5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181

Analysis

max time kernel
126s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
Size

135KB
MD5

7813e5030b0092e14d1fb0209ce922ec
SHA1

2f8b63c5084acdeb7d96c1c26a71aef2cdaa0694
SHA256

5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181
SHA512

eb7f0c0853312973ee8faa86f5b4d50d0ac102ddf5a0d177eff2ced87ca99a5f99af5880a3f469361fc5e0b9c2e834da04f5dd92db69b1389c008ac1c417e238
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rfvlJk7xFRaSG2yQM:WTfFDbRnOTrf9JyS52c

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Inonet.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\ku.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\youxi.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\hao.bat	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\qq2009.bat	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240575671	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\qq.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\vod.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\免费电影.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\淘宝购物.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\5y.vbs	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\INT E0XPorer.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\systemvbs.vbs	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\taobao.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\youxi.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\yx.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\zq.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\免费电影.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\qq2009.bat	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\hao.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\qq.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\zq.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\5y.vbs	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\mm.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\hao.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\Inonet.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\taobao.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\vod.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\hao.bat	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\mediaplayer_icon.gif	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\mm.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\systemvbs.vbs	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\taobao.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\yx.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\淘宝购物.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\腾讯QQ.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\腾讯QQ.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\mediaplayer_icon.gif	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\yx.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\ku.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\yx.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File created	C:\Windows\SysWOW64\zq.ico	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\zq.lnk	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
File opened for modification	C:\Windows\SysWOW64\INT E0XPorer.url	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b6189e96ccd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C572AC8D-3889-11ED-89AC-C2DBB15B3A76} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985366"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985366"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2589763496"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2589763496"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985366"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000e910a16a88764f2eaaf0694480c1fd6bf53f63faf7c2a870442a164ff6199d43000000000e800000000200002000000041baf6a6bc5dbc26e11c40e8728831ee2ed3aa4a633f6003c682d284dcd4911720000000d6a48b6bee80cb9b2498bbb4e62aa0c4407a075bb467006846866ce127bd739b40000000bf80cbebd067a629fc82e15ef5fde94b7af1570d0ff311956c262794baf1e7f6ac4caf14eeae25d51c2240683b4efe9fd1fdae33437ebad76d66a5cc888b2a1e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000007ef4159f9f18e66131c7c6fdcf1d25111f71ce24cd03d1756c54e8b3a28b7548000000000e80000000020000200000004d38d95a35be7d840af307decb80108b722c4dff39cd4f175cefa430486eb22420000000e3645952ec7c995a08e589c80a986609d15feefb0a66ed10e5cb5202448972dc400000003c6038e2760a7006bfb70f902b81fd47f68aee15d4198158c56263887ce09b39566eacab3c378ad5dd8cf7c14791a730d1c301e3e56d342d2dca776a34d8e184	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C572857D-3889-11ED-89AC-C2DBB15B3A76} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2744764813"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2744764813"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370404965"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2601951496"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985366"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985366"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106bcc9d96ccd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4240	IEXPLORE.EXE
1240	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE
4240	IEXPLORE.EXE
4240	IEXPLORE.EXE
3720	IEXPLORE.EXE
3720	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4848	4804	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe	82
PID 4804 wrote to memory of 4848	4804	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe	82
PID 4804 wrote to memory of 4848	4804	5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe	82
PID 4848 wrote to memory of 3972	4848	WScript.exe	83
PID 4848 wrote to memory of 3972	4848	WScript.exe	83
PID 4848 wrote to memory of 3972	4848	WScript.exe	83
PID 3972 wrote to memory of 4620	3972	cmd.exe	85
PID 3972 wrote to memory of 4620	3972	cmd.exe	85
PID 3972 wrote to memory of 4620	3972	cmd.exe	85
PID 3972 wrote to memory of 3564	3972	cmd.exe	86
PID 3972 wrote to memory of 3564	3972	cmd.exe	86
PID 3972 wrote to memory of 3564	3972	cmd.exe	86
PID 3972 wrote to memory of 1004	3972	cmd.exe	87
PID 3972 wrote to memory of 1004	3972	cmd.exe	87
PID 3972 wrote to memory of 1004	3972	cmd.exe	87
PID 1004 wrote to memory of 1216	1004	rundll32.exe	88
PID 1004 wrote to memory of 1216	1004	rundll32.exe	88
PID 1004 wrote to memory of 1216	1004	rundll32.exe	88
PID 1216 wrote to memory of 3892	1216	runonce.exe	89
PID 1216 wrote to memory of 3892	1216	runonce.exe	89
PID 1216 wrote to memory of 3892	1216	runonce.exe	89
PID 3972 wrote to memory of 3108	3972	cmd.exe	93
PID 3972 wrote to memory of 3108	3972	cmd.exe	93
PID 3972 wrote to memory of 3108	3972	cmd.exe	93
PID 3972 wrote to memory of 3176	3972	cmd.exe	94
PID 3972 wrote to memory of 3176	3972	cmd.exe	94
PID 3972 wrote to memory of 3176	3972	cmd.exe	94
PID 3972 wrote to memory of 3008	3972	cmd.exe	95
PID 3972 wrote to memory of 3008	3972	cmd.exe	95
PID 3972 wrote to memory of 3008	3972	cmd.exe	95
PID 3972 wrote to memory of 2708	3972	cmd.exe	96
PID 3972 wrote to memory of 2708	3972	cmd.exe	96
PID 3972 wrote to memory of 2708	3972	cmd.exe	96
PID 3972 wrote to memory of 3556	3972	cmd.exe	97
PID 3972 wrote to memory of 3556	3972	cmd.exe	97
PID 3972 wrote to memory of 3556	3972	cmd.exe	97
PID 3972 wrote to memory of 3936	3972	cmd.exe	98
PID 3972 wrote to memory of 3936	3972	cmd.exe	98
PID 3972 wrote to memory of 3936	3972	cmd.exe	98
PID 3972 wrote to memory of 1072	3972	cmd.exe	99
PID 3972 wrote to memory of 1072	3972	cmd.exe	99
PID 3972 wrote to memory of 1072	3972	cmd.exe	99
PID 3972 wrote to memory of 4696	3972	cmd.exe	100
PID 3972 wrote to memory of 4696	3972	cmd.exe	100
PID 3972 wrote to memory of 4696	3972	cmd.exe	100
PID 3972 wrote to memory of 4948	3972	cmd.exe	101
PID 3972 wrote to memory of 4948	3972	cmd.exe	101
PID 3972 wrote to memory of 4948	3972	cmd.exe	101
PID 3972 wrote to memory of 2732	3972	cmd.exe	102
PID 3972 wrote to memory of 2732	3972	cmd.exe	102
PID 3972 wrote to memory of 2732	3972	cmd.exe	102
PID 3972 wrote to memory of 4652	3972	cmd.exe	103
PID 3972 wrote to memory of 4652	3972	cmd.exe	103
PID 3972 wrote to memory of 4652	3972	cmd.exe	103
PID 3972 wrote to memory of 3256	3972	cmd.exe	104
PID 3972 wrote to memory of 3256	3972	cmd.exe	104
PID 3972 wrote to memory of 3256	3972	cmd.exe	104
PID 3972 wrote to memory of 4232	3972	cmd.exe	105
PID 3972 wrote to memory of 4232	3972	cmd.exe	105
PID 3972 wrote to memory of 4232	3972	cmd.exe	105
PID 3972 wrote to memory of 4760	3972	cmd.exe	107
PID 3972 wrote to memory of 4760	3972	cmd.exe	107
PID 3972 wrote to memory of 4760	3972	cmd.exe	107
PID 4232 wrote to memory of 4240	4232	iexplore.exe	108

Views/modifies file attributes 1 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2292	attrib.exe
3884	attrib.exe
4264	attrib.exe
4156	attrib.exe
804	attrib.exe
4592	attrib.exe
4960	attrib.exe
3548	attrib.exe
3228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
"C:\Users\Admin\AppData\Local\Temp\5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\5y.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\hao.bat" "
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:4620
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:3892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\*.lnk" /p everyone:f
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\*.url" /p everyone:f
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Documents and Settings\All Users\╫└├µ\*.lnk" /p everyone:f
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Documents and Settings\All Users\╫└├µ\*.url" /p everyone:f
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" /p everyone:f
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.url" /p everyone:f
      4⤵
      PID:3256
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.7802.com/index1.html
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.7802.com/index1.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4240
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4240 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1276
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://fzlsisi.com/fenlei.htm
      4⤵
      PID:4760
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://fzlsisi.com/fenlei.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1240
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:3884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\═°╓╖╓«╝╥.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:4156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\├Γ╖╤╡τ╙░.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:4592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:4960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╠╘▒ª╣║╬∩.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:3548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:4264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:3228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" /p everyone:R
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk" /p everyone:R
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk" /p everyone:R
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\├Γ╖╤╡τ╙░.lnk" /p everyone:R
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" /p everyone:R
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" /p everyone:R
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\Internet Expleror.lnk" /p everyone:R
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" /p everyone:R
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" /p everyone:R
      4⤵
      PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TmpInf.inf

Filesize
58B

MD5
ef482bb78b8fff6cf20ec2ff9a677a93

SHA1
7613c5c62b89e63dc686c0f4007c4a77a4a77335

SHA256
7fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d

SHA512
b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
520071a63bb5e2038486cd0ce14055b1

SHA1
752cfb61bbe3ae1e2c2609c53aeee510661a59ed

SHA256
f8a989e9cf1fe0f0000c795537122a3c727e3b570b66582bfb62d9bbae4b20f8

SHA512
6f0131c9e0943c6a13d52a7525e1c592c95db868bf2dd21a8a37254150a239748985cc31518d0c4844bebfc5613feee6857b5debfbbbd6ed4539cd5e494ebbb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d2018985ce31d406fae046d0e5a37d19

SHA1
c91917d34f1d5976852b576c746b395b61390300

SHA256
9f11eb3b17ed3684a989cca6453d564f2c5ae8af12d75b9c193bb0cab187bc90

SHA512
3e5dc8fc4b5a14eb16d22164f939e8655ef5519453f7d3239afadb1248e2fecd6f43b11032618d313eba3ac6ef31b8b1f32a3aa19412b555468565b9d925554f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C572857D-3889-11ED-89AC-C2DBB15B3A76}.dat

Filesize
3KB

MD5
8001fbc9ff5e890151b3eb772039de1c

SHA1
febaac9142c7b84ee6824c0dd90f792cc96cdf33

SHA256
7cd81bad5229addc6fd25e6480d1e28a251c99a5f74718f214085b62b922de19

SHA512
72832d82f204bd540cae1d6b63a6c77042f2d5a186935ed411cb1b3bab8fbe87dd95fb8b7e9268096d46ef5e9cfa439e4fc19c0002c80e06aaf08aa8f53039bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C572AC8D-3889-11ED-89AC-C2DBB15B3A76}.dat

Filesize
3KB

MD5
99e6ec86778eef8aa6fcecafad5105c3

SHA1
fab9e56a187b0ac8c9055b621adcf17501632832

SHA256
ccf7cb60d251a37e8b39b2a88aa5e888a26ec03435d202a29df10571161764c5

SHA512
ca57282d93df93c6b53c0c561287b8ca3850686d98d3ddcf463dd858b3aa006f55419df29534d9607ba968aed8818d8b2213606b5fb881a1837b23d4d427d027

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk

Filesize
800B

MD5
a3ab5b82d1e6714262bc167f130045c5

SHA1
94998582d6029b0539b26dcecd2b1050dfcc9d12

SHA256
5a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17

SHA512
1c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk

Filesize
1KB

MD5
91cc4989f6d5a642533dfb150f97dadc

SHA1
61bb275bc5645e131145e4ff57c8175f9669e03c

SHA256
84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821

SHA512
d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

Download Submit
C:\Users\Admin\Favorites\╨í╙╬╧╖.lnk

Filesize
1KB

MD5
91cc4989f6d5a642533dfb150f97dadc

SHA1
61bb275bc5645e131145e4ff57c8175f9669e03c

SHA256
84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821

SHA512
d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

Download Submit
C:\WINDOWS\SysWOW64\hao.bat

Filesize
5KB

MD5
64e9d4f8cd396c5b7dd0084d6c0619c5

SHA1
0a6e405b7d0092b1bd671c973980f8bb482201ce

SHA256
5302208aa85b805180cf7becb7d180f1d5729bcee241b543904be3e3eb2c0189

SHA512
e57c797e75baf5b387f92dbc5d46e92bd9d0709ea2aa5b70537b67006244ab56446b717b013a05cdf48d19d39150fac7003ab1f76e2c59458f451e352598fe3e

Download Submit
C:\Windows\SysWOW64\5y.vbs

Filesize
2KB

MD5
1ea9a74910e8916e5009aa50da3cf7ea

SHA1
0953ae0f63d2c65343a7fdade9a767c70b32ffd7

SHA256
97c76777fdbe48fb0ad555fa26c7f82fceec059b3f7605c14bc23573fd012f35

SHA512
0290082a7dfd1beed055be1e46c667d5ddb1311c2feb8139dd686dd38d5eb6025b673988613918f7c8eeb73d37439bcf7407911e6d9a13a42fa91239ae8a150b

Download Submit
C:\Windows\SysWOW64\Inonet.lnk

Filesize
800B

MD5
a3ab5b82d1e6714262bc167f130045c5

SHA1
94998582d6029b0539b26dcecd2b1050dfcc9d12

SHA256
5a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17

SHA512
1c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28

Download Submit
C:\Windows\SysWOW64\hao.lnk

Filesize
949B

MD5
18a02e96e6f8060796b4d5f3772c9e9b

SHA1
8bbcefd7ef25b865bf94461c42f553154bb4698f

SHA256
864c6e35c52d56146166a8a9bdadb011b04198cc179b6b1902f9f05ae8ab8a26

SHA512
4697774150a929dac6c34e1cde3ef9a6f1ee6711c1e16b068768dfdd03b21664377cd6f54ff7f8b8c92e9379b9bb3817c354c1ab061c64ffe49b76ecd606ccef

Download Submit
C:\Windows\SysWOW64\ku.lnk

Filesize
945B

MD5
a8e22b6219720d3fab60fc8b96f8c24f

SHA1
c1892837d5ccd6dcb3bd4f45aa353b430313a86a

SHA256
ca149ca1e50c55155c410e0609b8cea09442dc153d33c9d1682eaa8519d1e89b

SHA512
d96706fa4883962d35c7cd89234940fb10304eba14746454f85c09b3233d7ba71ad462ac4c4333a50eed2ebc6d29c12076d3d0b4f74656fca0d27f01a8f164d1

Download Submit
C:\Windows\SysWOW64\yx.lnk

Filesize
1KB

MD5
91cc4989f6d5a642533dfb150f97dadc

SHA1
61bb275bc5645e131145e4ff57c8175f9669e03c

SHA256
84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821

SHA512
d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

Download Submit
C:\Windows\SysWOW64\zq.lnk

Filesize
1KB

MD5
586858afd4ab25de0f002a9f046f1b66

SHA1
8b713dcaf0818194efa47e821c75f07a2abc406b

SHA256
49a14034c6e670acf765ac34a6066b5c92d7dd841848d8a9ac430f00f58609bd

SHA512
0f13c8ba1f1f8863c2e04a0c1d5aa0688bbf985def8bcdbd154b9cc5ef9e9653b9fdea332726d28cc505ddf72d45c326cc8fa5c683f9087b54055252059a0414

Download Submit
memory/512-173-0x0000000000000000-mapping.dmp

Download
memory/804-164-0x0000000000000000-mapping.dmp

Download
memory/1004-138-0x0000000000000000-mapping.dmp

Download
memory/1072-148-0x0000000000000000-mapping.dmp

Download
memory/1104-170-0x0000000000000000-mapping.dmp

Download
memory/1216-140-0x0000000000000000-mapping.dmp

Download
memory/1224-175-0x0000000000000000-mapping.dmp

Download
memory/1364-181-0x0000000000000000-mapping.dmp

Download
memory/1724-177-0x0000000000000000-mapping.dmp

Download
memory/2068-179-0x0000000000000000-mapping.dmp

Download
memory/2264-187-0x0000000000000000-mapping.dmp

Download
memory/2292-159-0x0000000000000000-mapping.dmp

Download
memory/2544-185-0x0000000000000000-mapping.dmp

Download
memory/2708-145-0x0000000000000000-mapping.dmp

Download
memory/2732-151-0x0000000000000000-mapping.dmp

Download
memory/2848-174-0x0000000000000000-mapping.dmp

Download
memory/3008-144-0x0000000000000000-mapping.dmp

Download
memory/3108-142-0x0000000000000000-mapping.dmp

Download
memory/3176-143-0x0000000000000000-mapping.dmp

Download
memory/3184-183-0x0000000000000000-mapping.dmp

Download
memory/3228-169-0x0000000000000000-mapping.dmp

Download
memory/3256-153-0x0000000000000000-mapping.dmp

Download
memory/3352-178-0x0000000000000000-mapping.dmp

Download
memory/3548-167-0x0000000000000000-mapping.dmp

Download
memory/3556-146-0x0000000000000000-mapping.dmp

Download
memory/3564-137-0x0000000000000000-mapping.dmp

Download
memory/3884-160-0x0000000000000000-mapping.dmp

Download
memory/3892-141-0x0000000000000000-mapping.dmp

Download
memory/3936-147-0x0000000000000000-mapping.dmp

Download
memory/3972-135-0x0000000000000000-mapping.dmp

Download
memory/4108-184-0x0000000000000000-mapping.dmp

Download
memory/4156-163-0x0000000000000000-mapping.dmp

Download
memory/4264-168-0x0000000000000000-mapping.dmp

Download
memory/4368-182-0x0000000000000000-mapping.dmp

Download
memory/4592-165-0x0000000000000000-mapping.dmp

Download
memory/4620-136-0x0000000000000000-mapping.dmp

Download
memory/4652-152-0x0000000000000000-mapping.dmp

Download
memory/4696-149-0x0000000000000000-mapping.dmp

Download
memory/4748-180-0x0000000000000000-mapping.dmp

Download
memory/4848-132-0x0000000000000000-mapping.dmp

Download
memory/4948-150-0x0000000000000000-mapping.dmp

Download
memory/4960-166-0x0000000000000000-mapping.dmp

Download
memory/4988-186-0x0000000000000000-mapping.dmp

Download
memory/5024-171-0x0000000000000000-mapping.dmp

Download
memory/5048-172-0x0000000000000000-mapping.dmp

Download
memory/5080-176-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads