matrix is rendered interactively on the original page and is not reproduced here)

Analysis: static1

Detonation Overview

Reported

2024-11-13 23:25

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
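The two static findings above (UPX section names, no embedded Authenticode signature) are cheap to reproduce without a sandbox, and reproducing them is the first thing to do when a sample arrives, because both are weak on their own: plenty of legitimate software ships UPX-packed, and most Windows binaries carry no embedded signature because they are catalog-signed. The following pure-standard-library script is an added example, not tooling from the report or from the sandbox vendor; it reads only the headers, so it never executes the sample, and the `build_sample_pe()` helper fabricates a non-runnable header blob (constructed here for offline testing) rather than reproducing the real file.

```python
import struct
import sys

# Section names the UPX packer writes; a match is a packing hint, not proof of malice.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory that points at the Authenticode blob


def parse_pe_headers(data: bytes) -> dict:
    """Read the COFF header, the security data directory and the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +96 in a PE32 optional header and at +112 in PE32+;
    # NumberOfRvaAndSizes is the DWORD immediately before them.
    dd_base = opt_off + (96 if magic == 0x10B else 112)
    n_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    sec_va = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_va, sec_size = struct.unpack_from(
            "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_hdr = opt_off + opt_size            # section table follows the optional header
    names = [data[sec_hdr + 40 * i: sec_hdr + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]
    return {"machine": machine, "characteristics": chars, "sections": names,
            "security_dir": (sec_va, sec_size)}


def static_triage(data: bytes) -> dict:
    """Reproduce the two static1 findings: UPX section names and no embedded signature."""
    hdr = parse_pe_headers(data)
    return {
        "sections": [n.decode("latin-1") for n in hdr["sections"]],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in hdr["sections"]),
        # A zero-size security directory means no embedded Authenticode signature.
        # Catalog-signed files show zero here too, so "unsigned" needs a catalog
        # lookup before it counts against a file.
        "embedded_signature": hdr["security_dir"][1] > 0,
    }


def build_sample_pe(section_names, signed=False) -> bytes:
    """Constructed, non-runnable PE32 header blob so the checks can be exercised offline."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    opt = bytearray(224)                                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if signed:                                              # fake certificate table entry
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x8000, 0x1000)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    # Pass a file path to triage a real sample; with no argument the constructed blob is used.
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe([b"UPX0", b"UPX1", b".rsrc"]))
    print(static_triage(blob))
```

Run it against the real file only on an isolated analysis host; the script opens the file read-only and parses headers, but the sample itself should never be executed outside the sandbox. A UPX hit means the interesting strings and imports live inside the compressed section, so string-based triage should be done on the unpacked image (stock UPX unpacks with `upx -d` unless the packer has been modified).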

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 23:25

Reported

2024-11-13 23:28

Platform

win7-20241023-en

Max time kernel

141s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437702225" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2314971-A216-11EF-ABAC-EE705CD14931} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf00000000020000000000106600000001000020000000557df0dcd6e8142e5946fe62c44a58921f6fad950afb53efe795483a579b9e5f000000000e80000000020000200000008887f8fc73769bcbdcaa8fa264c2eac764e757d84892a217569fb652012f3f4a20000000c78c0e0908990fe45ca45ec3852a8394d88be5e049ee16c165bbd430eda5fec740000000831e922f6a7aec35529afa48bfd034382232693f035d5e39119d3dc7033daac94d2f4a6041e207417f29f9a5b184c833ba60945e181c88e2b1d78dca8e36eda5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
</gr_insert_placeholder_never_used>
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0edbd782336db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2209FD1-A216-11EF-ABAC-EE705CD14931} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 596 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 596 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 596 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 596 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 596 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 596 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 596 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 596 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 596 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2828 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2828 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2828 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 596 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 596 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2960 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 596 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 596 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 596 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 596 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe

"C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
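Reading the behavioural tables together gives a clearer picture than the individual signatures. The persistence mechanism is Active Setup: Windows runs the StubPath of every component under HKLM\...\Active Setup\Installed Components once per user at logon if HKCU has no matching component, so the dropped C:\system.exe is re-executed for each user who logs on. Two details matter for detection: the component name {A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} is shaped like a GUID but contains non-hex characters (X, J, H, U, R), which no real installer generates, and the StubPath points at the drive root rather than Program Files or Windows. Writing under HKLM also needs elevation, which the sandbox granted by running the sample as Admin. The attrib +h commands target Chinese-locale Windows XP profile paths (桌面 is Desktop, 「开始」菜单\程序 is Start Menu\Programs, 启动 Internet Explorer 浏览器.lnk is "Launch Internet Explorer browser.lnk"); on this English Windows 7 image those paths most likely do not exist, so only the hides of C:\WINDOWS\windows.exe and c:\system.exe will have taken effect. The WriteProcessMemory rows all pair a parent with a child that appears in the process list, which is consistent with the writes a parent performs while creating a child process rather than injection into an unrelated process. Of the "Modifies Internet Explorer settings" rows, only those whose Process column is the sample are the sample's own writes; the rest are iexplore.exe housekeeping after being launched with the adware URLs. The script below is an added example, not part of the report or the sandbox; its inputs are rows copied from the tables above, and the trusted-directory list is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the report's signature tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe"
IE32 = r"C:\Program Files\Internet Explorer\iexplore.exe"
REG_EVENTS = [
    r"Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} " + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" ' + IE32 + " N/A",
]
WPM_EVENTS = [  # duplicates kept on purpose: the report lists each pair four times
    "PID 596 wrote to memory of 1728 N/A " + SAMPLE + r" C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    "PID 596 wrote to memory of 1728 N/A " + SAMPLE + r" C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"PID 1728 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    "PID 596 wrote to memory of 2828 N/A " + SAMPLE + r" C:\Windows\SysWOW64\cmd.exe",
    r"PID 2828 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe",
]
ATTRIB_CMDLINES = [
    r'attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"',
    r'attrib +h "C:\WINDOWS\windows.exe"',
    r'attrib +h "c:\system.exe"',
]

DESC_RE = re.compile(r"^(Key created|Key opened|Set value \(\w+\)) (.+)$")
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(\{[^}]*\})\\StubPath$", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+)$")
ATTRIB_RE = re.compile(r'attrib \+h "([^"]+)"')
TRUSTED_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")  # assumption


def parse_reg_event(line):
    """Split a 'Description Indicator Process Target' row; quoted values lose one escaping level."""
    body = line[:-len(" N/A")] if line.endswith(" N/A") else line
    cut = body.rfind(" C:\\")                      # the process column is the last path
    rest, process = body[:cut], body[cut + 1:]
    m = DESC_RE.match(rest)
    if cut < 0 or not m:
        return None
    key, _, value = m.group(2).partition(" = ")
    value = value.strip('"').replace("\\\\", "\\")
    return {"op": m.group(1), "key": key, "value": value, "process": process}


def active_setup_findings(reg_lines):
    """Flag StubPath writes whose component is not a GUID or whose target is outside trusted dirs."""
    out = []
    for ev in filter(None, map(parse_reg_event, reg_lines)):
        m = ACTIVE_SETUP_RE.search(ev["key"])
        if not m or ev["op"] == "Key created":
            continue
        stub = ev["value"]
        out.append({"component": m.group(1), "valid_guid": bool(GUID_RE.match(m.group(1))),
                    "stub_path": stub, "process": ev["process"],
                    "stub_in_trusted_dir": stub.lower().startswith(tuple(r.lower() for r in TRUSTED_ROOTS))})
    return out


def sample_writes(reg_lines, sample=SAMPLE):
    """Registry events performed by the sample itself, dropping the launched browser's own noise."""
    return [ev for ev in filter(None, map(parse_reg_event, reg_lines)) if ev["process"].lower() == sample.lower()]


def process_tree(wpm_lines):
    """Rebuild parent->children and pid->image from the WriteProcessMemory rows (deduplicated)."""
    tree, image = defaultdict(set), {}
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        parent, child, paths = int(m.group(1)), int(m.group(2)), m.group(3)
        cut = paths.rfind(" C:\\")                 # second path is the child's image
        image[parent], image[child] = paths[:cut], paths[cut + 1:]
        tree[parent].add(child)
    return dict(tree), image


def hidden_targets(cmdlines):
    return [m.group(1) for cl in cmdlines for m in ATTRIB_RE.finditer(cl)]


def legacy_profile_path(path):
    """XP-style profile root; absent on a Windows 7 image, so the attrib call cannot succeed."""
    return path.lower().startswith("c:\\documents and settings\\")


if __name__ == "__main__":
    for f in active_setup_findings(REG_EVENTS):
        print("Active Setup:", f)
    print("sample's own registry writes:", len(sample_writes(REG_EVENTS)))
    tree, image = process_tree(WPM_EVENTS)
    for parent, kids in sorted(tree.items()):
        print(parent, image[parent], "->", sorted(kids))
    for p in hidden_targets(ATTRIB_CMDLINES):
        print("hidden:", p, "(dead path on Win7)" if legacy_profile_path(p) else "")
```

On a live host the same checks translate directly: enumerate HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the Wow6432Node twin, alert on any component name that fails the GUID pattern or whose StubPath resolves outside Program Files or Windows, and treat a matching write by a process running from a user's Temp directory as a high-confidence persistence event. Remediation has to remove both the HKLM component and the dropped StubPath binary; deleting only the file leaves a dangling entry that fails silently at every logon.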

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.212ok.com udp
US 8.8.8.8:53 dhku.com udp
US 8.8.8.8:53 www.ymtuku.com udp
HK 38.11.229.201:80 www.212ok.com tcp
HK 38.11.229.201:80 www.212ok.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/596-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 1188885cab869a5cc7f9c04260f463c6
SHA1 81b70fd04ce4cf757d1174f4ad3dd6ff2089bf9e
SHA256 93fe68fd1afa029c2a300619818c23378ebb8765bd56c6a6f6b097c5a2a624a9
SHA512 60831fa1f3249082cc46883d3cb2da0fd926c6d54bdd96edf35b3f8678317401a3401b8b7df3c0cfab1ceaa1b1c5a9eb6e8c715707621c88c30f15112cc5a7d9

C:\system.exe

MD5 8d56f5a568df38f2b7e316b8580efe0e
SHA1 e94d55c5430e1589f5ebc05852e8221b507eddff
SHA256 8710f6f112c4ca32857e22b0f08f98887374fca477ce96c113d100f4f1f42eaa
SHA512 a120e50628136a64d6459e4d4f0aa10c8105ed77d69871d52813c7119e03466161f39cde134f97b712ecd0e5d6333330b3fa13320a6bdd7956832d4c77717231

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A2209FD1-A216-11EF-ABAC-EE705CD14931}.dat

MD5 7bb6780c1df7e9f83bc18abdd2ed389c
SHA1 8a72322ecb6765df9372d300ac0ef76c4c03dcce
SHA256 47f0b7b24efd74592e2abd3ace8f95bf909699a6cd3313b4cd4c62e1e5d48833
SHA512 684637a3bf798a8c132fa8756eb646b4a3e207b97fa583f070f2f45e3ffa2c506865f31c9dc280f767a60e58d0419a773187cfe090873c6b3b2755310c6bef46

C:\Users\Admin\AppData\Local\Temp\CabD77E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD82C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca67380bd44b35944a41a0209df11885
SHA1 8e389500e86d6a97d3847528edb40765884b62cd
SHA256 7e74c0fa39bcae2fa55b0a68752f7e1a26bd3fb93fc077d5d4c6ce429309efcb
SHA512 ea0c47d2f55d7670301d2ba6fb0b0c41012453e302f7c969daaaf084e492dd82abc81819f6a6c5ba6f3ffff31496192d9deb423163584f6d9f46d7184234e4ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b5c5d0a8f37f3eb25f0b3814e24fade
SHA1 87bbee4985c00f5380c24a9cb6f81abaeb7e1950
SHA256 5b87ae3c05ae471527eb4d4cf4d174fab5ca5cb759b569d16d1fd7b93a97524b
SHA512 0d2952fe2d4c245c443d007028988a12d1f7fbfdf549c9653ae0706421cec789652312657c52605aaecaabcd1ef52c1e4bb4f358db6b2cafa64c8e175b7b0e22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec6a6885315c3523852f31ba7f22fdd2
SHA1 fde007e363e41d4e8cb55b0301fe753b021a144b
SHA256 33df468db38272c68c4700eb9a4dae293881dfbc99a3e0c4dfa89d9416acba19
SHA512 dbcdd939deb1faca19a7a1c27385616739a2dda732c592d4e57a1e5011a8810c2b37967fc821202264c40930c33a8490ade447df30f5d9f84918d55a8f5a52c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 092a6609951b85b3256d5a539d4198c4
SHA1 f305f586da8a6ab3f2de393db0f566c057ec4911
SHA256 f97d51c01721ef38894f77002741d8ee1881ea1407ed2ad21e9c58ef5fc7d8a9
SHA512 6db2ceebfab91b26ea0215d4e465b0e489516bf8a14921c2cea0d90f1521f0e53b7fe3a43f3e4fa0704de7de2c080ce37d1ddc8e54f28847e8b36f6efc2ee03f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6784e05c785606ecc4ddc75f2be82cf5
SHA1 62e840543cfc0bd2df3f2ad984576b9e5813d685
SHA256 be089980627b97d4f84ca11708138eedbbb4399b45074a8ba172c67f7f38c14a
SHA512 4f460e9a36db252383757f0b6e42f6b07744f9ea8719075544b807b036eade4156e5c3407c55aff132510dd43b289b16b4a6de2d9204cbf3488993ef97e21279

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 daca366f79d320dc68170749ecce4136
SHA1 7755d14d8f1eb8ffbc322aea9e67db11be33d4a0
SHA256 3d1809a2e9a53a49cf3ba9e4235d4d46f0c960a6e2a910e54560ae1b16602d3b
SHA512 b8f0e895c8f8752b024cda575dac4f128e6cad28d1781676ea250d749988bc08e2e94e943dbe57377d73b0531bfcb58376127099635f89e4c47ec668e5498b12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13053734c93a3d550a8c9d1aac547c03
SHA1 0abc46c14fe81075ce92546c7bbe5b98b86848be
SHA256 970de4f4d6c87b2d5236df1ba400b80a7b6f08fd7cf2be08f0c72565e6caa12e
SHA512 0a971fc6cb683a87f403c082bd78d162dad84023b2ee525484c9ffd9cee542f331fd68a9e7a273179c30d89a39bf90d668fef2b291046f4d888ffd2c7a7f343a

memory/596-274-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 090afea42794bc12904556389059eba1
SHA1 d9ef0a3188a8ef0e823f256cbe6fc5a1aaafd7cd
SHA256 db2e1116af88c14acd44f6980a5b99d4e5879edaefa02437dd20f61a31d2bb5a
SHA512 45616c7b720aebd80c220d0983c6ea0c106b67c9791cd0f3a1e01df1f30f6a583adb3cbf3a68c96094153ac215f1f60fa84794fa08a3ed85e697ff6496ded12c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a97af6bebff26e70d17375d08d040b8
SHA1 89b76aa3186355d2d6470ed3e97b8abf08461d18
SHA256 5bd2498a669ef98e58d16fe1dc78e0bdf71b44548f64aabac7df110121e6fbb1
SHA512 f4758982c13b7ad859db0dded986ea347c056e70d90a5dab67c6c722bcaef119423c5ac2f56b7061aaf27d23c499d19fec1a8507b4e9d7b1e738c061c27bbd75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 314e2502865edb72bcb99f974450a1e4
SHA1 8c30fa801f3e0e5f504424b2b0cd3f1218368bc8
SHA256 c6058221bed78045af120e530ff676145e8ec28b838f745b5f60fa4f9c071e14
SHA512 f0f7d305a14304690b894235a5ae43fb92ae34ecee33d74d66421453b29ebd322c89267ccabd2b8a3a4f6adaad4cbac262fb1e65c35c8464700b2cb05f35440b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b1f559366fe8284ab5cee7c8ec82a15
SHA1 2da939a77424e3df6d4ba6ebda2ad35bafe8f1c3
SHA256 62e8b93eddddde354b6748a41fd2be322d41d7bcdd35977ac8364d5d216328cd
SHA512 e25cfb7a0e7d12b380cf00e23e3191aa3bdbb6e6f01ee30595025ec00ba3b08a4d7509b3fa6d1d897339d915fed7c2bf69db1a43991aad6de81839c76e720371

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 885a74fabec78827dd7e0fa3cffe95a3
SHA1 810430ea9d5277c98ee8641f3d453f4b6d399e17
SHA256 d3909b009371e6d9b867c5b198234b8cca72f25cd553306fdc46a3fd297bc864
SHA512 8ebc2a5a96c9263cd37b3c6eed8def5d520eefbd83600a6c72eee2488b291fcde06226df596655d3e6f6d73e2bb6981ee33aff3f698d9badc19de5046ecc0a79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc00fb75aef5e2aa556075bb7a1757cf
SHA1 9ef48e33f4da54e3e345ab0cc8333305000cd8d0
SHA256 f3307256b429ac7b6786fb4ca7bae75009a025bdda0bf84cfbecfd72fbe9f5d9
SHA512 022001968615b9f7d5acf7c40d69c4555cb14d480b5915423791c9795fcfd80ff4fb36c7252f5c5be11b0a3844ea3886ad7d18d0d4d6dadb2fc757f267c207f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cf12ddf8af52911e827f75d0e5ca4f8
SHA1 17b3d946c17d6e047ea9caa042144cef48e211f4
SHA256 cd3c8a9bd20635febe8e7017c32481e1802ad032c12803c47ef5a9424048107b
SHA512 93f4e09a56523e0347a4c5410e58bf8039ef47551439173fac38ad5237a2d69d8218e3161371a7fe82c1d41569ef994d9c3fed2967e0a9853b406d1f993855df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22bec9995ce33110db231522d81134a9
SHA1 5cdbaae7abe1cd8a45bf9b1c7dc0b23c5b425c07
SHA256 fc5f7cc517e055b883423b1d2b1c9ce2cfeb23a78db9f6412f69e8f8d549ebe6
SHA512 4fe4920e5e8a1ee047c2a518f25d65465b3e85abc85dabf0d4db58dc97c6ad4120a84e4bd22d72dd5c20189d6fa9095fb6e0601e8f8230b6e0a01c75000bc258

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f325592d925d62f4cb22ecc7f5e0af70
SHA1 8127a24c4358895796790dc61838e1b06b0a4ee1
SHA256 56be214e3b275e9852019e36137294724532c9efe7f513ed4aad44384bfb4aa8
SHA512 806dda266c984bda6f1c2803b0f223a78bd4ef5b58564f7c97a6d9f12a5e9c2d5f48ee19cf48152ade0f37ea2708a2f61d734a9e78111416c941802bf310b8f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9edbe16fa70149ab45b864f1d578de53
SHA1 4e690b758879e56a40f2a43c115ff2830dce9603
SHA256 75b3a4b6e8bbb5803e3ef2d6de35284268fc96603f57f5f091f000b456c3b160
SHA512 d4b2a819cb84b41347553c064546f40a7fdd45ea8b4fe70d80c6f1a414c084ace9733772442c74888cb8f70b38b16d40c04beee56869606fe67cd64063d210ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 23:25

Reported

2024-11-13 23:28

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A
File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A
File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A
File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1989532588" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A22EB628-A216-11EF-A4B7-FA89EA07D49F} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fcba772336db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438305331" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1995002058" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000028e76085f1f7640a0643881d549bbfc00000000020000000000106600000001000020000000bdc232a511f4f088834110535351afbcba657b7773a8bcc31034740ec2eac224000000000e800000000200002000000004a24d37241e17e14419016fd33f496696ed962c96176197a81edf7df5f4794e20000000873893b3d6122f367a357fb6dfb8bad00210a82683457a571c40774f2fc8ff0c40000000a3c204b948e8f1045a357a0f23e3e8d5a55d513b88a307b1a46fafe987bfbc955bffa006483333ac904ff3b903cf972d7afcebbf65273d3bc96b9b4b5f268bbd | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143459" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143459" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1989532588" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143459" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ccac772336db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000028e76085f1f7640a0643881d549bbfc000000000200000000001066000000010000200000009b056fc66c22f152ad6603ad848a14ac506f72558227d6a28dde6d4ac3932a0e000000000e8000000002000020000000b9f6fec274079d5de298368c2a64215eb20a17e319f8ef23f4e1271912832ffd20000000cbdd3c27d22c6ab14cdf9f2d77189af2e42816f67f7f4143ce0b2d7dc1a072fe4000000049ff7cb3e28449343fc95c16c9c8052950bcdc50d092e02ea767a676912fa7b6f715ea5c7d102b96847735a0322eec964bc76a8a7a84c1cb928db03a4e613ef0 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4464 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4464 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 1732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 1732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 1732 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4464 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4464 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4464 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1072 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1072 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4464 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 1608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2932 wrote to memory of 1608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2932 wrote to memory of 1608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4464 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 4872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2012 wrote to memory of 4872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2012 wrote to memory of 4872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4464 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 652 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 652 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4464 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3568 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3568 wrote to memory of 3068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4464 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 316 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 316 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4464 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 3996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2092 wrote to memory of 3996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2092 wrote to memory of 3996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe

"C:\Users\Admin\AppData\Local\Temp\76b602574a08e47570fba6cd05ac2dafc7c2ff8c98254837fc3bca8c4e153d9b.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.212ok.com | udp
HK | 38.11.229.201:80 | www.212ok.com | tcp
HK | 38.11.229.201:80 | www.212ok.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.229.11.38.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/4464-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 39f52f0d4cfcf8a145bd222d66b585ce
SHA1 6b7b55887d1e91aeffc81b0c22eee60ad96d3c02
SHA256 58390d464c16de53bd28865a1e9992066f67957ca751974e388a9d0577153775
SHA512 10176ebd046ae945f2c6714977e5765e54caf449cc7387a5eda82114c887fc2d4a013e6a0b09d69a5c566a4e30d907d03d8a6f028d09e9180e6a55876d2b11ba

C:\system.exe

MD5 916b8d9bc8124a326e3bc16d395b35f6
SHA1 f885319f79b896a30ff1cfcfbc48f6541bd71b44
SHA256 19a5283879faf1154a56a3015889456875fa0e71cfe6b63d0e675b39d3f53c41
SHA512 32628cc6b980b731275df992b38349c8ab0dd98a95d432701ede821c9567ad0285981819b603a09ca450adce7ab7bd062efa1c718bc54f3521effda0781d82cf

memory/4464-20-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 6911c74e9fef0942b37967a889ed5383
SHA1 62e0675e75f626f2fff3b486fa8fae6f4f558d5d
SHA256 1b93adeab62e6271270d2d20018d674d97f34ed82b127d165d338e4a520f532d
SHA512 68b12ee8a3da5d80be8cfc171028fb6a1b745595ee04ebaeb03f7f5a86b0c2f82b3b96801453e26684c7b8a20691d793a55f30f521decf3b947af360f49c1893

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7a53985fe30318a6d6d1a2f0e7d5c3b5
SHA1 4a23a155e19824ac5723029f19d3ea490a8e3e86
SHA256 8ae523b733ec2df75917bb57f64196bd66546a2c8d1816f39db72ef44b959fff
SHA512 2986a88d2f184d8ee34fd17e049a456a5ae7099117a0fa98341278fbd35929d85aa12b14a13ee6ef7cf24f989f87bd59298cd605ce1d4e8c04309b1f016e5718

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee