Analysis
- max time kernel: 121s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 08:22
Behavioral task: behavioral1
- Sample: 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- Size: 232KB
- MD5: 6c6ffe6dec9996e509c8b17333d1ed50
- SHA1: a1d7fec43b3268afd22cf92f6fb6a4f418c741e3
- SHA256: 363b9c1d79698e5dfe0dbc430a76c424629420fa7d4bf9399df566855acc0e6c
- SHA512: 5c5d7968ce74fea3b70a8e21379cd2170519f41450f5adab7d04026eb723e5f6ed3539a8a0fba0ea70a7648050bb36d59c769454a1a254e5f82f60f06d42a9ec
- SSDEEP: 3072:m1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:Ai/NjO5xbg/CSUFLTwMjs6oi/N+O7
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
Processes (resource | yara_rule):
- behavioral1/memory/3000-0-0x0000000000400000-0x000000000043A000-memory.dmp | upx
- C:\WINDOWS\windows.exe | upx
- C:\system.exe | upx
- behavioral1/memory/3000-12-0x0000000000400000-0x000000000043A000-memory.dmp | upx
Drops file in System32 directory (2 IoCs)
Processes (description | ioc | process):
- File created | C:\WINDOWS\SysWOW64\ie.bat | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- File created | C:\WINDOWS\SysWOW64\qx.bat | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
- File created | C:\WINDOWS\windows.exe | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- File opened for modification | C:\WINDOWS\windows.exe | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- File opened for modification | C:\WINDOWS\windows.exe | attrib.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved in the extracted report) | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13A732E1-295E-11EF-8414-4A4F109F65B0} = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408151016bbdda01 | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424428818" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099ee51cc9ba18e4eb359fbbe97a951a100000000020000000000106600000001000020000000da0770658e7e96e94e2e1d50b37a1de17348b51c9afab23017fb4867f1b5b7af000000000e800000000200002000000076c575c441d56c9bc8633edd4f97febe5bbab42753ad2374bc45ed1ffc51ccb520000000a287b4978ec7bed639802aed152cc134f5a89b1ce761a14e11a1441eef8b2dcb400000009050841d4d9eabfcaf17a73617f0413a144060025602f05dd77d739503e3de6ea11a4b42380f25535e294326681a5e01ae3e10a8f096a6c05d2ab9b3d45fcb14 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid | process):
- 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid | process):
- 2156 | iexplore.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid | process):
- 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
- 2156 | iexplore.exe
- 2156 | iexplore.exe
- 2516 | IEXPLORE.EXE
- 2516 | IEXPLORE.EXE
- 2516 | IEXPLORE.EXE
- 2516 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process). Each parent-to-child write below was logged four times in the report, giving the 64 entries:
- PID 3000 wrote to memory of 2156 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | iexplore.exe (4 entries)
- PID 2156 wrote to memory of 2516 | 2156 | iexplore.exe | IEXPLORE.EXE (4 entries)
- PID 3000 wrote to memory of 2720 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2720 wrote to memory of 2556 | 2720 | cmd.exe | attrib.exe (4 entries)
- PID 3000 wrote to memory of 2748 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2748 wrote to memory of 2752 | 2748 | cmd.exe | attrib.exe (4 entries)
- PID 3000 wrote to memory of 2448 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2448 wrote to memory of 2588 | 2448 | cmd.exe | attrib.exe (4 entries)
- PID 3000 wrote to memory of 2536 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2536 wrote to memory of 2428 | 2536 | cmd.exe | attrib.exe (4 entries)
- PID 3000 wrote to memory of 2440 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2440 wrote to memory of 2544 | 2440 | cmd.exe | attrib.exe (4 entries)
- PID 3000 wrote to memory of 2940 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2940 wrote to memory of 1152 | 2940 | cmd.exe | attrib.exe (4 entries)
- PID 3000 wrote to memory of 2996 | 3000 | 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe | cmd.exe (4 entries)
- PID 2996 wrote to memory of 1508 | 2996 | cmd.exe | attrib.exe (4 entries)
Views/modifies file attributes (1 TTPs, 7 IoCs)
Processes (pid | process):
- 2544 | attrib.exe
- 1152 | attrib.exe
- 1508 | attrib.exe
- 2556 | attrib.exe
- 2752 | attrib.exe
- 2588 | attrib.exe
- 2428 | attrib.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"
  PID: 3000
  Signatures:
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    PID: 2156
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
      PID: 2516
      Signatures:
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    PID: 2720
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      PID: 2556
      Signatures:
      - Views/modifies file attributes
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    PID: 2748
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      PID: 2752
      Signatures:
      - Views/modifies file attributes
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    PID: 2448
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      PID: 2588
      Signatures:
      - Views/modifies file attributes
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    PID: 2536
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      PID: 2428
      Signatures:
      - Views/modifies file attributes
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    PID: 2440
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      PID: 2544
      Signatures:
      - Views/modifies file attributes
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
    PID: 2940
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "C:\WINDOWS\windows.exe"
      PID: 1152
      Signatures:
      - Drops file in Windows directory
      - Views/modifies file attributes
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
    PID: 2996
    Signatures:
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h "c:\system.exe"
      PID: 1508
      Signatures:
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b5f3cd501fdae126ab3f3d0a4bd9d14d
SHA1: 2ef064250979abd52d1b05bae10f86bd838f85c4
SHA256: 2949914a4d7553223d98b8c6a18b3ef11f1ebdef914c08b5180a640a080b7e71
SHA512: f6496c57efb0c093e1414a6de9e87da3d2ccca880c27f56e99e154a2b809d7626baaeff29cfa2726eec4ad5b4802599d076e4d77564933efb41fa863e5547ee3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6083aef146065ac434f1202f021db1ad
SHA1: a253682941525ac4c1bde57bed77cc57cb300aed
SHA256: a80935e380b96c8d95ef04c4f1d2d333323c6c00fe13aebbafda7ce9bdf01b87
SHA512: 7b045d96b81fdbd8d0fdc91cef30552a240a1a91f0378030ca92831bcbb8c1acb2e91c24eaa44c9985c45bac7e9984f5c150ef0b8a6c28f0df56bd64d2295a1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c4431a8d0b226a14db90feab016b9c7f
SHA1: 0549c39927b55c9042b8c9380e401f11f9366d2c
SHA256: 35be1941d0732bc04c521bee5cda52987f10f01842869060e15fb1a55a51bfe2
SHA512: 6654786d08f8f011a564c698306694d9badaa7c7e18370a41b30d52247cb0a66ceb57b4a7189d313fd867c0c04ae04c4603528a1c40f9db614324bc27474537e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 81c5c0d5fa16e71c550d19cbd3642ae2
SHA1: 8d9305e484de1ad1777f05c582b18d5f3d916810
SHA256: 61e8ad89a4d7b7e11bbf438647bdc5f5881305033ae5bff3d8fe47847b915f8a
SHA512: cf38255527d077dada05c2dc37909b17650be51f55d77f7bd8c7c74f671c9781e85900de1b5ea3507bdc5fddac0f03de7967f9e93a161c242cdd14ac7a55e0e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f3d2fe150341199dc586c7cdb65aafba
SHA1: 565e55f5c428c44115c4adaac8f3aefe95cc8f0e
SHA256: c3917db21acc72fee71a0c7ae6482db254d972c4a0e7e35b14c2b779a892c05f
SHA512: 6087174a1a61c7b77edaad941a4f8e7232204d969825ca1373567d29ab52fb2bb3273eee5f559caa35e9a8d2be0491978cd543ac22001f47afd488b355ee79d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 66b0d42d0fbbdbb91299a0d68e34931b
SHA1: 13974bb85463af886bd9ee271ad90c54b5e0e7ef
SHA256: 256b42fd8767c51b263ec71ba9ffd44376d764b43013590b10a09b21602fe9a8
SHA512: 08b0179ec760b7916c5347f433ae6635820f2c1e6a96f9f0bdf8d1af8651a154d52faadc5b9efe29da155b8ee59bc6ffb92e236a059d0f5b3c4de8d3fa7f9b8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6380b2b5fc5dcbd6bf46832ee04b5b5f
SHA1: d0de4ed877085e987e3a70636fbfd9253a03b571
SHA256: 1ffefb8f4481e770758def283ff8d41e7a38dbe3f266df9f897f445977df3459
SHA512: 67e5441dfc4322d05ef512da98925f85761ffb4ab5bf380b1ad77cc8eeb14ff4ea522784dbd7855f1e351b3d6f411fd3c03606de849478e8e94873e320bd4a57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ada0706f4f9920f28db3ad1eb56fe817
SHA1: 08e44997d3d20db3f368824ba52fbb53dd038e8d
SHA256: 89dc38747f5bbc41573461437928dff6e48f52b11d99ebf5e6af957575159598
SHA512: 90a07106ea5abebeb5271abc053bc5bf1682ddcf1f25acc97ba65e2ff30089dc8a9163e2589f80df48279f7627e8427fb7f40ef3036fd1c0b09e29f02b6a8d83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b5aa252b2ad671daa25699a86fe09703
SHA1: 614c5ea86544ea514db7c4bb4f8fb1c062fa0975
SHA256: 7ed5826424277e32bf09453c3561ef8d43f4e9690822fac6cb840603b50b5672
SHA512: d03749101bce62797b73b62f7970b70e736d916296e7cf0413abe8962b032c398d5c8f8fa2ab4a49f309cc6a32bc19d5eecb77fe6ef8acf6d3a35669a7032874

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: edcb170a815261246138e0703fe0fb51
SHA1: 4e3d52a1a5152f3cc69890e8c9e535139fa97baa
SHA256: 6cb635b89f7c71df082de09b2e51d15318c497f76b14ba4222808253187bfb59
SHA512: 5c52933b43c98f35b67376bfcc869d5a70421b66772fe03df24344865d2c914c4466b86b6f809a9a9b795c81da7b89d071767e004db9d8066e47d1b614d50cbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fcb758c5f85c5b7c3a7cb11d0045dad4
SHA1: 5e62672ed57470f17c88238ef499877364007d93
SHA256: eb1863520f84abb5e7868546d8da076d2752bc18ca211db9a52521eb560dd04b
SHA512: 261f4301d6901dbf075b91f40db0c93db993c8043885b477708779babb94b187198c6e947e804f273d61756c264ee41eafc6b39b7d65f947ba100c7195218c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7edc1488b12b09a0d8360f87b3d9bdc6
SHA1: db45454745da8cf5d6ea2b27e448e6d256ce1400
SHA256: 5b174601681ccdf43f8829c7c09a564f13a7f4051127135cfe14c1bfedadb0d6
SHA512: 4e10e3afb1d2741f07daa9015cd36711adb7517e762ba0b802747d0fcf1422c33a9ac487f9d02b39e6f7821f5dcd670504b307c38a6bdb4bf34d1e05e6cb31cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6e1560e4032798006bdaefd039b56d57
SHA1: 123aa53292504fb784b4a0b77c4430ea7481991a
SHA256: f60a1e48a796e87a10570f25e5100a8b09d1200355d3360b6acc892e39a09ac3
SHA512: 3ae94840a83bef50717de6268083ac2ca28753c800e9b2a5e09020ddd85e0db8752aaf5091ebe1452fe149a06ebe2ba976b234dcd26817c3c3b87a12256ff364

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9d82701c297c67180afe0ea887171f7f
SHA1: b44717e99e4af6bad8892fd1e35dd3aabda49513
SHA256: 46b7152044857dcae7e69c55ac2da444a03bfbf300f55c4c13b11ededdcb0172
SHA512: a73eb31869d2d49e47c031043d116919a77104a5c205bd402c14b080de30065067a3342622c3dabad9ad8a796a54fd47798416c38c0e0ce8373708e8b720e660

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5fcd9d66ce940cf46c2a72462f5e80aa
SHA1: b61bd0c5cec27603aa02c2ad61905ff9c582d428
SHA256: 3063c8a268a06d3ba9e1b1285ade5157a88a237924c0d2535da693090bcbc20c
SHA512: 01eba2a02f6b8bcf0fa2bdf4c2fe0ef241e78c2b03b4e2ec3d2460fbaa5698df92ef4f0fa0b95ea109697652de060a92b5370a03cc1c527318a3f5f71fb20325

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0f349589e3ebbacaf664e3e3ec97283e
SHA1: edb0090fc0f85808c665cdaa6e27e15d474296d7
SHA256: f5900ff2119ae8d7a7085cf35a7ffeb9886556b80813cc4cd0aeee08a03533c3
SHA512: 616bdcd7b03393a6439bdf740972400afefb953d07000daf79ae6cc640ad01d5f6623c4593283147bdaa81f8d084cd0e68494798b2840e3c381a8dab3e826e84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3c014dc374540dcd1406c6ec56364b24
SHA1: 4821db6e41d325fbf6592d0139e65e8228f9d11a
SHA256: 22200c21602d44de27fd7d82a515aa020905b80628fbe2fc60082de4599b5da6
SHA512: 97255a2f6abab6f91e5b536cedcad99de2a8c40f047f09e53a1ef66363a9ed2421637a66bcb2f489eefff4467c152c862570bb0a1a80ffe46ecfbd41a3160fa2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 80f41712519ab4e1687634fcaa10fcac
SHA1: 891eeb669872e8aa0b8a02ee1cb0af030376592b
SHA256: 83aa136e960cd87ea3cbfbbdea52bd89ef06c01ccd0995248817b50a2ebb0ee6
SHA512: 83cdf4e5a0781c9c5f2d298c35a138b76c953df77c20eed9f0dd56fde887420f8aca5de8714e6cd062e123502028ddb5b3a0385c80a938cac772a49078cb12fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7d1c1a2f8bfdb9d2d88ec4e2c883b769
SHA1: 65e3f1876d61a1f43fc7eb11bf76a5b42ca1917a
SHA256: b47c5af495be60442385feba6f00c12f684d18b17719163f398fd14149a79152
SHA512: 5b771318e13209e947a8ca7435d05e0e77d6df21b8aa2b3fd4b63986a40130c92241cb6c38c890bd24f7fa73c64f1fe8b9512678a5112a99dc81e71dd74000c1

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 232KB
MD5: 0a7646ec3b42de8f1d20859722186b7e
SHA1: 965789c39ef97b038abf4e7c09e5c24031730466
SHA256: ecb26fd5c7d0cbd707bcef90dd8d1d3c401eaf3e2e65343659240b860fcfd8dd
SHA512: cb558a290c2f4339ed45344fc107f0556c653d8e14a41b19cbb26c4bef01e0cdfa2ec022dd4d394552d7a9d4a77d20aad78e2290a84a0a46dc0791a48c748e81

Filesize: 232KB
MD5: 69a912ca464521e0816fdc115df5097f
SHA1: 867d0cb5c60e14b3e049a335d38f688850ef5d47
SHA256: 33b5d7598d756f7b567e7278e12bf1a76b27ac4fa232e1122d25bbb787916f1c
SHA512: 19553fc417e663a521377fe59ce3da9af1f6a492692ae3f78e49ce7731f4d3e727709134b960e32d7047e4c9b6f45105bb5c1de1bba72dfa67cbd7b454cada0b