Analysis Overview
SHA256
3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9
Threat Level: Known bad
The file 3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
UAC bypass
Possible privilege escalation attempt
Sets file to hidden
Disables taskbar notifications via registry modification
Deletes itself
UPX packed file
Executes dropped EXE
Modifies file permissions
Modifies system executable filetype association
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Protected Mode Banner
Modifies registry class
Views/modifies file attributes
Suspicious behavior: CmdExeWriteProcessMemorySpam
Runs .reg file with regedit
Modifies Internet Explorer settings
Runs ping.exe
Modifies Internet Explorer start page
Modifies File Icons
Modifies Internet Explorer Protected Mode
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 00:36
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 00:36
Reported
2024-03-05 00:39
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\regedit.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\regedit.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\regedit.exe | N/A |
Disables taskbar notifications via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\web\sms.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Tencent\QDesk | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Program Files\QDesk | C:\Windows\system32\attrib.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\web\uac11.reg | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| File opened for modification | C:\Windows\web\uac11.reg | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| File created | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| File opened for modification | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
Enumerates physical storage devices
Modifies File Icons
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\regedit.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\regedit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | C:\Windows\system32\regini.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\OpenAllHomePages = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\CommandBarEnabled = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Download | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ThumbnailBehavior = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.cbala.com" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\DEPOff = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\LinksFolderName = " " | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = da4b9550aecdcb01 | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Bing" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Home_Page\Home_Page = "http://www.cbala.com" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\OpenInForeground = "0" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "yes" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\NoUpdateCheck = "1" | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff0000000000000000ffff0000ffff0000 | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "@ieframe.dll,-12512" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{A481937F-4D99-4B11-86E6-5B0F1007C557}.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "@ieframe.dll,-12512" | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = da4b9550aecdcb01 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Windows\regedit.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com" | C:\Windows\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.jpeg\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tiff | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,-32528" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideFolderVerbs | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\ = "管理员取得所有权" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\Gadgets | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.jpg\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.jpeg | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tiff\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.ico | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\Command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.png\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "管理员取得所有权" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\Command\ = "notepad %1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\HomeButtonPage = "http://www.cbala.com/" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\HomeButtonEnabled = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\ = "属性(&R)" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideAsDeletePerUser | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.gif\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\XXX Groove GFS Context Menu Handler XXX | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\ = "打开主页(&H)" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\HomeButtonEnabled = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\New | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\Attributes = "48" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.jpg | C:\Windows\regedit.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe
"C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\system32\takeown.exe
takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\regedit.exe
regedit /s "C:\Windows\web\uac11.reg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul
C:\Windows\system32\attrib.exe
attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul
C:\Windows\system32\attrib.exe
attrib +a +s +h +r "C:\Program Files\QDesk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Program Files\QDesk" /c /p everyone:n
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /u /s igfxpph.dll
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\system32\regini.exe
regini regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\system32\regini.exe
regini regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\system32\regini.exe
regini regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\web\sms.exe
C:\Windows\web\sms.exe
C:\Windows\system32\cmd.exe
cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe"
C:\Windows\system32\PING.EXE
ping -n 3 127.1
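The process tree above is the whole playbook: seize the Startup folders with takeown/icacls, import a .reg file silently, hide and lock the QDesk directories, unregister the Intel shell extension, wipe the context-menu handlers and Run entries, lock the IE SearchScopes keys with regini, then ping-delay and delete the dropper. The following is an added example, not part of the original report and not code from the sample: a small rule set that labels each of those command lines with the technique it implements and decodes the regini "[2 8 19]" ACL line. SAMPLE reproduces lines from the process tree; the rule names and the Finding type are this example's own.

```python
"""Command-line triage for the behaviours recorded in the process tree above.

Added example, not part of the original report and not code from the sample:
each rule matches one of the command lines the sandbox logged and labels the
technique it implements. SAMPLE reproduces lines from that process tree; the
rule names and the Finding type are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# regini.exe numeric ACE codes (documented subset). "[2 8 19]" is what the
# sample echoes into regset.ini: read-only for Administrators, Everyone and
# SYSTEM, so ordinary writes to the key (including IE resetting the provider) fail.
REGINI_ACES = {
    1: "Administrators Full", 2: "Administrators Read", 3: "Administrators Read/Write",
    7: "Everyone Full", 8: "Everyone Read", 9: "Everyone Read/Write",
    17: "SYSTEM Full", 18: "SYSTEM Read/Write", 19: "SYSTEM Read",
}
WRITE_ACES = {1, 3, 4, 7, 9, 10, 17, 18}  # codes that grant any write access

STARTUP_DIR = "start menu\\programs\\startup"


def decode_regini_acl(codes):
    """Return (human-readable ACEs, True if no listed ACE grants write)."""
    names = [REGINI_ACES.get(c, f"code {c}") for c in codes]
    return names, not any(c in WRITE_ACES for c in codes)


def triage_cmdline(cmd):
    """Apply every rule to one command line and return the matches."""
    low = cmd.lower()
    found = []
    if re.search(r"\bregedit(\.exe)?\s+/s\b", low):            # silent .reg import
        m = re.search(r'/s\s+"?([^"]+?\.reg)"?', cmd, re.I)
        found.append(Finding("silent_reg_import", m.group(1) if m else cmd.strip()))
    if ("takeown" in low or "icacls" in low) and STARTUP_DIR in low:
        found.append(Finding("startup_folder_ownership_grab", cmd.strip()))
    m = re.search(r'cacls\s+"([^"]+)"\s+/c\s+/p\s+everyone:n', cmd, re.I)
    if m:                                                       # Everyone: No access
        found.append(Finding("deny_everyone_acl", m.group(1)))
    m = re.search(r'attrib\s+((?:\+[ashr]\s+)+)"([^"]+)"', cmd, re.I)
    if m and "+s" in m.group(1).lower() and "+h" in m.group(1).lower():
        found.append(Finding("system_hidden_attrib", m.group(2)))
    m = re.search(r"echo\s+(HK\S.*?)\s+\[([\d ]+)\]\s*>\s*\S+", cmd, re.I)
    if m:                                                       # regini ACL line
        names, locked = decode_regini_acl([int(c) for c in m.group(2).split()])
        found.append(Finding("regini_acl_lock" if locked else "regini_acl_set",
                             f"{m.group(1)} -> {', '.join(names)}"))
    m = re.search(r"regsvr32(?:\.exe)?\s+/u\s+(?:/s\s+)?(\S+)", cmd, re.I)
    if m:                                                       # shell extension removed
        found.append(Finding("shell_ext_unregister", m.group(1)))
    m = re.search(r"reg\s+delete\s+\S+\\CurrentVersion\\Run\s+/v\s+(\S+)", cmd, re.I)
    if m:
        found.append(Finding("run_key_entry_removed", m.group(1)))
    m = re.search(r"reg\s+delete\s+(\S+\\shellex\\ContextMenuHandlers)\s+/f", cmd, re.I)
    if m:
        found.append(Finding("context_menu_handlers_wiped", m.group(1)))
    m = re.search(r'ping\s+-n\s+\d+\s+127(?:\.0\.0)?\.1\s*&\s*del\s+(?:/\w\s+)*"([^"]+)"', cmd, re.I)
    if m:                                                       # delay, then delete self
        found.append(Finding("delayed_self_delete", m.group(1)))
    return found


def triage(cmdlines):
    """Rule name -> ordered, de-duplicated details across all command lines."""
    report = {}
    for cmd in cmdlines:
        for f in triage_cmdline(cmd):
            bucket = report.setdefault(f.rule, [])
            if f.detail not in bucket:
                bucket.append(f.detail)
    return report


# Reproduced from the behavioral1 process tree above (wrapper cmd.exe lines omitted).
SAMPLE = [
    r'takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"',
    r'icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t',
    r'regedit /s "C:\Windows\web\uac11.reg"',
    r'attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"',
    r'cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n',
    r'regsvr32 /u /s igfxpph.dll',
    r'reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f',
    r'reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f',
    r'C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini',
    r'cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe"',
]

if __name__ == "__main__":
    for rule, details in triage(SAMPLE).items():
        print(rule, details)
```

The rules key on the LOLBin plus its target (Startup folder, a .reg under C:\Windows\web, a Program Files directory, a Run value) rather than on the binary alone, since takeown, icacls, attrib and regini all have legitimate administrative uses; fed with Sysmon Event ID 1 command lines the same function works unchanged.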
Network
Files
memory/1712-0-0x000000013F4B0000-0x000000013F62C000-memory.dmp
C:\Windows\Web\uac11.reg
| MD5 | bbd3dee5cbbb93dccf6142734392c1b8 |
| SHA1 | a777e02f98e5c0f3051c94f338152030ec18d9bd |
| SHA256 | 89c385e57268607b7f467b4cbe946c6ce2f8af523e41b200789d92d04097865b |
| SHA512 | 19c961c0384be66200396d19284cfa77381e4eeb034505477a3096e4ac1bc4bfb8bca1ab7ae9dd29c2d82add686555b84d5450dfc8d365adc24c45ec412985e6 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 06697bf2f4f5395a9af659f50df00e3b |
| SHA1 | 01925ffbeed3e54e134e1fafaef8ff640dda9107 |
| SHA256 | 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1 |
| SHA512 | 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | b141c6974c48fadca812a060e03f8200 |
| SHA1 | bfc010eeda61bd2bd6d3b7963570cbc7d7539037 |
| SHA256 | 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e |
| SHA512 | 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 2c545704057f619fa7fb3f994862f181 |
| SHA1 | b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd |
| SHA256 | 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0 |
| SHA512 | 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84 |
C:\Windows\Web\sms.exe
| MD5 | 628ca25523c98eb00cee7503787f78ee |
| SHA1 | 7b1c2393002e35ea36f4e20c5d6dd87d14542408 |
| SHA256 | 6f01b51d56b152362ad864e5c4e3f8979aa60c565021e0eff2b34fba422d4870 |
| SHA512 | 07eca622f5d10b2d5892417dc872ecce2d1b0b8e6a1c6916186770c685038e8cdf4ebc01c50fd6ad47e981f8b7a7c9bdc05e1e71fbba54cab1d5b34cb8edc639 |
memory/1712-34-0x000000013F4B0000-0x000000013F62C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 00:36
Reported
2024-03-05 00:39
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\regedit.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\regedit.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\regedit.exe | N/A |
Disables taskbar notifications via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\web\sms.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" (Chinese: "Administrator Take Ownership") | C:\Windows\regedit.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Tencent\QDesk | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Program Files\QDesk | C:\Windows\system32\attrib.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\web\uac11.reg | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| File opened for modification | C:\Windows\web\uac11.reg | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| File created | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| File opened for modification | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
Enumerates physical storage devices
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" | C:\Windows\regedit.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\regedit.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\regedit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = " " | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "@ieframe.dll,-12512" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "2" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" (Chinese: "Baidu Search") | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\CommandBarEnabled = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" (Chinese: "Baidu Search") | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "@ieframe.dll,-12512" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Download | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\Enabled = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Windows\system32\regini.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "yes" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | C:\Windows\system32\regini.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{A481937F-4D99-4B11-86E6-5B0F1007C557}.ico" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\UseClearType = "yes" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\ShowTabsBelowAddressBar = "1" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com" | C:\Windows\regedit.exe | N/A |
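Read together, the registry rows above say more than any single signature: ConsentPromptBehaviorAdmin=0 with PromptOnSecureDesktop=0 leaves EnableLUA=1 in place, so UAC stays "on" while administrators elevate silently; HideFileExt=1 and ShowSuperHidden=0 hide what was just dropped; the exefile runas2 verb puts the takeown/icacls chain on every .exe context menu; and the default search scope is labelled as Baidu while its URL sends queries to www.456020.com. The following is an added example, not part of the original report and not code from the sample: it parses rows in the "| Description | Indicator | Process | Target |" layout used here and correlates them into those findings. SAMPLE_ROWS reproduce rows from the tables above; the rule names are this example's own.

```python
"""Registry-event triage for the behavioral2 signature tables above.

Added example, not part of the original report and not code from the sample:
parses rows in the "| Description | Indicator | Process | Target |" layout,
then correlates them into posture findings (UAC prompt policy, Explorer
hiding, the exefile context-menu verb, the IE search-scope and start-page
hijack). SAMPLE_ROWS reproduce rows from those tables; rule names are ours.
"""
import re
from urllib.parse import urlsplit

ROW = re.compile(
    r"^\|\s*(Set value \((?:int|str)\)|Key created|Key deleted)"
    r"\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$"
)


def parse_row(line):
    """One table row -> dict, or None for anything that is not a row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    action, indicator, process, _target = m.groups()
    rec = {"action": action, "process": process, "path": indicator, "name": None, "value": None}
    if action.startswith("Set value"):
        path, _, raw = indicator.partition(' = "')
        key, _, name = path.rpartition("\\")      # trailing "\" means the default value
        value = None
        if raw:                                   # drop closing quote, unescape \" and \\
            value = re.sub(r'\\(["\\])', r"\1", raw[:-1])
            if action.endswith("(int)"):
                value = int(value)
        rec.update(path=key, name=name, value=value)
    return rec


def _index(records):
    return {(r["path"].lower(), r["name"].lower()): r["value"]
            for r in records if r["value"] is not None}


def _get(vals, key_suffix, name):
    """First value whose key ends with key_suffix (case-insensitive, any hive)."""
    key_suffix, name = key_suffix.lower(), name.lower()
    for (p, n), v in vals.items():
        if p.endswith(key_suffix) and n == name:
            return v
    return None


def findings(records):
    """Correlate parsed rows into (rule, detail) pairs."""
    vals = _index(records)
    out = []
    cpba = _get(vals, "\\Policies\\System", "ConsentPromptBehaviorAdmin")
    posd = _get(vals, "\\Policies\\System", "PromptOnSecureDesktop")
    if cpba == 0 and posd == 0:   # 0 = "Elevate without prompting"; UAC itself stays on
        lua = _get(vals, "\\Policies\\System", "EnableLUA")
        out.append(("uac_silent_elevation",
                    f"EnableLUA={lua}: UAC still on, but admins elevate with no prompt"))
    if (_get(vals, "\\Explorer\\Advanced", "HideFileExt") == 1
            and _get(vals, "\\Explorer\\Advanced", "ShowSuperHidden") == 0):
        out.append(("explorer_hides_ext_and_superhidden", "extensions and system files concealed"))
    for (p, n), v in vals.items():   # any exefile verb whose command chains takeown
        if ("\\classes\\exefile\\shell\\" in p and n in ("", "isolatedcommand")
                and isinstance(v, str) and "takeown" in v.lower()):
            verb = p.split("\\shell\\", 1)[1].split("\\", 1)[0]
            out.append(("exefile_ownership_verb", f"verb '{verb}': {v}"))
            break
    scope = _get(vals, "\\Internet Explorer\\SearchScopes", "DefaultScope")
    if scope:
        url = _get(vals, "\\SearchScopes\\" + scope, "URL")
        label = _get(vals, "\\SearchScopes\\" + scope, "DisplayName")
        if url:                    # branded name vs. where queries actually go
            out.append(("default_search_scope", f"'{label}' -> {urlsplit(url).netloc}"))
    start = _get(vals, "\\Internet Explorer\\Main", "Start Page")
    if start:
        out.append(("start_page_set", urlsplit(start).netloc))
    return out


# Reproduced from the behavioral2 tables above; the heading line shows non-rows are skipped.
SAMPLE_ROWS = [
    r'UAC bypass',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe | N/A |',
]

if __name__ == "__main__":
    for rule, detail in findings([r for r in map(parse_row, SAMPLE_ROWS) if r]):
        print(rule, detail)
```

_get matches on a key suffix so that the same row from HKLM, HKU or the WOW6432Node view satisfies a rule; when feeding it Sysmon Event ID 13 (value set) records instead of report rows, tighten the suffixes to full key paths to avoid cross-hive matches.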
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.jpeg | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.jpeg\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.gif\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.ico\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\HomeButtonPage = "http://www.cbala.com/" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.gif | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\new\ = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\ | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideFolderVerbs | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\ = "管理员取得所有权" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.ico | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.png | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\ = "在没有加载项的情况下启动(&N)" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\Command\ = "notepad %1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\Attributes = "48" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.bmp | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.bmp\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe about:NoAdd-ons" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\ = "用记事本打开该文件" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4035969101" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideOnDesktopPerUser | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "管理员取得所有权" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ = "Internet Explorer" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.tiff\ = "PhotoViewer.FileAssoc.Tiff" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\WantsParseDisplayName | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.jpg | C:\Windows\regedit.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe
"C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\system32\takeown.exe
takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\regedit.exe
regedit /s "C:\Windows\web\uac11.reg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul
C:\Windows\system32\attrib.exe
attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul
C:\Windows\system32\attrib.exe
attrib +a +s +h +r "C:\Program Files\QDesk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Program Files\QDesk" /c /p everyone:n
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /u /s igfxpph.dll
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\system32\regini.exe
regini regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\system32\regini.exe
regini regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\system32\regini.exe
regini regset.ini
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\web\sms.exe
C:\Windows\web\sms.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3d58f5ca2ffb62a9649de5bab8a38aa02313a1acafe1cd2b47512b289cce4ad9.exe"
C:\Windows\system32\PING.EXE
ping -n 3 127.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wsus.ithome.com | udp |
| US | 8.8.8.8:53 | wsus.ithome.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wsus.ithome.com | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
Files
memory/3732-0-0x00007FF763BE0000-0x00007FF763D5C000-memory.dmp
C:\Windows\Web\uac11.reg
| MD5 | bbd3dee5cbbb93dccf6142734392c1b8 |
| SHA1 | a777e02f98e5c0f3051c94f338152030ec18d9bd |
| SHA256 | 89c385e57268607b7f467b4cbe946c6ce2f8af523e41b200789d92d04097865b |
| SHA512 | 19c961c0384be66200396d19284cfa77381e4eeb034505477a3096e4ac1bc4bfb8bca1ab7ae9dd29c2d82add686555b84d5450dfc8d365adc24c45ec412985e6 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 06697bf2f4f5395a9af659f50df00e3b |
| SHA1 | 01925ffbeed3e54e134e1fafaef8ff640dda9107 |
| SHA256 | 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1 |
| SHA512 | 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | b141c6974c48fadca812a060e03f8200 |
| SHA1 | bfc010eeda61bd2bd6d3b7963570cbc7d7539037 |
| SHA256 | 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e |
| SHA512 | 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 2c545704057f619fa7fb3f994862f181 |
| SHA1 | b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd |
| SHA256 | 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0 |
| SHA512 | 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84 |
C:\Windows\Web\sms.exe
| MD5 | 628ca25523c98eb00cee7503787f78ee |
| SHA1 | 7b1c2393002e35ea36f4e20c5d6dd87d14542408 |
| SHA256 | 6f01b51d56b152362ad864e5c4e3f8979aa60c565021e0eff2b34fba422d4870 |
| SHA512 | 07eca622f5d10b2d5892417dc872ecce2d1b0b8e6a1c6916186770c685038e8cdf4ebc01c50fd6ad47e981f8b7a7c9bdc05e1e71fbba54cab1d5b34cb8edc639 |
memory/3732-34-0x00007FF763BE0000-0x00007FF763D5C000-memory.dmp