Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 04/03/2024, 14:15
Static task: static1
Behavioral task: behavioral1
  Sample: b255d021f8154ff50c4d660af3d2add2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b255d021f8154ff50c4d660af3d2add2.exe
  Resource: win10v2004-20240226-en
General
  Target: b255d021f8154ff50c4d660af3d2add2.exe
  Size: 57KB
  MD5: b255d021f8154ff50c4d660af3d2add2
  SHA1: 95bd59977f59169796085fee6ee8ce16a88f0dc1
  SHA256: d765fe9a2d98bf50348be276eb608aefc9fefd360c98550569b874cf4f7846b7
  SHA512: 6ae65532414baf189f15e90effc2ce340df3d68e4bedb5185a71ffe647b680bb00abf3c22d8dae999d33c912ec32c6d4dcbed97e0f9f392f4ac7c9a49283b01c
  SSDEEP: 1536:y16Gj+WVFGsh8p8Txzn2yh/ofBFt5CBKma:kpjdFGE1n16OLa
Malware Config
Signatures
(Each signature lists its matching indicators; the process that produced each indicator is given in parentheses.)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  PID 2988 attrib.exe
  PID 2568 attrib.exe

Deletes itself (1 IoC)
  PID 3008 cmd.exe

Executes dropped EXE (1 IoC)
  PID 1576 inlEBC8.tmp

Loads dropped DLL (2 IoCs)
  PID 2032 b255d021f8154ff50c4d660af3d2add2.exe
  PID 2032 b255d021f8154ff50c4d660af3d2add2.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" (rundll32.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" (rundll32.exe)

Drops file in Program Files directory (2 IoCs)
  File created C:\PROGRA~1\INTERN~1\ieframe.dll (cmd.exe)
  File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll (cmd.exe)

Drops file in Windows directory (2 IoCs)
  File opened for modification C:\Windows\INF\setupapi.app.log (rundll32.exe)
  File opened for modification C:\Windows\INF\setupapi.app.log (rundll32.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (runonce.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (runonce.exe)

Modifies Internet Explorer settings
In the list below, IE\ stands for \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ ; the one HKLM entry is written out in full.
  Key created IE\LowRegistry\DOMStorage (iexplore.exe)
  Key created IE\Zoom (iexplore.exe)
  Set value (data) IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Key created IE\DOMStorage\cnkankan.com (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\Total\ = "63" (IEXPLORE.EXE)
  Key created IE\BrowserEmulation\LowMic (iexplore.exe)
  Key created IE\PageSetup (iexplore.exe)
  Key created IE\Toolbar (iexplore.exe)
  Key created IE\Main (iexplore.exe)
  Key created IE\IntelliForms (iexplore.exe)
  Key created IE\Main\WindowsSearch (iexplore.exe)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Key created IE\Recovery\AdminActive (iexplore.exe)
  Set value (int) IE\International\CpMRU\InitHits = "100" (IEXPLORE.EXE)
  Key created IE\DOMStorage\www.cnkankan.com (IEXPLORE.EXE)
  Key created IE\SearchScopes (iexplore.exe)
  Key created IE\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Set value (int) IE\Main\CompatibilityFlags = "0" (iexplore.exe)
  Set value (int) IE\Recovery\AdminActive\{AE446291-DA31-11EE-BF06-56D57A935C49} = "0" (iexplore.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main (reg.exe)
  Key created IE\Main (reg.exe)
  Key created IE\International\CpMRU (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\cnkankan.com\Total = "63" (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\www.cnkankan.com\ = "126" (IEXPLORE.EXE)
  Key created IE\IETld\LowMic (iexplore.exe)
  Key created IE\Toolbar\WebBrowser (iexplore.exe)
  Key created IE\Main (IEXPLORE.EXE)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Set value (int) IE\International\CpMRU\Factor = "20" (IEXPLORE.EXE)
  Key created IE\DOMStorage\Total (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\Total\ = "126" (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\cnkankan.com\Total = "126" (IEXPLORE.EXE)
  Key created IE\DomainSuggestion (iexplore.exe)
  Key created IE\Main\WindowsSearch (IEXPLORE.EXE)
  Key created IE\LowRegistry (iexplore.exe)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (str) IE\Main\FullScreen = "no" (iexplore.exe)
  Key created IE\Recovery\PendingRecovery (iexplore.exe)
  Set value (int) IE\International\CpMRU\Size = "10" (IEXPLORE.EXE)
  Set value (int) IE\DOMStorage\www.cnkankan.com\ = "63" (IEXPLORE.EXE)
  Set value (int) IE\DomainSuggestion\NextUpdateDate = "415723610" (iexplore.exe)
  Key created IE\GPU (iexplore.exe)
  Key created IE\InternetRegistry (iexplore.exe)
  Set value (int) IE\International\CpMRU\Enable = "1" (IEXPLORE.EXE)
  Key created IE\DOMStorage (IEXPLORE.EXE)
  Set value (int) IE\SearchScopes\DownloadRetries = "2" (iexplore.exe)

Modifies Internet Explorer start page (1 TTP, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.71628.com/?i" (reg.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i" (reg.exe)

Modifies registry class (9 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell (reg.exe)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeRestorePrivilege, PID 1712 rundll32.exe (7 times)
  Token: SeIncBasePriorityPrivilege, PID 2032 b255d021f8154ff50c4d660af3d2add2.exe
  Token: SeRestorePrivilege, PID 2732 rundll32.exe (7 times)
  Token: SeIncBasePriorityPrivilege, PID 1576 inlEBC8.tmp

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2792 iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2792 iexplore.exe (2 times)
  PID 2316 IEXPLORE.EXE (4 times)

Suspicious use of WriteProcessMemory (64 IoCs)
Each row reads "writer PID -> target PID (writer image, procid_target)"; identical repeated entries are folded with their count.
  2032 -> 2432 (b255d021f8154ff50c4d660af3d2add2.exe, 31), 4 times
  2432 -> 2440 (cmd.exe, 33), 4 times
  2440 -> 2792 (cmd.exe, 35), 4 times
  2440 -> 1712 (cmd.exe, 36), 7 times
  2440 -> 2300 (cmd.exe, 37), 4 times
  2792 -> 2316 (iexplore.exe, 40), 4 times
  2300 -> 1984 (cmd.exe, 41), 4 times
  2300 -> 1700 (cmd.exe, 42), 4 times
  2032 -> 1576 (b255d021f8154ff50c4d660af3d2add2.exe, 43), 4 times
  2300 -> 2620 (cmd.exe, 44), 4 times
  2300 -> 2240 (cmd.exe, 45), 4 times
  2032 -> 3008 (b255d021f8154ff50c4d660af3d2add2.exe, 46), 4 times
  2300 -> 2072 (cmd.exe, 47), 4 times
  2300 -> 2988 (cmd.exe, 49), 4 times
  2300 -> 2568 (cmd.exe, 50), 4 times
  2300 -> 2732 (cmd.exe, 51), 1 time

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2988 attrib.exe
  PID 2568 attrib.exe
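Two caveats on reading the signatures above. First, the "Checks processor information in registry" hits come from runonce.exe, a Windows binary that the INF install spawned, not from the sample, so the sandbox-evasion description attached to that signature does not apply here; likewise the GrpConv RunOnce value ("grpconv -o") and the runonce.exe -r / grpconv.exe -o children are standard side effects of a DefaultInstall INF install rather than payload. Second, every pair in the "Suspicious use of WriteProcessMemory" list coincides with a parent/child edge in the Processes section, which is what CreateProcess produces (the parent writes the new process's startup data into it), not injection into an unrelated process. The pairs can therefore be turned back into a process tree. The script below is an added example, not part of the tria.ge report: it parses lines in the report's raw "PID X wrote to memory of Y ..." format, folds the repeated writes per pair into a count and rebuilds the lineage. INPUT is a hand-picked excerpt of those lines (the full list is longer), and KNOWN_NAMES supplies image names for PIDs that only ever appear as targets, copied from the Processes section.

```python
"""Rebuild process lineage from tria.ge 'wrote to memory of' IoC lines.

Added example; not part of the report. Each IoC line reads
    PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
and the same pair is logged once per write, so edges are folded with a count.
"""
import re
from collections import Counter, defaultdict

# Excerpt of the report's WriteProcessMemory IoCs (raw line format, repeats kept).
INPUT = """\
PID 2032 wrote to memory of 2432 2032 b255d021f8154ff50c4d660af3d2add2.exe 31
PID 2032 wrote to memory of 2432 2032 b255d021f8154ff50c4d660af3d2add2.exe 31
PID 2432 wrote to memory of 2440 2432 cmd.exe 33
PID 2440 wrote to memory of 2792 2440 cmd.exe 35
PID 2440 wrote to memory of 1712 2440 cmd.exe 36
PID 2440 wrote to memory of 1712 2440 cmd.exe 36
PID 2440 wrote to memory of 1712 2440 cmd.exe 36
PID 2440 wrote to memory of 2300 2440 cmd.exe 37
PID 2792 wrote to memory of 2316 2792 iexplore.exe 40
PID 2300 wrote to memory of 1984 2300 cmd.exe 41
PID 2032 wrote to memory of 1576 2032 b255d021f8154ff50c4d660af3d2add2.exe 43
PID 2300 wrote to memory of 2732 2300 cmd.exe 51
PID 2032 wrote to memory of 3008 2032 b255d021f8154ff50c4d660af3d2add2.exe 46
"""

# Image names for PIDs that never act as a writer (taken from the Processes section).
KNOWN_NAMES = {1712: "rundll32.exe", 2316: "IEXPLORE.EXE", 1984: "reg.exe",
               1576: "inlEBC8.tmp", 2732: "rundll32.exe", 3008: "cmd.exe"}

LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_edges(text):
    """Return (Counter{(writer, target): writes}, {writer pid: image name})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:                       # skip anything that is not an IoC line
            writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
            edges[(writer, target)] += 1
            names[writer] = image
    return edges, names


def build_tree(edges):
    """children[pid] in first-seen order; roots are writers that are never a target."""
    children, parent = defaultdict(list), {}
    for writer, target in edges:    # Counter preserves insertion order
        children[writer].append(target)
        parent[target] = writer
    roots = [w for w in dict.fromkeys(w for w, _ in edges) if w not in parent]
    return children, roots


def render(edges, names, children, roots):
    """Indented tree lines, one per process, with the fold count on each edge."""
    lines = []

    def walk(pid, depth, parent=None):
        count = f" (x{edges[(parent, pid)]} writes)" if parent is not None else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}{count}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0)
    return lines


def lineage(text, known=KNOWN_NAMES):
    """Parse, fold and render in one call; returns the list of tree lines."""
    edges, names = parse_edges(text)
    children, roots = build_tree(edges)
    return render(edges, {**known, **names}, children, roots)


if __name__ == "__main__":
    print("\n".join(lineage(INPUT)))
```

Run against the full list the output reproduces the Processes section up to rundll32.exe (PID 2732); the 2732 -> 1684 -> 1600 and 1576 -> 2616 edges are absent from the folded list because the signature is capped at 64 indicators.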
Processes
(Indentation and the [n] marker give the depth in the tree; each entry shows the image path, the exact command line, the PID and the signatures that matched that process.)

[1] C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe
    command: "C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"
    PID 2032 | Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "
        PID 2432 | Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
            PID 2440 | Suspicious use of WriteProcessMemory

            [4] C:\PROGRA~1\INTERN~1\iexplore.exe
                command: C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
                PID 2792 | Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

                [5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
                    PID 2316 | Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

            [4] C:\Windows\SysWOW64\rundll32.exe
                command: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
                PID 1712 | Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\cmd.exe
                command: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
                PID 2300 | Drops file in Program Files directory; Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    command: reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
                    PID 1984 | Modifies Internet Explorer settings; Modifies Internet Explorer start page

                [5] C:\Windows\SysWOW64\reg.exe
                    command: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
                    PID 1700 | Modifies Internet Explorer settings; Modifies Internet Explorer start page

                [5] C:\Windows\SysWOW64\reg.exe
                    command: reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
                    PID 2620

                [5] C:\Windows\SysWOW64\reg.exe
                    command: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                    PID 2240 | Modifies registry class

                [5] C:\Windows\SysWOW64\reg.exe
                    command: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
                    PID 2072 | Modifies registry class

                [5] C:\Windows\SysWOW64\attrib.exe
                    command: attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                    PID 2988 | Sets file to hidden; Views/modifies file attributes

                [5] C:\Windows\SysWOW64\attrib.exe
                    command: attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
                    PID 2568 | Sets file to hidden; Views/modifies file attributes

                [5] C:\Windows\SysWOW64\rundll32.exe
                    command: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
                    PID 2732 | Adds Run key to start application; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

                    [6] C:\Windows\SysWOW64\runonce.exe
                        command: "C:\Windows\system32\runonce.exe" -r
                        PID 1684 | Checks processor information in registry

                        [7] C:\Windows\SysWOW64\grpconv.exe
                            command: "C:\Windows\System32\grpconv.exe" -o
                            PID 1600

                [5] C:\Windows\SysWOW64\rundll32.exe
                    command: rundll32 D:\VolumeDH\inj.dat,MainLoad
                    PID 816

    [2] C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp
        command: C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp
        PID 1576 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe
            command: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp > nul
            PID 2616

    [2] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul
        PID 3008 | Deletes itself
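What the tree shows, read top to bottom: the dropper runs comeback_197.bat, which hands off to 1.bat; 1.bat opens Internet Explorer on cnkankan.com and installs 1.inf through rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall (a signed-binary INF install that needs no custom loader); 2.bat then sets the IE start page in both HKLM and HKCU, registers CLSID {971C5380-92A0-5A69-B3EE-C3002B33309E} with IsShortCut and an open verb of wscript -e:vbs 3.bat (the -e:vbs switch is meant to force the VBScript engine despite the .bat extension), hides a folder named a.{that CLSID} under %AppData%\PPLive\tmp, and installs 2.inf, which wrote the RunOnce value pointing at that folder. Because Explorer resolves an item whose name ends in .{CLSID} through the class's registered verb, opening the RunOnce target runs the script instead of a plain file. Separately, rundll32 loads D:\VolumeDH\inj.dat,MainLoad (a non-.dll module name), and both the dropper and the dropped inlEBC8.tmp delete their own image via a child cmd /c del; the report's "Deletes itself" signature credits only PID 3008, although PID 2616 is the same pattern.

The script below is an added example, not part of the tria.ge report, that turns those observations into process-creation rules and runs them over Sysmon-style (pid, ppid, image, command line) records transcribed from the tree above. The rule names and the 8.3 short-name matcher are this example's own; the InstallHinfSection and LaunchINFSection alternatives in the INF rule are the setupapi/advpack variants of the same technique and go beyond what this report shows.

```python
"""Process-creation detection rules for the chain in the Processes section.

Added example; not part of the tria.ge report. EVENTS are Sysmon-style
(pid, ppid, image, command line) records transcribed from the tree above.
Rule names and the 8.3 short-name helper are this example's own.
"""
import re
from collections import defaultdict

EVENTS = [
    (2032, 1, r"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"'),
    (1712, 2440, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf"),
    (1984, 2300, r"C:\Windows\SysWOW64\reg.exe",
     r'reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f'),
    (2240, 2300, r"C:\Windows\SysWOW64\reg.exe",
     r'reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f'),
    (2072, 2300, r"C:\Windows\SysWOW64\reg.exe",
     r'reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f'),
    (2988, 2300, r"C:\Windows\SysWOW64\attrib.exe",
     r"attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}"),
    (1684, 2732, r"C:\Windows\SysWOW64\runonce.exe", r'"C:\Windows\system32\runonce.exe" -r'),
    (816, 2300, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32 D:\VolumeDH\inj.dat,MainLoad"),
    (1576, 2032, r"C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp",
     r"C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp"),
    (2616, 1576, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp > nul'),
    (3008, 2032, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul'),
]

INF_INSTALL = re.compile(r"SetupInfObjectInstallAction|InstallHinfSection|LaunchINFSection", re.I)
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+(\S+?),', re.I)   # module before the comma
CLSID_KEY = re.compile(r"HKCR\\CLSID\\\{[0-9A-F-]{36}\}", re.I)
DEL_TARGET = re.compile(r"/c\s+del\s+(\S+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def split_ext(name):
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def matches_83(short, long):
    """True if `short` names the same file as `long`, allowing an 8.3 alias
    (B255D0~1.EXE for b255d021f8154ff50c4d660af3d2add2.exe): the stem prefix
    before the tilde must match and the 3-char extension must agree."""
    s, l = short.upper(), long.upper()
    if s == l:
        return True
    s_stem, s_ext = split_ext(s)
    l_stem, l_ext = split_ext(l)
    if "~" not in s_stem:
        return False
    return l_stem.startswith(s_stem.split("~", 1)[0]) and l_ext[:3] == s_ext


def run_rules(events):
    """Return {pid: [rule names]} for every event that matched at least one rule."""
    by_pid = {e[0]: e for e in events}
    hits = defaultdict(list)
    for pid, ppid, image, cmd in events:
        img, low = basename(image).lower(), cmd.lower()
        if img == "rundll32.exe":
            if INF_INSTALL.search(cmd):                 # INF DefaultInstall via a signed binary
                hits[pid].append("inf_defaultinstall_via_rundll32")
            m = RUNDLL_MODULE.search(cmd)
            ext = split_ext(basename(m.group(1)))[1].lower() if m else ""
            if ext and ext != "dll":                    # e.g. inj.dat,MainLoad
                hits[pid].append("rundll32_non_dll_module")
        elif img == "reg.exe":
            if "internet explorer\\main" in low and "start page" in low:
                hits[pid].append("ie_start_page_hijack")
            if CLSID_KEY.search(cmd) and re.search(r"IsShortCut|\\Shell\\.*Command", cmd, re.I):
                hits[pid].append("clsid_shell_verb_hijack")
        elif img == "attrib.exe":
            if "+h" in low and "appdata" in low:        # hiding artifacts in a user profile
                hits[pid].append("hidden_appdata_artifact")
        elif img == "cmd.exe":
            # self-deletion: the child cmd deletes its parent's own image (8.3 name allowed)
            m, parent = DEL_TARGET.search(cmd), by_pid.get(ppid)
            if m and parent and matches_83(basename(m.group(1)), basename(parent[2])):
                hits[pid].append("self_delete_via_child_cmd")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(run_rules(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The self-delete rule needs the parent's image, which is why the records carry a ppid and why the dropper (PID 2032) and inlEBC8.tmp (PID 1576) are in the list even though they match nothing themselves; runonce.exe is included to show that the INF side effects stay silent.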
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
This is Windows' cache of fetched certificate-chain and revocation data; the metadata file is rewritten on each fetch, so the same path was captured 22 times with different contents. One entry per captured version:

  1. Filesize: 344B
     MD5: 6645bf1edb0371c25c90e83740e146ba
     SHA1: 5c90e7bec1af02e64f35122eabc86ceda2b0595c
     SHA256: a216393154ab39c3579609f991f2939413a406c4a77f8f83e2a094abc5505afa
     SHA512: 8d075a0a69d50c09cc7ad506a3ae5451d07b59ff9e390a1db85136f3df475dce41e2a09d136c49be993841886e52abe77e43cf0cf83c850626ac3abc872d495c

  2. Filesize: 344B
     MD5: 21fef5af96b07b82317c86d6cd3674af
     SHA1: 5e7f01457868a2318580d79d1d6dbcd7dc38df6f
     SHA256: c88aac5afa7d864a842007442d2a123bab88a4227ab91cc01af0ca95cee6ae86
     SHA512: 7956467e7723fff9613b0136707eca5ca991e139ed96a598d646c569e940a81110b7ce4a9862245bb233d891b3251f34ff068212fd592536dabb663668b08752

  3. Filesize: 344B
     MD5: 74432926652fb3e7e85549cf81df6c34
     SHA1: 2b4e4ae4f36f1bbacdbd78593d322f3c10c4a7be
     SHA256: 87796d4e2b32b2500fe6a30ff8eb771d59375634556fe76a1b7f8a5e0a88d1b1
     SHA512: e57442fde44ae1b4db6d440ccbb251b58e9706d9be7bd11aa93939d870da485ecfc9ff264367e1edc4586ea4125b2987eeefd1263a943010c6a0846c14985ab9

  4. Filesize: 344B
     MD5: 8ac97dcdc20518857fa01d968bb18fc7
     SHA1: bfab51d6faa4783c51af34941255af6ff9135947
     SHA256: 30e45dc251a92644e7d5226e846aa5a19bc7ecce241a75e32eb79ed6369c785d
     SHA512: 172d0cf4708f03f5f027359f66b3350f71ba7fa66fde6adbb15035fbf043d1859a1a275cb62877769a965c0798e9dced5ec40bbac5de9dc1a017e7faec14e4e5

  5. Filesize: 344B
     MD5: a375069220005962bf2391db8836c606
     SHA1: 84d80da6039b89c46c236d2156d0ed5ada9743c7
     SHA256: e8968c37f8acaeb0b52dd407be011e8be54976ac399cf07dee66d2009defb2d8
     SHA512: 79bff40d71137d10e0c13c2f5c1a84252a8535d9c741d4a61494dde0c536962a3ddfb12666a03cc794dc5261068dac6d0967ae52f668809aad8b146adc83ec49

  6. Filesize: 344B
     MD5: ce1e5ba29736b76e0039d9d66f17e356
     SHA1: a806b2ce290c46e1a81f1662b32c79c3d3ccad6a
     SHA256: 3088bd08d57341b43983f0c66661510c7ca226ff183d4a7ea6237ce13e4fa2d9
     SHA512: 19466d7fe5653a565f88e8ad4b0e03981de0489ba4f093f6a4af1c6c403d78b76f33a19a3a5e3cd59424d55887c8794d332a71b8a45fd113d82caca30610c75d

  7. Filesize: 344B
     MD5: 513b27644e3ef4098a56b680ffe18b56
     SHA1: ff03c8512f904c4ab9cd8b55c6a5ba8388e2be28
     SHA256: b5184c259285f190153a11fc8873b33afef54cb9b3918446f87a376a085789f1
     SHA512: d8a2d4b208895aa322d0cf59235a1528c163d7e0bd50ced97f10d61521055b5d90762cb42765f35e55900e6e974d1eab828c31de4371d5346b3160b25beb4cd5

  8. Filesize: 344B
     MD5: 97cd3d7d88d8554ba560ec608c07340c
     SHA1: 5aab7ef087e6dff552a1721dec7a2f296b8a49fc
     SHA256: 03e155fcee280753be82c5ec56ac54dea67ca5b09f86202fafd6546bfda4bd38
     SHA512: b0d3b954b10f3bd83963695e13d6edcebf736d903854e5df12147ec2907c885b0036ca25477d2ba1691c9ed0527a1c263cc86a0db92febfd867c5c3d1a374eb4

  9. Filesize: 344B
     MD5: c7adb6d6ffa222853217f6111d8b31a2
     SHA1: 0095bc497b134b8ffd4aa55f1afdd8363b7d5f99
     SHA256: 2e93c6cd8bb57a73e882e5f131ec9ad6cf535840146b111920a95813d8543289
     SHA512: 93d0cbc7f3f5f6b2e4a9173c2fcc1d6e34a96b4c8e4231f6fd913a6e15a1aa947be84879beb8d67dd20aeef65dfb1a723b8e3d2706c8915e9c1b129e617943c1

  10. Filesize: 344B
      MD5: 10fa89b29ae66751d93f0c160c420015
      SHA1: b7e75adf96f1880eba3244e212232863f760f498
      SHA256: 978446c6efb3a592539a4f1749647b0d5b543b4e3e47d1fcdba798bfcfabeb5a
      SHA512: d6cd78623ac1ecdb2eed164705e88f1c7213aead54a317eb2ac1af3ba46410070de22386c3b0f329cd2f83ffc1c58933ac55841ffb714ee477863389f3e2b752

  11. Filesize: 344B
      MD5: 2c98e07b69a087f6ff85862f7ee15ded
      SHA1: 6fe5dff909423e25105318aa994854a0d36d453b
      SHA256: ce752ae7ce4b6f04fc1b38c6a6ed1b183af0c29bcf226145898560aea494e71a
      SHA512: 218c511af1dfd2af38477bd3e54421e9f5a03b7925857c58fa56dd88f3d86dd8a203514e2a3285acb4e445f6956c4914588054b4e269ecb66da18e7d83014035

  12. Filesize: 344B
      MD5: 49cef5b7ebd253033bcd8d70128a7678
      SHA1: 2916db80e1dd8d405d9996ef28158be3ea660998
      SHA256: 8402b1648f36b06e83f4cba6688104731302655f123d565b378b7d2519f6c96b
      SHA512: 363fc90d960e9dd27a3f2d64a71ccd858dc0f5b87ca7808723cfbacf5b0859bf705233337335af915cc3ff29d96c3b163cb01fcb34fa5179646c6cdce0643b66

  13. Filesize: 344B
      MD5: d71db79b52639166ad02f58ed4a7bc87
      SHA1: cb611677520b99c9f96f72e3bb012d9e5077471d
      SHA256: 6debd9f05f3f84dde618c9623bd64c7f289fb9ae2cf9ae87807eff3cc9ad56bd
      SHA512: fac602af371faaaaecd1f5171428e5b313ee7cbfb3bb498b8a99a4043931880ef968676ee55739accf98ee0cf71eaea0052cac595f41ca8aa2227084e30c4d6a

  14. Filesize: 344B
      MD5: 62cd5030ec6d6da174aee4a2c7bbbe0e
      SHA1: 0131f6f143435dd7b7af9abc0979355f43f5f5ed
      SHA256: 309acc4ea31cef2286dacd5f6ad2d99f643df102635df2120b3b2c15e81412b4
      SHA512: b31628e696f47f1d5f70208690955361b91506fa3b2bf00f7a1ae975765e0409b0445497dbf06f23cd85494f4ed99ba9e71c1e9f5e731156293196e8219ba72a

  15. Filesize: 344B
      MD5: 8f9b0576aefd121dcea854d89860a638
      SHA1: 7b98ebc272adf0e76ddd18765d5d6be4609e1e1d
      SHA256: 5b6a200a68a60eb2b9223cb87b8028c6ef57dfea3fe5bdb2a145e0a59959f9b9
      SHA512: 45ee139eced6678328257a4da00d0c479466f793c9715de3c59b392d33c08b70ef7de28d741d7dea1124f52833476bd79e07ccbaae6a3be685f79465f0144faa

  16. Filesize: 344B
      MD5: 1768ed3946bbb33bdd704e74812ce5eb
      SHA1: 4a56011c3320b18c64300eab7b0f74b99116bb08
      SHA256: 8e6ed9a676a5ad95de32cc2af3030fd2d8b2b10e0d040ef2a39a000b3e196837
      SHA512: 7b3bd90815dcd4c45e916fdc832138c30bd34e3e3ae36133495d53edb7e9612191dd3c6b7cbef2479e6a59d35ede730b039f07b24529d90ebffdf9f9b2e8fd16

  17. Filesize: 344B
      MD5: f38b1f5b838f5b7665cb835902470e42
      SHA1: 0a5306dc0034ffa005550f599d989045e83ffc39
      SHA256: 251a45b8de88f3bf306e2c4f8a0bcf4a516e2bd759f0ce3c6e1494d0b5357cce
      SHA512: fcefc1deca3a6bab66319184e7778226903d36175d9cbac07e57a9d0fa7dfbb0205d4eb84083d5a1818ef1e690a318ab34643d1ab38d41c4d257b0aee8877aa6

  18. Filesize: 344B
      MD5: 7c396f8c1a099294d72182aee9999444
      SHA1: 1da5be4f5977996abb837311516e4f1c31b8590c
      SHA256: 547fb57f67ae67c7543f189980d6759471ae936392d7deddde4e5f3e5adce6d6
      SHA512: e565916d7be2586d62aff6f7c48d3c6f62ce79f85eae5b0e6c99c801498eed7f535bff3a95837219ff6cecc9136e9b157b394f526ed83bbfe0062811babdb06b

  19. Filesize: 344B
      MD5: 7be74059733d4988de2ffca76eb78a47
      SHA1: ca163df88c0925cf2c8a8c6a07969829923a9140
      SHA256: 0a5bd3a92782f2298e5db97d7b9eaa9312e163d2c01c25de3e4b6876ba489098
      SHA512: 4e739020d3024d3cdec0b4c4d733b192998541480f03be56b1c8a10ed980bc250107b29cbfac5049bd879c02bbda0bc484a274f7e0f2db32ab7281d9d030e782

  20. Filesize: 344B
      MD5: f2d477fc8d80df04ff96375e8a0c5e74
      SHA1: 6cde0d7bec8a4e1a410975d23d15cec856ecce2b
      SHA256: d7d26b522e73e2398bf2d40465338a4bb58cbfda43e3dd6ce552c2ceed9b4f08
      SHA512: 298246228cb09962569d45faeadc0cc63b589ba9373a15eafff6eb29d095a1afda476e632c9ea02aaa41d2a6bbf70c8c17402bd4a76afbb55b6f96fcdde0bcde

  21. Filesize: 344B
      MD5: 71dccda05e5a9e35fc903dd8a40783ff
      SHA1: 06b89ec589b042c629ac3bafa218df92b2ae509d
      SHA256: cc624e12719c7f18fa5bc7506d650844d2b7de689a42232706e4adee0252de2d
      SHA512: 2269e0d6404084b05cd670d65fefb13ef2fe040fd676e6dfb7e659a7f2a94887ff8d91c4db1c9a53fcc804666638cf3d132c2c4427a74568df4cf7ab352e1435

  22. Filesize: 344B
      MD5: f8905e13a7fbf5d04d5c4dae812643a3
      SHA1: 75e7f4d320b7d4fa33e659e56bcbdf936a79a120
      SHA256: 71467c2fb70dc68d7c979acec8ac94c3a503eedf7830ede5a8828cd3a754c587
      SHA512: 579230d3b67f6158a302689edcb03b5c56546730d418bc6821d7eafa1c57e47709219c8a3fde463baa747a36074cae5b5fe98e08fc573ef9af41e5cdf8950893
(path not shown in the report)
  Filesize: 1KB
  MD5: 3faf9b25daef282346ae01a8b147876e
  SHA1: 007dd5feb1cc99e36798955117e59dcd42012ce6
  SHA256: cb704a32a3cbcef5b1074b85485cdf61c6bfd64be15bc11e8f470907f47b56ff
  SHA512: 4b81caa2cca6eb7ef86130be5f2a036d6242ba0db829efba862c66e67efed190535125a1f7eb2596a3fb2ca21dbe4ef63341d5e80d9a6b670bcf86b314244260

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\favicon[1].ico
  Filesize: 1KB
  MD5: 7ef1f0a0093460fe46bb691578c07c95
  SHA1: 2da3ffbbf4737ce4dae9488359de34034d1ebfbd
  SHA256: 4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c
  SHA512: 68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

(path not shown in the report)
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

(path not shown in the report)
  Filesize: 67KB
  MD5: 753df6889fd7410a2e9fe333da83a429
  SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
  SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
  SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

(path not shown in the report)
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

(path not shown in the report)
  Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
  SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

(path not shown in the report)
  Filesize: 53B
  MD5: 23962a245f75fe25510051582203aff1
  SHA1: 20832a3a1179bb2730194d2f7738d41d5d669a43
  SHA256: 1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
  SHA512: dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

(path not shown in the report)
  Filesize: 992KB
  MD5: e9cf92cf46c1aa4c3f39d32d82cb9b5f
  SHA1: 69bfcb3ca48e501f4d9d68f93beff7caeff2233d
  SHA256: b4a5158c399e14d98fd083cc66398c420f83aa44008bcb574c378d74930926b1
  SHA512: 25f7e80409d52294e7b977c5694c9135fe782c858ec4a61306099e31cd927bca481c740802f50b94fd0047483e02e0b3af0970b93cc155324a1e30b6babdcd7c

(path not shown in the report)
  Filesize: 433KB
  MD5: 009978a694b907272232dae718ab2dfa
  SHA1: 3e956d50265c389aaa762662e6383452747b553e
  SHA256: 38c3a1f7ad09787918862b2d6dd93b441b4856995cc8fc713a6154f5d50f8fd9
  SHA512: f8bd846149481c476fd461fd05cf6e297d647894683e32d1ce3ccb96465893d3c9d0ae554d46a1bf52b28f89b1bde41dcad75afe237f413fbc60490b56a8e6c4

(path not shown in the report)
  Filesize: 660B
  MD5: d980f89e4088711df685a0aa09e8f5a7
  SHA1: dde805f4fa5e016e122e4240e20ff844113717d7
  SHA256: 28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09
  SHA512: fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

(path not shown in the report)
  Filesize: 3KB
  MD5: 286fe459674aef6eee17f6ac79a15fdb
  SHA1: 233dc43099c575a67b05fc1076e676324fd6e63d
  SHA256: 872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2
  SHA512: c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

(path not shown in the report)
  Filesize: 492B
  MD5: 34c14b8530e1094e792527f7a474fe77
  SHA1: f71c4e9091140256b34c18220d1dd1efab1f301d
  SHA256: fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
  SHA512: 25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

(path not shown in the report)
  Filesize: 3KB
  MD5: d4917ae9072a10d8e12ef3b282b25b3b
  SHA1: bd9ec6c6395997525ec7c15ecca2f115573cc14c
  SHA256: 6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
  SHA512: c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

(path not shown in the report)
  Filesize: 247B
  MD5: ca436f6f187bc049f9271ecdcbf348fa
  SHA1: bf8a548071cfc150f7affb802538edf03d281106
  SHA256: 6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
  SHA512: d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

(path not shown in the report)
  Filesize: 121KB
  MD5: f4628c8066866d1cd974801b7c51c5fb
  SHA1: 6a0594bd5bda5656b97c18626704ff19a2fd875b
  SHA256: f93c09513c7589ba4a0a32e6f2a1b7d1d283bf7e11926ca86b0e81c5d9aaf898
  SHA512: fbb851002d60862be5e22f7803586b0945443962a526ca6b1545bfd57633d5443670838f95dcbf281747943ef58edc88bbabe5faf55a2a39332bc293b3b1f5fb

(path not shown in the report)
  Filesize: 697KB
  MD5: ca12160321ab07aaf3d2eb8f822c65f0
  SHA1: 2011ec04932d553b2f4fbf1a83c92ad96ef15d46
  SHA256: eebdfa0592f6f965102d00ba5609642bdabacb073d9d0347ff44066887906265
  SHA512: fa280acfd6af33e7b37fe83907f63f274d9a2398d69278a3e3226729b55c6c848a18acf4638312634ede12126e32a77d26328dd424d03f5bae5706f4e6db51b6

(path not shown in the report)
  Filesize: 880KB
  MD5: c8183b6139b869aced9851e60618b4db
  SHA1: e3c7a31d9caf1d471d8b92d1101e1671a924eb00
  SHA256: 0dd74b25b2f59f17d96804ebd782e374cb3918b865f8bd4f6f792f2bcf820a91
  SHA512: 6e3dbe20e89e7ebc874dd39dcbeeff244caace522399aa3a6b6f1488a67e909ed9d80fa97e53b0d24cdc0be4b965fbdb83e328189a3431816ddee3bd7c467374