2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/09/2022, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe
Size

7.9MB
MD5

0db11d9b70979077ee5c9b64ea246642
SHA1

3da78b279f552aaf5e55fde70a02f4fa420603b7
SHA256

2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0
SHA512

b0a1d1f489e13af484afc958d97d784d5b2b224a38df1ce8f2a80a21905aa44d9e3ecced1b1970db99faa208648c64b9830524bd9d8dfa0f2d882436ab1aa9a0
SSDEEP

196608:NIaoWrmazl5IaoWrmazlc+WV4TR6sH96BCnh72J1IFFtxjMeB1EWe39MgIaowrmv:NIaoWqqIaoWqMWV4VwBEhyGtxwSgIao7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe
1372	regsvr32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSCOMM32.oca	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMM32.oca	cmd.exe
File created	C:\Windows\SysWOW64\mscomm32.ocx	cmd.exe
File opened for modification	C:\Windows\SysWOW64\mscomm32.ocx	cmd.exe
File created	C:\Windows\SysWOW64\MSCOMM32.DEP	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMM32.DEP	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{648A5603-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\6FB38640-6AC7-11cf-8ADB-00AA00C00905\ = "gdjkokgdldikhdddpjkkekgknesjikdkoioh"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\ = "IMSComm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{648A5602-2C6E-101B-82B6-000000000014}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\ED4B87C4-9F76-11d1-8BF7-0000F8754DA1	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\DC4D7920-6AC8-11cf-8ADB-00AA00C00905	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\DC4D7920-6AC8-11cf-8ADB-00AA00C00905\ = "iokouhloohrojhhhtnooiokomiwnmohosmsl"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\TypeLib\ = "{648A5603-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{648A5603-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\78E1BDD1-9941-11cf-9756-00AA00C00908\ = "yjrjvqkjlqqjnqkjvprqsjnjvkuknjpjtoun"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FC8A81-2CB2-101B-82B6-000000000014}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{648A5603-2C6E-101B-82B6-000000000014}\1.1\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0DC8C80-3486-101B-82B6-000000000014}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMM32.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\CDE57A55-8B86-11D0-b3C6-00A0C90AEA82\ = "ekpkhddkjkekpdjkqemkfkldoeoefkfdjfqe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\2c49f800-c2dd-11cf-9ad6-0080c7e7b78d\ = "mlrljgrlhltlngjlthrligklpkrhllglqlrk"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\096EFC40-6ABF-11cf-850C-08002B30345D	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\B1692F60-23B0-11D0-8E95-00A0C90F26F8	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FC8A81-2CB2-101B-82B6-000000000014}\ = "MSComm Hardware Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{648A5602-2C6E-101B-82B6-000000000014}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{648A5602-2C6E-101B-82B6-000000000014}\ = "DMSCommEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905\ = "aahakhchghkhfhaamghhbhbhkbpgfhahlfle"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCOMMLib.MSComm\CLSID\ = "{648A5600-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCOMMLib.MSComm.1\CLSID\ = "{648A5600-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\7C35CA30-D112-11cf-8E72-00A0C90F26F8\ = "whmhmhohmhiorhkouimhihihwiwinhlosmsl"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\43478d75-78e0-11cf-8e78-00a0d100038e\ = "imshohohphlmnhimuinmphmmuiminhlmsmsl"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5604-2C6E-101B-82B6-000000000014}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{648A5603-2C6E-101B-82B6-000000000014}\1.1\0\win32\ = "C:\\Windows\\SysWOW64\\MSCOMM32.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\4250E830-6AC2-11cf-8ADB-00AA00C00905\ = "kjljvjjjoquqmjjjvpqqkqmqykypoqjquoun"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\43478d75-78e0-11cf-8e78-00a0d100038e	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\9E799BF1-8817-11cf-958F-0020AFC28C3B\ = "uqpqnqkjujkjjjjqwktjrjkjtkupsjnjtoun"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FC8A81-2CB2-101B-82B6-000000000014}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{648A5603-2C6E-101B-82B6-000000000014}\1.1\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\9E799BF1-8817-11cf-958F-0020AFC28C3B	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\80E80EF0-DBBE-11D0-BCE2-00A0C90DCA10\ = "qijimitpmpnpxplpvjnikpkpqoxjmpkpoivj"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{648A5603-2C6E-101B-82B6-000000000014}\1.1\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E90-DF38-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{648A5602-2C6E-101B-82B6-000000000014}\TypeLib\ = "{648A5603-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\C4145310-469C-11d1-B182-00A0C922E820	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\A133F000-CCB0-11d0-A316-00AA00688B10	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\VersionIndependentProgID\ = "MSCOMMLib.MSComm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\9DF1A470-BA8E-11D0-849C-00A0C90DC8A9\ = "cchcqjejhcgcqcfjpdfcdjkckiqikchcojpd"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCOMMLib.MSComm	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{648A5602-2C6E-101B-82B6-000000000014}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\7C35CA30-D112-11cf-8E72-00A0C90F26F8	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{648A5604-2C6E-101B-82B6-000000000014}\ = "MSComm General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\B1EFCCF0-6AC1-11cf-8ADB-00AA00C00905	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 2020 wrote to memory of 684	2020	2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe	28
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1372	684	cmd.exe	30
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1624	684	cmd.exe	32
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1500	684	cmd.exe	33
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 1956	684	cmd.exe	34
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 852	684	cmd.exe	35
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 1156	684	cmd.exe	36
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 2032	684	cmd.exe	37
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 976	684	cmd.exe	38
PID 684 wrote to memory of 1232	684	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe
"C:\Users\Admin\AppData\Local\Temp\2ff896e0eb0826b01108b2f34ff542221442047164e91570d7b556e0904496b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\青鸟控制器调试软件\register.bat" "
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s MSCOMM32.OCX
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1372
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses" /v "" /t REG_SZ /d "Licensing: Copying the keys may be a violation of established copyrights." /f
    3⤵
    - Modifies registry class
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\BC96F860-9928-11cf-8AFA-00AA00C00905" /v "" /t REG_SZ /d "mmimfflflmqmlfffrlnmofhfkgrlmmfmqkqj" /f
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\12B142A4-BD51-11d1-8C08-0000F8754DA1" /v "" /t REG_SZ /d "aadhgafabafajhchnbchehfambfbbachmfmb" /f
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\4D553650-6ABE-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "gfjmrfkfifkmkfffrlmmgmhmnlulkmfmqkqj" /f
    3⤵
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\C4145310-469C-11d1-B182-00A0C922E820" /v "" /t REG_SZ /d "konhqhioohihphkouimonhqhvnwiqhhhnjti" /f
    3⤵
    - Modifies registry class
    PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\38911DA0-E448-11D0-84A3-00DD01104159" /v "" /t REG_SZ /d "mcpckchcdchjcjcclidcgcgchdqdcjhcojpd" /f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\9E799BF1-8817-11cf-958F-0020AFC28C3B" /v "" /t REG_SZ /d "uqpqnqkjujkjjjjqwktjrjkjtkupsjnjtoun" /f
    3⤵
    - Modifies registry class
    PID:976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "aahakhchghkhfhaamghhbhbhkbpgfhahlfle" /f
    3⤵
    - Modifies registry class
    PID:1232
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\556C75F1-EFBC-11CF-B9F3-00A0247033C4" /v "" /t REG_SZ /d "xybiedobrqsprbijaegcbislrsiucfjdhisl" /f
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\096EFC40-6ABF-11cf-850C-08002B30345D" /v "" /t REG_SZ /d "knsgigmnmngnmnigthmgpninrmumhgkgrlrk" /f
    3⤵
    - Modifies registry class
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\78E1BDD1-9941-11cf-9756-00AA00C00908" /v "" /t REG_SZ /d "yjrjvqkjlqqjnqkjvprqsjnjvkuknjpjtoun" /f
    3⤵
    - Modifies registry class
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\B1EFCCF0-6AC1-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "qqkjvqpqmqjjpqjjvpqqkqmqvkypoqjquoun" /f
    3⤵
    - Modifies registry class
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\7C35CA30-D112-11cf-8E72-00A0C90F26F8" /v "" /t REG_SZ /d "whmhmhohmhiorhkouimhihihwiwinhlosmsl" /f
    3⤵
    - Modifies registry class
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\4F86BADF-9F77-11d1-B1B7-0000F8753F5D" /v "" /t REG_SZ /d "iplpwpnippopupiivjrioppisjsjlpiiokuj" /f
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\ED4B87C4-9F76-11d1-8BF7-0000F8754DA1" /v "" /t REG_SZ /d "knlggnmntgggrninthpgmnngrhqhnnjnslsh" /f
    3⤵
    - Modifies registry class
    PID:1132
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\4250E830-6AC2-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "kjljvjjjoquqmjjjvpqqkqmqykypoqjquoun" /f
    3⤵
    - Modifies registry class
    PID:1008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\CDE57A55-8B86-11D0-b3C6-00A0C90AEA82" /v "" /t REG_SZ /d "ekpkhddkjkekpdjkqemkfkldoeoefkfdjfqe" /f
    3⤵
    - Modifies registry class
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\A133F000-CCB0-11d0-A316-00AA00688B10" /v "" /t REG_SZ /d "cibbcimbpihbbbbbnhdbeidiocmcbbdbgdoc" /f
    3⤵
    - Modifies registry class
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\D015B071-D2ED-11d0-A31A-00AA00688B10" /v "" /t REG_SZ /d "gjdcfjpcmjicjcdcoihcechjlioiccechepd" /f
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\9DF1A470-BA8E-11D0-849C-00A0C90DC8A9" /v "" /t REG_SZ /d "cchcqjejhcgcqcfjpdfcdjkckiqikchcojpd" /f
    3⤵
    - Modifies registry class
    PID:820
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\72E67120-5959-11cf-91F6-C2863C385E30" /v "" /t REG_SZ /d "ibcbbbebqbdbciebmcobmbhifcmciibblgmf" /f
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\899B3E80-6AC6-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "wjsjjjlqmjpjrjjjvpqqkqmqukypoqjquoun" /f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\B1692F60-23B0-11D0-8E95-00A0C90F26F8" /v "" /t REG_SZ /d "mjjjccncgjijrcfjpdfjfcejpdkdkcgjojpd" /f
    3⤵
    - Modifies registry class
    PID:572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\43478d75-78e0-11cf-8e78-00a0d100038e" /v "" /t REG_SZ /d "imshohohphlmnhimuinmphmmuiminhlmsmsl" /f
    3⤵
    - Modifies registry class
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\80E80EF0-DBBE-11D0-BCE2-00A0C90DCA10" /v "" /t REG_SZ /d "qijimitpmpnpxplpvjnikpkpqoxjmpkpoivj" /f
    3⤵
    - Modifies registry class
    PID:1372
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\6FB38640-6AC7-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "gdjkokgdldikhdddpjkkekgknesjikdkoioh" /f
    3⤵
    - Modifies registry class
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\DC4D7920-6AC8-11cf-8ADB-00AA00C00905" /v "" /t REG_SZ /d "iokouhloohrojhhhtnooiokomiwnmohosmsl" /f
    3⤵
    - Modifies registry class
    PID:788
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\190B7910-992A-11cf-8AFA-00AA00C00905" /v "" /t REG_SZ /d "gclclcejjcmjdcccoikjlcecoioijjcjnhng" /f
    3⤵
    PID:812
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\E32E2733-1BC5-11d0-B8C3-00A0C90DCA10" /v "" /t REG_SZ /d "kmhfimlflmmfpffmsgfmhmimngtghmoflhsg" /f
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Licenses\2c49f800-c2dd-11cf-9ad6-0080c7e7b78d" /v "" /t REG_SZ /d "mlrljgrlhltlngjlthrligklpkrhllglqlrk" /f
    3⤵
    - Modifies registry class
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSCOMM32.OCX

Filesize
101KB

MD5
2c6119da3993f410e74b15112f840cb0

SHA1
9d7aaffc0bcf955cc75d4ecc228b1ceda8a1856c

SHA256
51a1d6812e445c26c71465e2709e6d1ad587f8513002d662cd160f424f48b37c

SHA512
053ece4eb2ddba51c0d683a7afd439ed88605ab83619de738f7ad2495bfe9e9f16fc3b829c7fc9c779b50f039b9fad66d16aed520a5adfd1522a711073f78208

Download Submit
C:\青鸟控制器调试软件\MSCOMM32.DEP

Filesize
2KB

MD5
9dd51a3f510f3784d374eb63774c81e2

SHA1
13023d1299592292c1ebadac9d52c8e60866ed4c

SHA256
ca3dadd64b42775bd375a9d064a2fd0948a8b5e80a76c3043d01db87a187413f

SHA512
638fd09c56f681b17b6392a8d9de03cf7d3fb4d7657bf2921b8bd1c4e79f9eb0daa13cc20c4e66ee734ca8f3fdf4d4fbb6dfbe836bce03f85533e7ef551a7be2

Download Submit
C:\青鸟控制器调试软件\MSCOMM32.oca

Filesize
25KB

MD5
1a817232795529636501282b0524dec9

SHA1
27bf42eac337a63c3ec403f816800e171fa625f4

SHA256
6f71d80adbf824406e8ebe26abf69beb09c64285e4f4e195b7e82910db2f8c32

SHA512
3a4f9cf589bb41fdd395b0020dd2d1364804191d2cc569c4ff68e19d8d60224d1701cc770e9510e4c5a9fb46b881a8b31c426ae54c42028f76d57fa31ae87016

Download Submit
C:\青鸟控制器调试软件\Register.bat

Filesize
5KB

MD5
ce694809cba8df11a83294a405b580d6

SHA1
d90a6d9e3cd79bbb8c8920b1eb2a4d7763f8e658

SHA256
3882fefbac7c4f5b025451c7780df5b1a5a36b3663115eec988e11106c4f1152

SHA512
fe6eb9aa2f96e19d581abb7d936ae81b233cd9b96c0dc7639875d11ecbd6c2e27f30c39e81d5eaa0f298ec7c7e1066f22bb388c7e7f3c02f6b5a431f38e1ebdf

Download Submit
C:\青鸟控制器调试软件\mscomm32.ocx

Filesize
101KB

MD5
2c6119da3993f410e74b15112f840cb0

SHA1
9d7aaffc0bcf955cc75d4ecc228b1ceda8a1856c

SHA256
51a1d6812e445c26c71465e2709e6d1ad587f8513002d662cd160f424f48b37c

SHA512
053ece4eb2ddba51c0d683a7afd439ed88605ab83619de738f7ad2495bfe9e9f16fc3b829c7fc9c779b50f039b9fad66d16aed520a5adfd1522a711073f78208

Download Submit
\Windows\SysWOW64\mscomm32.ocx

Filesize
101KB

MD5
2c6119da3993f410e74b15112f840cb0

SHA1
9d7aaffc0bcf955cc75d4ecc228b1ceda8a1856c

SHA256
51a1d6812e445c26c71465e2709e6d1ad587f8513002d662cd160f424f48b37c

SHA512
053ece4eb2ddba51c0d683a7afd439ed88605ab83619de738f7ad2495bfe9e9f16fc3b829c7fc9c779b50f039b9fad66d16aed520a5adfd1522a711073f78208

Download Submit
\青鸟控制器调试软件\JbuPanelDebuggingToolV3.exe

Filesize
2.4MB

MD5
e6f82154ebb639d02d7be37b668cc6b7

SHA1
84d9d41c0a18a1a5ba1e57f2ab2e8e64cbdc8042

SHA256
fa21b1788511986bdfb6ab0972415dde542a770e875924707d979ea0bce020f9

SHA512
410712ba22f61d80e1ae0eb65c49dda4b59521595a04e45eeeea762b5124e25534655177a689c9b32ed7c1f41c0bd6540f7268259abf20031d33cb78fefcf783

Download Submit
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download