13f84881b5d8c5cde33a4d73a5e348534aa2b03583e96b140488080bad5f7d7a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c2832548779cc63710886b102d4640.exe
Size

101KB
MD5

05c2832548779cc63710886b102d4640
SHA1

4a1a60af539c38b4859275dcdbe0b9b03d3c786c
SHA256

13f84881b5d8c5cde33a4d73a5e348534aa2b03583e96b140488080bad5f7d7a
SHA512

25fbcb6b994f521defca3b71de9a6f3b0789c492f4fb4a07d5af1693ac34f5e0e4ec2ab334bef0d9238347c2c8f24f11cf6502c43f01d6969465b0362ea21c9c
SSDEEP

1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZVa/4p0ND3Y:FYP2XerzhOUxu/XUtauF8iJkZ84pao

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\WindWare\tbb.cmd	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File created	C:\Program Files\WindWare\__tmp_rar_sfx_access_check_259397760	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\36OSE.vbs	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\36O安全刘览器3.lnk	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\tb.cmd	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\3.cmd	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\36O安全刘览器 3.lnk	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\360SE.vbs	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\Internet Exploror.lnk	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\36OSE.vbs	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\36O安全刘览器3.lnk	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\360SE.vbs	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\Internet Exploror.lnk	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\淘宝-购物.lnk	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\3.cmd	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File created	C:\Program Files\WindWare\36O安全刘览器 3.lnk	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\tb.cmd	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\tb.vbs	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\tbb.cmd	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\淘宝-购物.lnk	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\iedw.ico	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare\iedw.ico	05c2832548779cc63710886b102d4640.exe
File created	C:\Program Files\WindWare\tb.vbs	05c2832548779cc63710886b102d4640.exe
File opened for modification	C:\Program Files\WindWare	05c2832548779cc63710886b102d4640.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "╠╘▒ª-╣║╬∩"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iedw.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.9281.net/go/taobao.htm"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ = "╠╘▒ª-╣║╬∩(&H)"	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2184 wrote to memory of 2816	2184	05c2832548779cc63710886b102d4640.exe	41
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2816 wrote to memory of 2872	2816	WScript.exe	40
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2844	2872	cmd.exe	39
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2388	2872	cmd.exe	21
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2740	2872	cmd.exe	38
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2588	2872	cmd.exe	37
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2360	2872	cmd.exe	36
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2728	2872	cmd.exe	22
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2824	2872	cmd.exe	35
PID 2872 wrote to memory of 2732	2872	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\05c2832548779cc63710886b102d4640.exe
"C:\Users\Admin\AppData\Local\Temp\05c2832548779cc63710886b102d4640.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WindWare\tb.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
1⤵
- Modifies registry class
PID:2388

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
1⤵
- Modifies registry class
PID:2728

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
1⤵
- Modifies registry class
PID:1684

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
1⤵
- Modifies registry class
PID:3000

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
1⤵
- Modifies registry class
PID:2616

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
1⤵
- Modifies registry class
PID:2640

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
1⤵
- Modifies registry class
PID:2628

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.9281.net/go/taobao.htm" /f
1⤵
- Modifies registry class
PID:2596

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
1⤵
- Modifies registry class
PID:2580

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
1⤵
- Modifies registry class
PID:2560

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
1⤵
- Modifies registry class
PID:2564

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
1⤵
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
1⤵
- Modifies registry class
PID:2676

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
1⤵
- Modifies registry class
PID:2732

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
1⤵
- Modifies registry class
PID:2824

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
1⤵
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
1⤵
- Modifies registry class
PID:2588

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
1⤵
- Modifies registry class
PID:2740

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
1⤵
- Modifies registry class
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\tbb.cmd
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindWare\iedw.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\Program Files\WindWare\tb.vbs

Filesize
127B

MD5
9c06bf76c6711c2366c8895393cc54e1

SHA1
ed3ec44e280dd5840a022e2a878e9d6a0cc2f87a

SHA256
e775e69f73ec09a0024b6f3efd309090cd9ff149fc3bc8a9d0e6faf17e53615d

SHA512
6e8d2a6f403f8c56a242611e3e1c18ae53a80612a58207510f3cc204572243637a3de758e27af213a37ccf6b7dc69c611215c5fb0de0f4f2bcd41fef06ecaf10

Download Submit
C:\Program Files\WindWare\tbb.cmd

Filesize
2KB

MD5
2cf45d3fd1abea440d5c3b6bba482e2f

SHA1
28794d41bf5be9710047f70e4ef4663bab63a97c

SHA256
799d3d37249f8254406e120964f6abbd6a7040c46344d60213d1a58050d8f345

SHA512
38af05a303f425324a575ddf94c9f85cf21ef61155b8b9b4eb900636639c3ac4df669cc9490c862f44383d67500b6e569541edf0981790b3588e85c9aa42d1c8

Download Submit