Malware Analysis Report

2024-12-07 17:07

Sample ID 241113-k2xvrsskep
Target 7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe
SHA256 7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86
Tags defense_evasion discovery persistence upx
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86

Threat Level: Likely malicious

The file 7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery persistence upx

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer start page

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 09:06

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 09:06

Reported 2024-11-13 09:08

Platform win7-20240903-en

Max time kernel 110s

Max time network 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A
File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A
File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A
File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005ca2196fdcf629b25d3de2f1588c914bd7ea7fdd7c4d488f8224493442694695000000000e8000000002000020000000a1b446d5ee36ab80c9b2c330ebb7ca995f41ae62d59dce220d756ec60f3329bb20000000d9d3cf45405d46e905c06a3847233ae02967522ec97cfedfd42de9b6d81794894000000044d0b38942e4f22c5610158f005071248769291f3e64efe9a96b2993dbc5e544ab65598a4f3d7cfe92e9b071921628e246cdc41a7739a9042646a08aecf4fdcc | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437650652" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8F5B3A41-A19E-11EF-BB31-7694D31B45CA} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000062b91191482aaed9399226e37e213928fc91a2bbd3cce03b299e5042097f3acc000000000e80000000020000200000001c948f7dbb67878670a93332d3ec0dda789fa21492a84f4cdf04a292de609d4990000000911cd93a930503700a707fb164b7651b9e419f393822b78d63f52c2965adfaa6f9ef9869b11b5c6be16c3defb5211876855833af9630fef555eaad7c81e67c21bb923b94c11953759e934f6652fb3f86ef3aa2a97185086c4516f58684b68161719bbf5b3083971a74b22cc0b4733c2637e16a864a8fac6161f4a03b969493f6698b28848bff3a10e8a568af7755542f400000008c09b027d23384999bd1f75d17564982167405794cfb43eb6c6201b52da307088782805a25c762a4a35210a3a3971bc18278997dcd8fd4f280e257e58496fff8 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2077cc65ab35db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8F683291-A19E-11EF-BB31-7694D31B45CA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1800 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1800 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1800 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2772 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1800 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1800 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1800 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1800 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1800 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2692 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2692 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2692 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1800 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2888 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2888 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2888 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1800 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1800 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 536 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 536 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 536 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1800 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1800 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2600 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2600 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2600 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1800 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe | C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe

"C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.212ok.com | udp
US | 8.8.8.8:53 | dhku.com | udp
US | 8.8.8.8:53 | www.ymtuku.com | udp
HK | 38.11.229.201:80 | www.212ok.com | tcp
HK | 38.11.229.201:80 | www.212ok.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1800-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 28624f069cea91ca3405530484cb70c6
SHA1 589588ee128b3281cbdd0aa908e0af07f6db6440
SHA256 d7455bafa8a4b9b101647f166a569fbb10fe06572129e73da4d91dfa8c7603d4
SHA512 364f4f113aee54ba1007547b212808793c22777ea13a69656cc4ff45c2b39a9540d9f7aba39d1a6f93bb261ed68942ecb0740164b05175be54ea98bae3374f66

C:\system.exe

MD5 90d46667826b8978a70b74c1b1f24565
SHA1 9db9f50c8223dfc8dcef8424cb3a9699ac6f7a97
SHA256 bd7c96b251cfe5f3e401d1e1d881f464e456c13203860b50a9edd6c3a723470f
SHA512 255c356e80b776193ef84f495bcf91c0a4fbaaee5d2a367f2b0b63adb4917fb7e9dc1735d010a1a400eb453ba3e46c587de7f989a229d4f1fb3a2630bf8839c5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8F5B3A41-A19E-11EF-BB31-7694D31B45CA}.dat

MD5 aeae1647c07362dde504d42315135c11
SHA1 72152cbafbbe667b19980084c7eca38b1760df29
SHA256 097aac72a8a764e7cfef82b4f3dc7a235284077c6df1b5b2a6f6177c8cbcc8a1
SHA512 da29c13838e86e73b1c8202e1714d719ac3a3b79893566b4ab30d8d2e7a9497b6bb711bb34e5ead7e84ea1277577511e4151505d09fe283bc251e1a34eb89ae0

C:\Users\Admin\AppData\Local\Temp\CabF9DC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFA2D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1800-453-0x0000000000400000-0x0000000000429000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 09:06

Reported

2024-11-13 09:08

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000001014fd72f08724b141dd088f3cf7a5581078e0dba943f1055accb78810a8c3f5000000000e8000000002000020000000e44becda96402cbb7199d110a3021d8e14518144bf8e0bac2c31b789e44eea7220000000ad6eb38eae18c74e8ce2d17b84bbd3e1d47466735713b7ab79ec4021e7657834400000001398a44033a8eb345b2e3258754ec2610b174e4189d76e34cd2bc66ccaa1ce8a941e74cdcef3057b535ac0bbbb983c187fdf28b63f07ea7ccadba068fce3d6bf C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000008bf6e16724476fef759cb5c91beedfc83fc660e7562a3361d007c37bbd06a7c2000000000e800000000200002000000064881fe124d07b7cdf8d4c3ece9ee10f6b3a9caf8126e5c66d9fb1cf5e57b94b20000000e19339adfd8df4c3de27eebdfa6b2b7dda377784c4fda63bac89313d76ec2be84000000014fcacb41f0f0d9ef9b9baf69dab432cb287affadec56bceb82ede2f5f9c0b4d460780f7b74eed2f5b16405cda855ee669a604b49bac2fe86d0c87d8e315497f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1677335189" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1673897430" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04d9064ab35db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143339" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438253760" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80529764ab35db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143339" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8F65A3D7-A19E-11EF-9361-CE95CE932DF6} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1673897430" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143339" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4220 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 5000 wrote to memory of 980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5000 wrote to memory of 980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5000 wrote to memory of 980 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4220 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4220 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4220 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3976 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3976 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4220 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2668 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2668 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4220 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2856 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2856 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4220 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 844 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 844 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4220 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4004 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4004 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2580 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2580 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4220 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4968 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4968 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe

"C:\Users\Admin\AppData\Local\Temp\7f662d6d62b164792eaef7a78c66c938af5a6bdf5ec540955106bbbf3dfb9c86N.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            www.212ok.com                   udp
HK       38.11.229.201:80      www.212ok.com                   tcp
HK       38.11.229.201:80      www.212ok.com                   tcp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa        udp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53            201.229.11.38.in-addr.arpa      udp
US       8.8.8.8:53            74.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53            53.210.109.20.in-addr.arpa      udp
US       8.8.8.8:53            161.19.199.152.in-addr.arpa     udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53            98.117.19.2.in-addr.arpa        udp
US       204.79.197.200:443    ieonline.microsoft.com          tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53            14.227.111.52.in-addr.arpa      udp

Files

memory/4220-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\WINDOWS\windows.exe

MD5 42d8f9cc719fd55af7a1f536f69e2226
SHA1 53367cee3a886ca6d7842b3bf0ac7cf96b3c0b61
SHA256 18dc18abf61fdcebfa9b94acadcd0ec5c41aa72ef453c542b819a6d4c06818d9
SHA512 52eb7e7327b46fcf3a0ad5718986b887d93c5b5892dc73604de01e0592788d7a2531e5be4918cfb2df1ed9ce4cc6fe96e12606acf72f6556623461651e9873ca

C:\system.exe

MD5 91a58e1f5e36c46df817a89e674692dc
SHA1 0f5f3820247d06d1f973e01ff81383cb1412d537
SHA256 38381efe9b0e26734a1dda63cdd917a17cf137d8f4c0452a357d030944863528
SHA512 1514d3c89503f8aa8fcecda36c48c372d9a917eacfde7ca0fa87f61d24ab4f25884de831282f5e610481456f7993aad4d995ed4f5e105fdac9226d8d8ee608bf

memory/4220-20-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b88227d8cd7a65511bbbb66e5a26e3de
SHA1 40d381d159da1285f947c468717c8ca0c02ff597
SHA256 e7559c406347f6de487b4cd642fb3c430120fe16da8fa4a2f5a303707da42ddb
SHA512 6af22698ae6e729212d963d151d289e0810338d4b063f10129bff94288b4b78e9e8e9bac5f11ed4bdea966e6eeded3e5fc3283d132400f0cb8059d61e68837c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 c5b910a3883b5d54b26fa68341b223ea
SHA1 6e1ed477f1a57feecb562b4951859ae17bef7b83
SHA256 c4913226904f98c44475945044975f6509c21fa99c637077fa4c9df068348cb7
SHA512 11a05d600f300e1cc2f0a5f8d7b2e55fae94b018c3e420b81e37d2da8d27e78fae00406ae1f963b66552866d9d4f3021b95aa60f3a23f242ea106054b907e105

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee