84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
Size

102KB
MD5

fcc17fd2ecbba38f847b3443c326111b
SHA1

9c690a7043757c10841c9542cf5fd1037038b07d
SHA256

84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43
SHA512

d03038882061cdb162e672bb87b8ee800b269a98b1e59c5d53533dde400eacc4f486709d3aac4391e5bcfd0f963aeb462f30779b316ac8d384a85c383b06b8f4
SSDEEP

1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZ/D99/4p0N8f:FYP2XerzhOUxu/XUtauF8iJkZ/34pj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinsWare\Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\Internet Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\淘宝-购物.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\36OSE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\tb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\36O安全浏岚器3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\36O安全浏岚器 3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File opened for modification	C:\Program Files\WinsWare\fav.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File opened for modification	C:\Program Files\WinsWare	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\Internet Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\iedw.ico	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\iedw.ico	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\360SE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\tb.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\Exploror.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\3.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\tb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\tbb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\36O安全浏岚器 3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\淘宝-购物.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\36OSE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\360SE.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\__tmp_rar_sfx_access_check_240567312	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File opened for modification	C:\Program Files\WinsWare\3.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\fav.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\tbb.cmd	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\tb.vbs	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
File created	C:\Program Files\WinsWare\36O安全浏岚器3.lnk	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "╠╘▒ª-╣║╬∩"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iedw.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ = "╠╘▒ª-╣║╬∩(&H)"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://go.447.cc/go/taobao.htm"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4868	3404	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	81
PID 3404 wrote to memory of 4868	3404	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	81
PID 3404 wrote to memory of 4868	3404	84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe	81
PID 4868 wrote to memory of 4008	4868	WScript.exe	82
PID 4868 wrote to memory of 4008	4868	WScript.exe	82
PID 4868 wrote to memory of 4008	4868	WScript.exe	82
PID 4008 wrote to memory of 4336	4008	cmd.exe	84
PID 4008 wrote to memory of 4336	4008	cmd.exe	84
PID 4008 wrote to memory of 4336	4008	cmd.exe	84
PID 4008 wrote to memory of 1340	4008	cmd.exe	85
PID 4008 wrote to memory of 1340	4008	cmd.exe	85
PID 4008 wrote to memory of 1340	4008	cmd.exe	85
PID 4008 wrote to memory of 4728	4008	cmd.exe	86
PID 4008 wrote to memory of 4728	4008	cmd.exe	86
PID 4008 wrote to memory of 4728	4008	cmd.exe	86
PID 4008 wrote to memory of 1276	4008	cmd.exe	87
PID 4008 wrote to memory of 1276	4008	cmd.exe	87
PID 4008 wrote to memory of 1276	4008	cmd.exe	87
PID 4008 wrote to memory of 1396	4008	cmd.exe	88
PID 4008 wrote to memory of 1396	4008	cmd.exe	88
PID 4008 wrote to memory of 1396	4008	cmd.exe	88
PID 4008 wrote to memory of 4888	4008	cmd.exe	89
PID 4008 wrote to memory of 4888	4008	cmd.exe	89
PID 4008 wrote to memory of 4888	4008	cmd.exe	89
PID 4008 wrote to memory of 3128	4008	cmd.exe	90
PID 4008 wrote to memory of 3128	4008	cmd.exe	90
PID 4008 wrote to memory of 3128	4008	cmd.exe	90
PID 4008 wrote to memory of 3532	4008	cmd.exe	91
PID 4008 wrote to memory of 3532	4008	cmd.exe	91
PID 4008 wrote to memory of 3532	4008	cmd.exe	91
PID 4008 wrote to memory of 3740	4008	cmd.exe	92
PID 4008 wrote to memory of 3740	4008	cmd.exe	92
PID 4008 wrote to memory of 3740	4008	cmd.exe	92
PID 4008 wrote to memory of 3804	4008	cmd.exe	93
PID 4008 wrote to memory of 3804	4008	cmd.exe	93
PID 4008 wrote to memory of 3804	4008	cmd.exe	93
PID 4008 wrote to memory of 3676	4008	cmd.exe	94
PID 4008 wrote to memory of 3676	4008	cmd.exe	94
PID 4008 wrote to memory of 3676	4008	cmd.exe	94
PID 4008 wrote to memory of 3264	4008	cmd.exe	95
PID 4008 wrote to memory of 3264	4008	cmd.exe	95
PID 4008 wrote to memory of 3264	4008	cmd.exe	95
PID 4008 wrote to memory of 3784	4008	cmd.exe	96
PID 4008 wrote to memory of 3784	4008	cmd.exe	96
PID 4008 wrote to memory of 3784	4008	cmd.exe	96
PID 4008 wrote to memory of 5020	4008	cmd.exe	97
PID 4008 wrote to memory of 5020	4008	cmd.exe	97
PID 4008 wrote to memory of 5020	4008	cmd.exe	97
PID 4008 wrote to memory of 2788	4008	cmd.exe	98
PID 4008 wrote to memory of 2788	4008	cmd.exe	98
PID 4008 wrote to memory of 2788	4008	cmd.exe	98
PID 4008 wrote to memory of 2816	4008	cmd.exe	99
PID 4008 wrote to memory of 2816	4008	cmd.exe	99
PID 4008 wrote to memory of 2816	4008	cmd.exe	99
PID 4008 wrote to memory of 1020	4008	cmd.exe	100
PID 4008 wrote to memory of 1020	4008	cmd.exe	100
PID 4008 wrote to memory of 1020	4008	cmd.exe	100
PID 4008 wrote to memory of 3316	4008	cmd.exe	101
PID 4008 wrote to memory of 3316	4008	cmd.exe	101
PID 4008 wrote to memory of 3316	4008	cmd.exe	101
PID 4008 wrote to memory of 1144	4008	cmd.exe	102
PID 4008 wrote to memory of 1144	4008	cmd.exe	102
PID 4008 wrote to memory of 1144	4008	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe
"C:\Users\Admin\AppData\Local\Temp\84f509602d70d9d02ecd0cb7544008cea27d04f707227e2466baab28eae20e43.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinsWare\tb.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tbb.cmd
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      Modifies registry class
      PID:4336
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
      4⤵
      Modifies registry class
      PID:1340
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
      4⤵
      Modifies registry class
      PID:4728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
      4⤵
      Modifies registry class
      PID:1396
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
      4⤵
      Modifies registry class
      PID:4888
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:3128
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:3532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
      4⤵
      Modifies registry class
      PID:3740
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
      4⤵
      Modifies registry class
      PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
      4⤵
      Modifies registry class
      PID:3676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:3264
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
      4⤵
      Modifies registry class
      PID:3784
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://go.447.cc/go/taobao.htm" /f
      4⤵
      Modifies registry class
      PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
      4⤵
      Modifies registry class
      PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1020
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:3316
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinsWare\iedw.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\Program Files\WinsWare\tb.vbs

Filesize
124B

MD5
e9c53f1488e4fb1a968ebcc98b5316fd

SHA1
a64db33b0c174e0ccb6fd032e9059fcacb4756d2

SHA256
1648c616c3f62a7800eb3ba0903b8b39081b12ba854d466fa04a60fda5cdcfce

SHA512
f491771dbb5293571703c1aa4f65292e20d326e5bf665483cb1b5171734aa72a2a25ba2e7fa1e5259a9136f19f7acf247a2fcdf4fdd85ce291091d9bf4eeb282

Download Submit
C:\Program Files\WinsWare\tbb.cmd

Filesize
2KB

MD5
b30c3171101a51ccd2a3aec48d2d9e0d

SHA1
19cecbc30f409cfbedf3445ceeb644e6e2a7b064

SHA256
780ddd6ccc9c102f64f1daa80c9fc7ee8646487a03a577450f71ac9950cd1fa6

SHA512
b13d4a8cf13af870618c699f78df731478adfd66480f1c09b0f00df3352bebc419c4d56394dae3ad7833e889688571f048162ef6ca90be18aca123e20754becb

Download Submit