76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d

Analysis

max time kernel
249s
max time network
369s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
Size

1.8MB
MD5

0dffd34640eb0bf4a199ee3ed018ae52
SHA1

fd381c88c26c51e6a5a313a9b83b9d185e6f86f9
SHA256

76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d
SHA512

4eaa7678c80fcc3779ed07e4f27f0a42630c98e1727850fabd547be395a5d2ae2e40350a3db445934f79e059eff660f160d9f649521edb5cc5f0d72e896d002a
SSDEEP

24576:3B/E0QwpHP5IX2Zfxh5sVuRmG4WLKPBHmOnrRbPqnpMd5itymGqEFNIjsgW:R/d9pvxMuR4WwH5rhOpeUtRELIog

Score

9^/10

bootkit evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe

Executes dropped EXE 4 IoCs

pid	Process
1744	DNF3 2012-09-05 22.41.exe
1412	svchost.exe
1768	Guarder.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe

Loads dropped DLL 14 IoCs

pid	Process
1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
1744	DNF3 2012-09-05 22.41.exe
1412	svchost.exe
1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dnf小岚0907A全屏秒杀全屏爆炸.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DNFÐ¡á°.dll	dnf小岚0907A全屏秒杀全屏爆炸.exe
File created	C:\Windows\SysWOW64\ÄÚ´æ´úÂë.txt	dnf小岚0907A全屏秒杀全屏爆炸.exe
File opened for modification	C:\Windows\SysWOW64\DNFÐ¡á°.dll	dnf小岚0907A全屏秒杀全屏爆炸.exe
File created	C:\Windows\SysWOW64\Ð¡á°×¢Èë.ime	dnf小岚0907A全屏秒杀全屏爆炸.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Shared\Record.dat	DNF3 2012-09-05 22.41.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\svchost.exe	DNF3 2012-09-05 22.41.exe
File created	C:\Program Files (x86)\Common Files\Shared\svchost.exe	DNF3 2012-09-05 22.41.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\RCXAFD0.tmp	DNF3 2012-09-05 22.41.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\Guarder.exe	svchost.exe
File created	C:\Program Files (x86)\Common Files\Shared\Guarder.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5153CA1-72D6-11ED-BAC3-4ADA2A0CA6C6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D51563B1-72D6-11ED-BAC3-4ADA2A0CA6C6} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
1744	DNF3 2012-09-05 22.41.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1768	Guarder.exe
Token: 33	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: SeIncBasePriorityPrivilege	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: 33	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: SeIncBasePriorityPrivilege	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: 33	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: SeIncBasePriorityPrivilege	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: 33	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: SeIncBasePriorityPrivilege	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: 33	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: SeIncBasePriorityPrivilege	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: 33	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
Token: SeIncBasePriorityPrivilege	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
292	iexplore.exe
1136	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1744	DNF3 2012-09-05 22.41.exe
1412	svchost.exe
1412	svchost.exe
1768	Guarder.exe
1768	Guarder.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
1036	dnf小岚0907A全屏秒杀全屏爆炸.exe
292	iexplore.exe
292	iexplore.exe
1136	iexplore.exe
1136	iexplore.exe
776	IEXPLORE.EXE
776	IEXPLORE.EXE
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1744	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	28
PID 1512 wrote to memory of 1744	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	28
PID 1512 wrote to memory of 1744	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	28
PID 1512 wrote to memory of 1744	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	28
PID 1744 wrote to memory of 1412	1744	DNF3 2012-09-05 22.41.exe	29
PID 1744 wrote to memory of 1412	1744	DNF3 2012-09-05 22.41.exe	29
PID 1744 wrote to memory of 1412	1744	DNF3 2012-09-05 22.41.exe	29
PID 1744 wrote to memory of 1412	1744	DNF3 2012-09-05 22.41.exe	29
PID 1412 wrote to memory of 1768	1412	svchost.exe	30
PID 1412 wrote to memory of 1768	1412	svchost.exe	30
PID 1412 wrote to memory of 1768	1412	svchost.exe	30
PID 1412 wrote to memory of 1768	1412	svchost.exe	30
PID 1512 wrote to memory of 1036	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	31
PID 1512 wrote to memory of 1036	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	31
PID 1512 wrote to memory of 1036	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	31
PID 1512 wrote to memory of 1036	1512	76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe	31
PID 1036 wrote to memory of 292	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	32
PID 1036 wrote to memory of 292	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	32
PID 1036 wrote to memory of 292	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	32
PID 1036 wrote to memory of 292	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	32
PID 1036 wrote to memory of 1136	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	33
PID 1036 wrote to memory of 1136	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	33
PID 1036 wrote to memory of 1136	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	33
PID 1036 wrote to memory of 1136	1036	dnf小岚0907A全屏秒杀全屏爆炸.exe	33
PID 292 wrote to memory of 776	292	iexplore.exe	36
PID 292 wrote to memory of 776	292	iexplore.exe	36
PID 292 wrote to memory of 776	292	iexplore.exe	36
PID 292 wrote to memory of 776	292	iexplore.exe	36
PID 1136 wrote to memory of 1408	1136	iexplore.exe	35
PID 1136 wrote to memory of 1408	1136	iexplore.exe	35
PID 1136 wrote to memory of 1408	1136	iexplore.exe	35
PID 1136 wrote to memory of 1408	1136	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
"C:\Users\Admin\AppData\Local\Temp\76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe
  "C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Program Files (x86)\Common Files\Shared\svchost.exe
    "C:\Program Files (x86)\Common Files\Shared\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Program Files (x86)\Common Files\Shared\Guarder.exe
      1412*C:\Program Files (x86)\Common Files\Shared\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1768
- C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe
  "C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" www.dnfxiaolan.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:292 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:776
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" www.dnfxiaolan.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1136 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Shared\Guarder.exe

Filesize
4.1MB

MD5
6b7fc45ec32c45984e9842f8a7e8c976

SHA1
b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

SHA256
31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

SHA512
5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

Download Submit
C:\Program Files (x86)\Common Files\Shared\Record.dat

Filesize
260B

MD5
33418954cba5cdba78b6c7535faccaca

SHA1
b941f030693597aa8c513f8eb79faee3e380e4e9

SHA256
ab3716fafd0a19d07901e6a26f4e5ff922dab3f7d830127200a70ffe1df261e3

SHA512
93c4aa71f739c6928e7abfc1c1ecb6696bbc16ace8652d9baaead5c75d731ed47bcb42fbfe58d63a6b99ba9be43604eff43e6c3055e47dd810bcd61365025eed

Download Submit
C:\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
6b7fc45ec32c45984e9842f8a7e8c976

SHA1
b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

SHA256
31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

SHA512
5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

Download Submit
C:\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
6b7fc45ec32c45984e9842f8a7e8c976

SHA1
b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

SHA256
31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

SHA512
5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D5153CA1-72D6-11ED-BAC3-4ADA2A0CA6C6}.dat

Filesize
3KB

MD5
859c0777650e364d1c58d88b97816dcf

SHA1
f8d6d0b90779747160570fdfacb58bb5cf498c66

SHA256
b066618f9f5285d6e619024e5bc85956d651d6b4018bc79fc4dd7b0203dbf26f

SHA512
9dbabed39bae63baaa3dc53363cd85bb9d453bf74fb80e624725fa0a51fbb76b4d35338e02b5d674c80c6e1cafdaec6b7f0a65948464afda15d004477fcace5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D51563B1-72D6-11ED-BAC3-4ADA2A0CA6C6}.dat

Filesize
5KB

MD5
1056d967e10f31d86855e24487d2df32

SHA1
cec16ca34c1957d7c14f8725cb01ee864f7e2d47

SHA256
8cae0ebb8dae0d0dc02b8254fa3876bb3840b8c8abe1253f1a385810852f8158

SHA512
ff013d34423c47ac5bf9597340b116f883e8e57ca2a6f7645dd90c560c0297aa1bff2b6cc4d076744c9868ee063d2252927c419a537a4f1854fb0eaea6cc796f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe

Filesize
97KB

MD5
11735bdb2ca8632f72da3e37052f40d2

SHA1
abdd3678d3f9ad3751ef82c8912828802e3e565f

SHA256
4b11aff6f8821fe3160c071f78db37c33226d163a4503678e2ffa1e96f37c86a

SHA512
69f8b4ec629c0951c84bb7f118690c6bbdeaa0b24b2a9bccad6417e1eef983fb159a2872c9f2b020923074ea005cf03c2588a3533daf855b34217f2991c25ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe

Filesize
97KB

MD5
11735bdb2ca8632f72da3e37052f40d2

SHA1
abdd3678d3f9ad3751ef82c8912828802e3e565f

SHA256
4b11aff6f8821fe3160c071f78db37c33226d163a4503678e2ffa1e96f37c86a

SHA512
69f8b4ec629c0951c84bb7f118690c6bbdeaa0b24b2a9bccad6417e1eef983fb159a2872c9f2b020923074ea005cf03c2588a3533daf855b34217f2991c25ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe

Filesize
19.7MB

MD5
6430600d3f47519135cd132e219164ff

SHA1
466580f053f216afbed956b46096fd2edb985e17

SHA256
786d74121b9c74494a619e53ad283b94b5dfa0fd97d7854854e12f397c4c9ec1

SHA512
236f4a40319d320f4e5e405bae99936fc29861ae98e4000c5a116b709c5ebe3b79c2a09bd9d7cd8ed981441825cd1cfe00d0fcb16753c657550a6f90384fa154

Download Submit
\Program Files (x86)\Common Files\Shared\Guarder.exe

Filesize
4.1MB

MD5
6b7fc45ec32c45984e9842f8a7e8c976

SHA1
b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

SHA256
31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

SHA512
5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
6b7fc45ec32c45984e9842f8a7e8c976

SHA1
b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

SHA256
31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

SHA512
5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

Download Submit
\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe

Filesize
97KB

MD5
11735bdb2ca8632f72da3e37052f40d2

SHA1
abdd3678d3f9ad3751ef82c8912828802e3e565f

SHA256
4b11aff6f8821fe3160c071f78db37c33226d163a4503678e2ffa1e96f37c86a

SHA512
69f8b4ec629c0951c84bb7f118690c6bbdeaa0b24b2a9bccad6417e1eef983fb159a2872c9f2b020923074ea005cf03c2588a3533daf855b34217f2991c25ea7

Download Submit
\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe

Filesize
19.7MB

MD5
6430600d3f47519135cd132e219164ff

SHA1
466580f053f216afbed956b46096fd2edb985e17

SHA256
786d74121b9c74494a619e53ad283b94b5dfa0fd97d7854854e12f397c4c9ec1

SHA512
236f4a40319d320f4e5e405bae99936fc29861ae98e4000c5a116b709c5ebe3b79c2a09bd9d7cd8ed981441825cd1cfe00d0fcb16753c657550a6f90384fa154

Download Submit
\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe

Filesize
19.7MB

MD5
6430600d3f47519135cd132e219164ff

SHA1
466580f053f216afbed956b46096fd2edb985e17

SHA256
786d74121b9c74494a619e53ad283b94b5dfa0fd97d7854854e12f397c4c9ec1

SHA512
236f4a40319d320f4e5e405bae99936fc29861ae98e4000c5a116b709c5ebe3b79c2a09bd9d7cd8ed981441825cd1cfe00d0fcb16753c657550a6f90384fa154

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
\Windows\SysWOW64\Ð¡á°×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
memory/1512-54-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1512-61-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1512-62-0x0000000077A10000-0x0000000077B90000-memory.dmp

Filesize
1.5MB

Download
memory/1512-57-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1512-79-0x0000000077A10000-0x0000000077B90000-memory.dmp

Filesize
1.5MB

Download
memory/1512-78-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1512-56-0x0000000077A10000-0x0000000077B90000-memory.dmp

Filesize
1.5MB

Download
memory/1512-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download