99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 17:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
Size

135KB
MD5

bc9f39ee5787df23c3d2ecdd88a71bdd
SHA1

814cce2ffc9d552559eb5ad36df8bc52010e18b5
SHA256

99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f
SHA512

d2d0903cd37e7edc391d5d654ea8ee592e749e7906fbed266ba24b3acbf07680fb5fb83aab54ec43f37c5b545e993225523b0da619b43ce048cdaa5134dc17b7
SSDEEP

3072:uwxVMhOC/dTDbq91+mno3t4QZQ3rfvlJkJxFRaSG2yQ1:uTfFDbRnOTrf9J0S52F

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yx.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\zq.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\免费电影.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\腾讯QQ.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\Inonet.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\zq.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\免费电影.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\hao.bat	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\ctb.vbs	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\Inonet.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\ku.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\mm.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\vod.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\hao.bat	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\qq2009.bat	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\mediaplayer_icon.gif	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\youxi.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\yx.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\淘宝购物.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\腾讯QQ.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\youxi.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\INT E0XPorer.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\qq.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\systemvbs.vbs	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\vod.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7081446	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\hao.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\mm.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\taobao.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\ctb.vbs	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\yx.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\zq.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\淘宝购物.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\mediaplayer_icon.gif	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\ku.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\systemvbs.vbs	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\taobao.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\taobao.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\qq2009.bat	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\hao.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File created	C:\Windows\SysWOW64\INT E0XPorer.url	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\qq.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\yx.ico	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
File opened for modification	C:\Windows\SysWOW64\zq.lnk	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7002c9359708d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cbd9f4c041b275419d1c5d1e71a2a8c5000000000200000000001066000000010000200000002db6463c8130d801376fc11e7d28a6ee953acd95b33c02f6e12d4e633a28119d000000000e800000000200002000000083b0106b7f70f6ce58fb93110ca5c29127039a51a09a396230ff0ba3d34cf2bc200000009e0ea90bc16ffcf1cb77c9dacdf4074a8916e32f7a36228296adba488fc038df40000000abf93c562026fdccfc485d1a9d650ef007a1cd5e9aeabc9c0876aadaf64360277d59eccfd6efde0b158dcdfc5b725e7455ab34e35ed386a723c96f93105e48d3	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cbd9f4c041b275419d1c5d1e71a2a8c5000000000200000000001066000000010000200000009f36cb0de7d1af57c482a0e7321bd2cd098b2b8157cdc6d43c6e9e3e72165b05000000000e8000000002000020000000ac7547360a8e076f094699949f73ce28ae53d810feada966a72c2d4ff8bb2d8f90000000c44bc24fa16e494f801e8e581f9207c9de21868821b23c4ed6c0bcdbd8893b28855ffd9394ea82f48b8b182c49254643f570e109e6a3816e5816ab93180ebaaa9b1f4b7f36e9fa4fe3c4dd38c949ab1b5ce2d1eb038df0eb3c4db24ca5f0a3f8d65e0c8d813a1cfee84bcad8f0d5710469ca6a6d27e1ecab85037cdde7a013ff95e4decbf252eba9939f99af8a00bb7a40000000ca4d82c116acaba5d1e52986fcbafef68b5aa0ba2b295dc64ab8c4e81c1c6ae20e584d1be2560bfb9b238ea4ee2f1ffc49aad87135aa32702aafcc5b2ee85c81	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5269BE61-748A-11ED-B390-DA7E66F9F45D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{527806A1-748A-11ED-B390-DA7E66F9F45D} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377002276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1088	rundll32.exe
Token: SeRestorePrivilege	1088	rundll32.exe
Token: SeRestorePrivilege	1088	rundll32.exe
Token: SeRestorePrivilege	1088	rundll32.exe
Token: SeRestorePrivilege	1088	rundll32.exe
Token: SeRestorePrivilege	1088	rundll32.exe
Token: SeRestorePrivilege	1088	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1704	IEXPLORE.EXE
1128	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 904	1844	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe	27
PID 1844 wrote to memory of 904	1844	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe	27
PID 1844 wrote to memory of 904	1844	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe	27
PID 1844 wrote to memory of 904	1844	99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe	27
PID 904 wrote to memory of 1124	904	WScript.exe	28
PID 904 wrote to memory of 1124	904	WScript.exe	28
PID 904 wrote to memory of 1124	904	WScript.exe	28
PID 904 wrote to memory of 1124	904	WScript.exe	28
PID 1124 wrote to memory of 1712	1124	cmd.exe	30
PID 1124 wrote to memory of 1712	1124	cmd.exe	30
PID 1124 wrote to memory of 1712	1124	cmd.exe	30
PID 1124 wrote to memory of 1712	1124	cmd.exe	30
PID 1124 wrote to memory of 1140	1124	cmd.exe	31
PID 1124 wrote to memory of 1140	1124	cmd.exe	31
PID 1124 wrote to memory of 1140	1124	cmd.exe	31
PID 1124 wrote to memory of 1140	1124	cmd.exe	31
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1124 wrote to memory of 1088	1124	cmd.exe	32
PID 1088 wrote to memory of 1776	1088	rundll32.exe	33
PID 1088 wrote to memory of 1776	1088	rundll32.exe	33
PID 1088 wrote to memory of 1776	1088	rundll32.exe	33
PID 1088 wrote to memory of 1776	1088	rundll32.exe	33
PID 1776 wrote to memory of 1380	1776	runonce.exe	34
PID 1776 wrote to memory of 1380	1776	runonce.exe	34
PID 1776 wrote to memory of 1380	1776	runonce.exe	34
PID 1776 wrote to memory of 1380	1776	runonce.exe	34
PID 1124 wrote to memory of 1740	1124	cmd.exe	36
PID 1124 wrote to memory of 1740	1124	cmd.exe	36
PID 1124 wrote to memory of 1740	1124	cmd.exe	36
PID 1124 wrote to memory of 1740	1124	cmd.exe	36
PID 1124 wrote to memory of 568	1124	cmd.exe	37
PID 1124 wrote to memory of 568	1124	cmd.exe	37
PID 1124 wrote to memory of 568	1124	cmd.exe	37
PID 1124 wrote to memory of 568	1124	cmd.exe	37
PID 1124 wrote to memory of 596	1124	cmd.exe	38
PID 1124 wrote to memory of 596	1124	cmd.exe	38
PID 1124 wrote to memory of 596	1124	cmd.exe	38
PID 1124 wrote to memory of 596	1124	cmd.exe	38
PID 1124 wrote to memory of 580	1124	cmd.exe	39
PID 1124 wrote to memory of 580	1124	cmd.exe	39
PID 1124 wrote to memory of 580	1124	cmd.exe	39
PID 1124 wrote to memory of 580	1124	cmd.exe	39
PID 1124 wrote to memory of 1044	1124	cmd.exe	40
PID 1124 wrote to memory of 1044	1124	cmd.exe	40
PID 1124 wrote to memory of 1044	1124	cmd.exe	40
PID 1124 wrote to memory of 1044	1124	cmd.exe	40
PID 1124 wrote to memory of 1072	1124	cmd.exe	41
PID 1124 wrote to memory of 1072	1124	cmd.exe	41
PID 1124 wrote to memory of 1072	1124	cmd.exe	41
PID 1124 wrote to memory of 1072	1124	cmd.exe	41
PID 1124 wrote to memory of 2020	1124	cmd.exe	42
PID 1124 wrote to memory of 2020	1124	cmd.exe	42
PID 1124 wrote to memory of 2020	1124	cmd.exe	42
PID 1124 wrote to memory of 2020	1124	cmd.exe	42
PID 1124 wrote to memory of 432	1124	cmd.exe	43
PID 1124 wrote to memory of 432	1124	cmd.exe	43
PID 1124 wrote to memory of 432	1124	cmd.exe	43
PID 1124 wrote to memory of 432	1124	cmd.exe	43
PID 1124 wrote to memory of 1112	1124	cmd.exe	44

Views/modifies file attributes 1 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1564	attrib.exe
1740	attrib.exe
1916	attrib.exe
1460	attrib.exe
1140	attrib.exe
1012	attrib.exe
1088	attrib.exe
1032	attrib.exe
268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe
"C:\Users\Admin\AppData\Local\Temp\99c9c2a2130e830ec938e0a9feeb7f0423ad948ae6cfc8c813c3ea00ebc4844f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\ctb.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\WINDOWS\system32\hao.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\*.lnk" /p everyone:f
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:596
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\*.url" /p everyone:f
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Documents and Settings\All Users\╫└├µ\*.lnk" /p everyone:f
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Documents and Settings\All Users\╫└├µ\*.url" /p everyone:f
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" /p everyone:f
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.url" /p everyone:f
      4⤵
      PID:240
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.7802.com/index1.html
      4⤵
      PID:1580
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.7802.com/index1.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:768
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://fzlsisi.com/fenlei.htm
      4⤵
      PID:980
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://fzlsisi.com/fenlei.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1128
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1128 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1460
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\═°╓╖╓«╝╥.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\├Γ╖╤╡τ╙░.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╠╘▒ª╣║╬∩.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" /p everyone:R
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:672
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk" /p everyone:R
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk" /p everyone:R
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\├Γ╖╤╡τ╙░.lnk" /p everyone:R
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" /p everyone:R
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" /p everyone:R
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\Internet Expleror.lnk" /p everyone:R
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" /p everyone:R
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" /p everyone:R
      4⤵
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TmpInf.inf

Filesize
58B

MD5
ef482bb78b8fff6cf20ec2ff9a677a93

SHA1
7613c5c62b89e63dc686c0f4007c4a77a4a77335

SHA256
7fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d

SHA512
b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d64a78344a12e489c5f030320b72c7cf

SHA1
afd02bcc775b12806005a6912816440f2553e00c

SHA256
76b34e0d309bae879be51830ec36ac67360cc3a682d784a84a1d71836f7190db

SHA512
9b182eb3ab64f42af0bdb3c371df02356463835c513e0dce06190c4000624955e5010adaf088c3cd4f84d038251842f9a73278ea42e69d4b9c3a3527c6285901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5269BE61-748A-11ED-B390-DA7E66F9F45D}.dat

Filesize
3KB

MD5
e588dca8fc4a4c33e1978db8e93c02a7

SHA1
3cddaf12f3a5b4cc602f45b01b0367d4c6e9301d

SHA256
78d045ed665d687d235f2d1f0036a1e1a08277335423f01a4b0b43bfc9498beb

SHA512
94de876fb5a2a9cb174c56c19a9c3a02c61c595ae9ca56e2c3adcc348e37200e3a7fdce6bbf72d53681ac1f25d2f46e0b33cf6b670956f17829a4c5306df1377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{527806A1-748A-11ED-B390-DA7E66F9F45D}.dat

Filesize
3KB

MD5
42cd180c6ffab3a9ef62d67e1249a33a

SHA1
a43cafb3d024bf8b8c67b6f5e3dfc450a71278b9

SHA256
1e1624d06eaafdf413d14847aa280717e07156549897d0fcccc66ca693ceeb41

SHA512
135662845170f4dad003ec51d470c056b301e73915c17f08f00e2939716e1651d1181e21e2b3ceb0503829ca4f65033515435fd51e91b42760aafad1d026c054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X3GUFX17.txt

Filesize
608B

MD5
d748018c958120af72ff8a1f2d02fcbf

SHA1
a1ac8a5cf0d1d3ad5c225354073cfc3c2bebd931

SHA256
d4cc131e8059825468e0e7235017aa18cf621ba0fd78264a83c3a2bbc292d5d7

SHA512
dc7448a729a537f6cdf8f70edeece95de9fd63999499af312d31b86d0fe713b0abcce9bb2670b3943ded6600dcc0be98e3325307bd4d02f129420c9e48f5dc36

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk

Filesize
800B

MD5
a3ab5b82d1e6714262bc167f130045c5

SHA1
94998582d6029b0539b26dcecd2b1050dfcc9d12

SHA256
5a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17

SHA512
1c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk

Filesize
1KB

MD5
91cc4989f6d5a642533dfb150f97dadc

SHA1
61bb275bc5645e131145e4ff57c8175f9669e03c

SHA256
84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821

SHA512
d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

Download Submit
C:\WINDOWS\SysWOW64\hao.bat

Filesize
5KB

MD5
64e9d4f8cd396c5b7dd0084d6c0619c5

SHA1
0a6e405b7d0092b1bd671c973980f8bb482201ce

SHA256
5302208aa85b805180cf7becb7d180f1d5729bcee241b543904be3e3eb2c0189

SHA512
e57c797e75baf5b387f92dbc5d46e92bd9d0709ea2aa5b70537b67006244ab56446b717b013a05cdf48d19d39150fac7003ab1f76e2c59458f451e352598fe3e

Download Submit
C:\Windows\SysWOW64\Inonet.lnk

Filesize
800B

MD5
a3ab5b82d1e6714262bc167f130045c5

SHA1
94998582d6029b0539b26dcecd2b1050dfcc9d12

SHA256
5a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17

SHA512
1c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28

Download Submit
C:\Windows\SysWOW64\ctb.vbs

Filesize
2KB

MD5
1ea9a74910e8916e5009aa50da3cf7ea

SHA1
0953ae0f63d2c65343a7fdade9a767c70b32ffd7

SHA256
97c76777fdbe48fb0ad555fa26c7f82fceec059b3f7605c14bc23573fd012f35

SHA512
0290082a7dfd1beed055be1e46c667d5ddb1311c2feb8139dd686dd38d5eb6025b673988613918f7c8eeb73d37439bcf7407911e6d9a13a42fa91239ae8a150b

Download Submit
C:\Windows\SysWOW64\hao.lnk

Filesize
949B

MD5
18a02e96e6f8060796b4d5f3772c9e9b

SHA1
8bbcefd7ef25b865bf94461c42f553154bb4698f

SHA256
864c6e35c52d56146166a8a9bdadb011b04198cc179b6b1902f9f05ae8ab8a26

SHA512
4697774150a929dac6c34e1cde3ef9a6f1ee6711c1e16b068768dfdd03b21664377cd6f54ff7f8b8c92e9379b9bb3817c354c1ab061c64ffe49b76ecd606ccef

Download Submit
C:\Windows\SysWOW64\ku.lnk

Filesize
945B

MD5
a8e22b6219720d3fab60fc8b96f8c24f

SHA1
c1892837d5ccd6dcb3bd4f45aa353b430313a86a

SHA256
ca149ca1e50c55155c410e0609b8cea09442dc153d33c9d1682eaa8519d1e89b

SHA512
d96706fa4883962d35c7cd89234940fb10304eba14746454f85c09b3233d7ba71ad462ac4c4333a50eed2ebc6d29c12076d3d0b4f74656fca0d27f01a8f164d1

Download Submit
C:\Windows\SysWOW64\yx.lnk

Filesize
1KB

MD5
91cc4989f6d5a642533dfb150f97dadc

SHA1
61bb275bc5645e131145e4ff57c8175f9669e03c

SHA256
84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821

SHA512
d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

Download Submit
C:\Windows\SysWOW64\zq.lnk

Filesize
1KB

MD5
586858afd4ab25de0f002a9f046f1b66

SHA1
8b713dcaf0818194efa47e821c75f07a2abc406b

SHA256
49a14034c6e670acf765ac34a6066b5c92d7dd841848d8a9ac430f00f58609bd

SHA512
0f13c8ba1f1f8863c2e04a0c1d5aa0688bbf985def8bcdbd154b9cc5ef9e9653b9fdea332726d28cc505ddf72d45c326cc8fa5c683f9087b54055252059a0414

Download Submit
memory/1844-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads