84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43

Analysis

max time kernel
32s
max time network
40s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
Size

102KB
MD5

fcc17fd2ecbba38f847b3443c326111b
SHA1

9c690a7043757c10841c9542cf5fd1037038b07d
SHA256

84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43
SHA512

d03038882061cdb162e672bb87b8ee800b269a98b1e59c5d53533dde400eacc4f486709d3aac4391e5bcfd0f963aeb462f30779b316ac8d384a85c383b06b8f4
SSDEEP

1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZ/D99/4p0N8f:FYP2XerzhOUxu/XUtauF8iJkZ/34pj

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinsWare\36O安全浏岚器3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\36O安全浏岚器 3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\iedw.ico	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File created	C:\Program Files\WinsWare\tb.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\tbb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\tbb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\36OSE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\__tmp_rar_sfx_access_check_7099402	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\36OSE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\3.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\tb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\36O安全浏岚器3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\iedw.ico	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\淘宝-购物.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\tb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\tb.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\36O安全浏岚器 3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\淘宝-购物.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\360SE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File opened for modification	C:\Program Files\WinsWare\fav.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\fav.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\Internet Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\Internet Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\360SE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\3.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iedw.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "╠╘▒ª-╣║╬∩"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ = "╠╘▒ª-╣║╬∩(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://go.447.cc/go/taobao.htm"	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 1488 wrote to memory of 2040	1488	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	27
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 2040 wrote to memory of 1196	2040	WScript.exe	28
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1456	1196	cmd.exe	30
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1328	1196	cmd.exe	31
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 1580	1196	cmd.exe	32
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 784	1196	cmd.exe	33
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 1700	1196	cmd.exe	34
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 840	1196	cmd.exe	35
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 904	1196	cmd.exe	36
PID 1196 wrote to memory of 1016	1196	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
"C:\Users\Admin\AppData\Local\Temp\84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinsWare\tb.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tbb.cmd
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      Modifies registry class
      PID:1456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
      4⤵
      Modifies registry class
      PID:1328
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
      4⤵
      Modifies registry class
      PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:784
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
      4⤵
      Modifies registry class
      PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
      4⤵
      Modifies registry class
      PID:840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:904
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:1016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
      4⤵
      Modifies registry class
      PID:824
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
      4⤵
      Modifies registry class
      PID:1628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
      4⤵
      Modifies registry class
      PID:1760
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:1776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
      4⤵
      Modifies registry class
      PID:704
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://go.447.cc/go/taobao.htm" /f
      4⤵
      Modifies registry class
      PID:1612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
      4⤵
      Modifies registry class
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinsWare\iedw.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\Program Files\WinsWare\tb.vbs

Filesize
124B

MD5
e9c53f1488e4fb1a968ebcc98b5316fd

SHA1
a64db33b0c174e0ccb6fd032e9059fcacb4756d2

SHA256
1648c616c3f62a7800eb3ba0903b8b39081b12ba854d466fa04a60fda5cdcfce

SHA512
f491771dbb5293571703c1aa4f65292e20d326e5bf665483cb1b5171734aa72a2a25ba2e7fa1e5259a9136f19f7acf247a2fcdf4fdd85ce291091d9bf4eeb282

Download Submit
C:\Program Files\WinsWare\tbb.cmd

Filesize
2KB

MD5
b30c3171101a51ccd2a3aec48d2d9e0d

SHA1
19cecbc30f409cfbedf3445ceeb644e6e2a7b064

SHA256
780ddd6ccc9c102f64f1daa80c9fc7ee8646487a03a577450f71ac9950cd1fa6

SHA512
b13d4a8cf13af870618c699f78df731478adfd66480f1c09b0f00df3352bebc419c4d56394dae3ad7833e889688571f048162ef6ca90be18aca123e20754becb

Download Submit
memory/1488-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download