Overview
overview
3Static
static
3QQ空间�...32.dll
windows7-x64
3QQ空间�...32.dll
windows10-2004-x64
3QQ空间�...32.dll
windows7-x64
3QQ空间�...32.dll
windows10-2004-x64
3QQ空间�...TL.dll
windows7-x64
3QQ空间�...TL.dll
windows10-2004-x64
3QQ空间�...ET.dll
windows7-x64
3QQ空间�...ET.dll
windows10-2004-x64
3QQ空间�...CK.dll
windows7-x64
3QQ空间�...CK.dll
windows10-2004-x64
3QQ空间�...ng.exe
windows7-x64
3QQ空间�...ng.exe
windows10-2004-x64
3QQ空间�...��.bat
windows7-x64
3QQ空间�...��.bat
windows10-2004-x64
3Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 22:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
QQ空间全能助手/COMCTL32.dll
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
QQ空间全能助手/COMCTL32.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral3
Sample
QQ空间全能助手/COMDLG32.dll
Resource
win7-20240708-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral4
Sample
QQ空间全能助手/COMDLG32.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral5
Sample
QQ空间全能助手/MSCOMCTL.dll
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral6
Sample
QQ空间全能助手/MSCOMCTL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral7
Sample
QQ空间全能助手/MSINET.dll
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral8
Sample
QQ空间全能助手/MSINET.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral9
Sample
QQ空间全能助手/MSWINSCK.dll
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral10
Sample
QQ空间全能助手/MSWINSCK.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral11
Sample
QQ空间全能助手/QQ空间全能助手2.3 去广告 by Loading.exe
Resource
win7-20240729-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral12
Sample
QQ空间全能助手/QQ空间全能助手2.3 去广告 by Loading.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral13
Sample
QQ空间全能助手/无法运行请点我.bat
Resource
win7-20240708-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral14
Sample
QQ空间全能助手/无法运行请点我.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
QQ空间全能助手/无法运行请点我.bat
-
Size
111B
-
MD5
9f3e181c3e4e9321fc729813b8b8d390
-
SHA1
0de1a4b0fd73bac0d352b10193faa36aead47ea5
-
SHA256
102aab53907784ff8f0aad7fe63522afd5e44053ee8bf008750f6f9de368c594
-
SHA512
f246fb33497b828ae1637d5057d3e9a9c1f45dd9bde2fdc0a02ab61084935219fc4ac074251866f72547e5f02f753c8398888beef05260988b66feea282ffed2
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\MiscStatus\1 regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\MiscStatus\1\ = "131473" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip.2\CLSID\ = "{1EFB6596-857C-11D1-B16A-00C0F0283628}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\ = "Microsoft ImageComboBox Control 6.0 (SP6)" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ = "IPanels" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus\ = "0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}\ = "Slider General Property Page Object" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\VersionIndependentProgID\ = "MSComctlLib.Toolbar" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ = "Microsoft ListView Control 6.0 (SP6)" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2\ = "Microsoft ProgressBar Control 6.0 (SP6)" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX, 1916" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}\ = "Tab Property Page Object" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.TreeCtrl.2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\ = "IButton" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\CONTROL regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ImageListCtrl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\ProgID regsvr32.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs
pid Process 3020 regsvr32.exe 2736 regsvr32.exe 1648 regsvr32.exe 2768 regsvr32.exe 2688 regsvr32.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2332 wrote to memory of 3020 2332 cmd.exe 32 PID 2332 wrote to memory of 3020 2332 cmd.exe 32 PID 2332 wrote to memory of 3020 2332 cmd.exe 32 PID 2332 wrote to memory of 3020 2332 cmd.exe 32 PID 2332 wrote to memory of 3020 2332 cmd.exe 32 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 3020 wrote to memory of 3036 3020 regsvr32.exe 33 PID 2332 wrote to memory of 2736 2332 cmd.exe 34 PID 2332 wrote to memory of 2736 2332 cmd.exe 34 PID 2332 wrote to memory of 2736 2332 cmd.exe 34 PID 2332 wrote to memory of 2736 2332 cmd.exe 34 PID 2332 wrote to memory of 2736 2332 cmd.exe 34 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2736 wrote to memory of 2216 2736 regsvr32.exe 35 PID 2332 wrote to memory of 1648 2332 cmd.exe 36 PID 2332 wrote to memory of 1648 2332 cmd.exe 36 PID 2332 wrote to memory of 1648 2332 cmd.exe 36 PID 2332 wrote to memory of 1648 2332 cmd.exe 36 PID 2332 wrote to memory of 1648 2332 cmd.exe 36 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 1648 wrote to memory of 2696 1648 regsvr32.exe 37 PID 2332 wrote to memory of 2768 2332 cmd.exe 38 PID 2332 wrote to memory of 2768 2332 cmd.exe 38 PID 2332 wrote to memory of 2768 2332 cmd.exe 38 PID 2332 wrote to memory of 2768 2332 cmd.exe 38 PID 2332 wrote to memory of 2768 2332 cmd.exe 38 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2768 wrote to memory of 2776 2768 regsvr32.exe 39 PID 2332 wrote to memory of 2688 2332 cmd.exe 40 PID 2332 wrote to memory of 2688 2332 cmd.exe 40 PID 2332 wrote to memory of 2688 2332 cmd.exe 40 PID 2332 wrote to memory of 2688 2332 cmd.exe 40 PID 2332 wrote to memory of 2688 2332 cmd.exe 40 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41 PID 2688 wrote to memory of 1152 2688 regsvr32.exe 41
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\QQ空间全能助手\无法运行请点我.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\system32\regsvr32.exeregsvr32 COMCTL32.OCX2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\regsvr32.exeCOMCTL32.OCX3⤵
- System Location Discovery: System Language Discovery
PID:3036
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 MSWINSCK.OCX2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\regsvr32.exeMSWINSCK.OCX3⤵
- System Location Discovery: System Language Discovery
PID:2216
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 MSINET.OCX2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\regsvr32.exeMSINET.OCX3⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 MSCOMCTL.OCX2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\regsvr32.exeMSCOMCTL.OCX3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:2776
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 COMDLG32.OCX2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\regsvr32.exeCOMDLG32.OCX3⤵
- System Location Discovery: System Language Discovery
PID:1152
-
-