sality | 3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779f

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

A potential corporate email address has been identified in the URL: result@2.png
phishing

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN = "c:\\windows\\ime\\appfht.exe"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened (read-only)	\??\K:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened (read-only)	\??\L:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened (read-only)	\??\E:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened (read-only)	\??\G:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened (read-only)	\??\H:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened (read-only)	\??\I:	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3128-14-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-4-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-6-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-15-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-16-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-13-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-5-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-3-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-1-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-19-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-20-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-21-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-22-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-23-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-24-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-26-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-27-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-28-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-30-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-31-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-34-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-35-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx
behavioral2/memory/3128-40-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File created	\??\c:\windows\ime\appfht.exe	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
File opened for modification	\??\c:\windows\ime\appfht.exe	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
Token: SeDebugPrivilege	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 784	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	8
PID 3128 wrote to memory of 792	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	9
PID 3128 wrote to memory of 340	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	13
PID 3128 wrote to memory of 2652	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	44
PID 3128 wrote to memory of 2660	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	45
PID 3128 wrote to memory of 2804	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	47
PID 3128 wrote to memory of 3548	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	56
PID 3128 wrote to memory of 3680	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	57
PID 3128 wrote to memory of 3876	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	58
PID 3128 wrote to memory of 3968	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	59
PID 3128 wrote to memory of 4076	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	60
PID 3128 wrote to memory of 772	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	61
PID 3128 wrote to memory of 4196	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	62
PID 3128 wrote to memory of 2328	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	64
PID 3128 wrote to memory of 1644	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	76
PID 3128 wrote to memory of 784	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	8
PID 3128 wrote to memory of 792	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	9
PID 3128 wrote to memory of 340	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	13
PID 3128 wrote to memory of 2652	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	44
PID 3128 wrote to memory of 2660	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	45
PID 3128 wrote to memory of 2804	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	47
PID 3128 wrote to memory of 3548	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	56
PID 3128 wrote to memory of 3680	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	57
PID 3128 wrote to memory of 3876	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	58
PID 3128 wrote to memory of 3968	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	59
PID 3128 wrote to memory of 4076	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	60
PID 3128 wrote to memory of 772	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	61
PID 3128 wrote to memory of 4196	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	62
PID 3128 wrote to memory of 2328	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	64
PID 3128 wrote to memory of 1644	3128	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe	76

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2652

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2660

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe
  "C:\Users\Admin\AppData\Local\Temp\3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2328

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1644

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

www.baidu.com

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

8.8.8.8:53

Request

www.baidu.com

IN A

Response

www.baidu.com

IN CNAME

www.a.shifen.com

www.a.shifen.com

IN CNAME

www.wshifen.com

www.wshifen.com

IN A

103.235.47.188

www.wshifen.com

IN A

103.235.46.96
GET

http://www.baidu.com/

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

103.235.47.188:80

Request

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.baidu.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Bdpagetype: 1
Bdqid: 0xbb2ac34a00c5e03e
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Mon, 30 Dec 2024 23:06:33 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Set-Cookie: BAIDUID=798E77D5997D760795181E3FD39620BE:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=798E77D5997D760795181E3FD39620BE; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1735599993; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=798E77D5997D76079834185CAA8DAC26:FG=1; max-age=31536000; expires=Tue, 30-Dec-25 23:06:33 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Set-Cookie: BDSVRTM=2; path=/
Set-Cookie: BD_HOME=1; path=/
Traceid: 1735599993398768333813486806756722335806
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block
Transfer-Encoding: chunked
GET

http://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

103.235.47.188:80

Request

GET /img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=798E77D5997D76079834185CAA8DAC26:FG=1; BIDUPSID=798E77D5997D760795181E3FD39620BE; PSTM=1735599993; BDSVRTM=2; BD_HOME=1

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: max-age=315360000
Content-Length: 15444
Content-Type: image/png
Date: Mon, 30 Dec 2024 23:06:34 GMT
Etag: "3c54-61d4848bad137"
Expires: Thu, 28 Dec 2034 23:06:34 GMT
Last-Modified: Mon, 15 Jul 2024 12:22:35 GMT
Server: Apache
GET

http://www.baidu.com/img/flexible/logo/pc/result.png

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

103.235.47.188:80

Request

GET /img/flexible/logo/pc/result.png HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=798E77D5997D76079834185CAA8DAC26:FG=1; BIDUPSID=798E77D5997D760795181E3FD39620BE; PSTM=1735599993; BDSVRTM=2; BD_HOME=1

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: max-age=315360000
Content-Length: 6617
Content-Type: image/png
Date: Mon, 30 Dec 2024 23:06:34 GMT
Etag: "19d9-5a533d00d4900"
Expires: Thu, 28 Dec 2034 23:06:34 GMT
Last-Modified: Sat, 09 May 2020 09:33:56 GMT
Server: Apache
GET

http://www.baidu.com/img/flexible/logo/pc/peak-result.png

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

103.235.47.188:80

Request

GET /img/flexible/logo/pc/peak-result.png HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=798E77D5997D76079834185CAA8DAC26:FG=1; BIDUPSID=798E77D5997D760795181E3FD39620BE; PSTM=1735599993; BDSVRTM=2; BD_HOME=1

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: max-age=315360000
Content-Length: 7707
Content-Type: image/png
Date: Mon, 30 Dec 2024 23:06:35 GMT
Etag: "1e1b-5b00622d17d00"
Expires: Thu, 28 Dec 2034 23:06:35 GMT
Last-Modified: Thu, 24 Sep 2020 02:41:24 GMT
Server: Apache
DNS

pss.bdstatic.com

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

8.8.8.8:53

Request

pss.bdstatic.com

IN A

Response

pss.bdstatic.com

IN CNAME

pss.bdstatic.com.a.bdydns.com

pss.bdstatic.com.a.bdydns.com

IN CNAME

opencdnbdpss.jomodns.com

opencdnbdpss.jomodns.com

IN CNAME

opencdnglobal.gshifen.com

opencdnglobal.gshifen.com

IN A

104.193.90.80

opencdnglobal.gshifen.com

IN A

104.193.88.112
DNS

188.47.235.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

188.47.235.103.in-addr.arpa

IN PTR

Response
GET

http://www.baidu.com/img/PCfb_5bf082d29588c07f842ccde3f97243ea.png

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

103.235.47.188:80

Request

GET /img/PCfb_5bf082d29588c07f842ccde3f97243ea.png HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=798E77D5997D76079834185CAA8DAC26:FG=1; BIDUPSID=798E77D5997D760795181E3FD39620BE; PSTM=1735599993; BDSVRTM=2; BD_HOME=1

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: max-age=315360000
Content-Length: 24774
Content-Type: image/png
Date: Mon, 30 Dec 2024 23:06:34 GMT
Etag: "60c6-5f555bcf8cac0"
Expires: Thu, 28 Dec 2034 23:06:34 GMT
Last-Modified: Thu, 23 Feb 2023 03:37:55 GMT
Server: Apache
GET

http://www.baidu.com/img/flexible/logo/pc/result@2.png

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

103.235.47.188:80

Request

GET /img/flexible/logo/pc/result@2.png HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=798E77D5997D76079834185CAA8DAC26:FG=1; BIDUPSID=798E77D5997D760795181E3FD39620BE; PSTM=1735599993; BDSVRTM=2; BD_HOME=1

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: max-age=315360000
Content-Length: 12802
Content-Type: image/png
Date: Mon, 30 Dec 2024 23:06:35 GMT
Etag: "3202-61d4848bc5bbf"
Expires: Thu, 28 Dec 2034 23:06:35 GMT
Last-Modified: Mon, 15 Jul 2024 12:22:35 GMT
Server: Apache
DNS

hectorstatic.baidu.com

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

8.8.8.8:53

Request

hectorstatic.baidu.com

IN A

Response

hectorstatic.baidu.com

IN CNAME

hectorstatic.baidu.com.a.bdydns.com

hectorstatic.baidu.com.a.bdydns.com

IN CNAME

opencdnbdv6.jomodns.com

opencdnbdv6.jomodns.com

IN A

183.131.185.38

opencdnbdv6.jomodns.com

IN A

42.101.56.38

opencdnbdv6.jomodns.com

IN A

58.57.102.38

opencdnbdv6.jomodns.com

IN A

171.214.23.38

opencdnbdv6.jomodns.com

IN A

1.194.253.38

opencdnbdv6.jomodns.com

IN A

218.94.231.38

opencdnbdv6.jomodns.com

IN A

218.94.232.38

opencdnbdv6.jomodns.com

IN A

171.214.24.38

opencdnbdv6.jomodns.com

IN A

183.255.35.38

opencdnbdv6.jomodns.com

IN A

182.140.225.38
GET

https://pss.bdstatic.com/r/www/static/font/cosmic/pc/cos-icon_8bae49a.css

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

104.193.90.80:443

Request

GET /r/www/static/font/cosmic/pc/cos-icon_8bae49a.css HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pss.bdstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: JSP3/2.0.14
Date: Mon, 30 Dec 2024 23:06:35 GMT
Content-Type: text/css; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 25 Dec 2024 18:08:49 GMT
Last-Modified: Fri, 08 Nov 2024 08:59:34 GMT
ETag: "203025c0afc4140c3ad97a88a669db54"
Cache-Control: max-age=31536000
Content-Encoding: gzip
Age: 661076
Accept-Ranges: bytes
Content-MD5: IDAlwK/EFAw62XqIpmnbVA==
x-bce-content-crc32: 3991110428
x-bce-debug-id: VK8v+vmDUZu7ccf4HxqQnof84Xe3oDc5PHAjt0pWdo09KeaVxBfzOmrJRpkqWo1azhBcHbvWp3qNi3zwMViX6g==
x-bce-flow-control-type: -1
x-bce-is-transition: false
x-bce-request-id: 32c067c9-2453-4739-86e5-f98bd14b0c07
x-bce-storage-class: STANDARD
Ohc-Global-Saved-Time: Sun, 22 Dec 2024 18:08:49 GMT
Ohc-Cache-HIT: iad01-sys-jomo4.iad01.baidu.com [2], zhuzuncache54 [2]
Ohc-File-Size: 2600
X-Cache-Status: HIT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
GET

https://pss.bdstatic.com/static/superman/css/ubase_sync-d600f57804.css?v=md5

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

104.193.90.80:443

Request

GET /static/superman/css/ubase_sync-d600f57804.css?v=md5 HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pss.bdstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: JSP3/2.0.14
Date: Mon, 30 Dec 2024 23:06:35 GMT
Content-Type: text/css; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Mon, 14 Oct 2024 01:50:56 GMT
Last-Modified: Fri, 06 Sep 2024 06:38:07 GMT
ETag: "d600f57804631038c658b4056d63812a"
Cache-Control: max-age=31536000
Content-Encoding: gzip
Age: 661619
Accept-Ranges: bytes
Content-MD5: 1gD1eARjEDjGWLQFbWOBKg==
x-bce-content-crc32: 99606430
x-bce-debug-id: BqI6cfv9/4T7M9UyxrYC2bgkrbdzZq7SNzCVcwc/18rI8dpAHXNf3thbk9mOGJccRRkBHnzypEp49RaIGKx3ZA==
x-bce-flow-control-type: -1
x-bce-is-transition: false
x-bce-request-id: 5fd33fce-61ec-493b-a31c-70d2909d102d
x-bce-storage-class: STANDARD
Ohc-Global-Saved-Time: Fri, 11 Oct 2024 01:50:56 GMT
Ohc-Cache-HIT: iad01-sys-jomo0.iad01.baidu.com [2], zhuzuncache56 [2]
Ohc-File-Size: 212
X-Cache-Status: HIT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
GET

https://pss.bdstatic.com/static/superman/js/lib/esl-d776bfb1aa.js

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

104.193.90.80:443

Request

GET /static/superman/js/lib/esl-d776bfb1aa.js HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pss.bdstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: JSP3/2.0.14
Date: Mon, 30 Dec 2024 23:06:35 GMT
Content-Type: text/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Mon, 14 Oct 2024 01:50:56 GMT
Last-Modified: Fri, 06 Sep 2024 06:38:08 GMT
ETag: "d776bfb1aae5a93ad826135c4b1c8727"
Cache-Control: max-age=31536000
Content-Encoding: gzip
Age: 661068
Accept-Ranges: bytes
Content-MD5: 13a/sarlqTrYJhNcSxyHJw==
x-bce-content-crc32: 1931967198
x-bce-debug-id: d0L2rTibneb6xb+2ZRZBc0wMIZeMn5gkeYWXkDGjkU/aGxhaBJ1ebvMSMCehQXqghQxOI7xHambcqb62w8TKyQ==
x-bce-flow-control-type: -1
x-bce-is-transition: false
x-bce-request-id: 5a0fa480-ef5f-47a4-8f2a-342541604968
x-bce-storage-class: STANDARD
Ohc-Global-Saved-Time: Fri, 11 Oct 2024 01:50:56 GMT
Ohc-Cache-HIT: iad01-sys-jomo2.iad01.baidu.com [2], zhuzuncache51 [2]
Ohc-File-Size: 5219
X-Cache-Status: HIT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
GET

https://pss.bdstatic.com/static/superman/img/topnav/newfanyi-da0cea8f7e.png

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

104.193.90.80:443

Request

GET /static/superman/img/topnav/newfanyi-da0cea8f7e.png HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pss.bdstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: JSP3/2.0.14
Date: Mon, 30 Dec 2024 23:06:35 GMT
Content-Type: image/png
Content-Length: 4560
Connection: keep-alive
Expires: Wed, 25 Dec 2024 15:28:04 GMT
Last-Modified: Fri, 20 Dec 2024 13:11:47 GMT
ETag: "da0cea8f7e96046b1140228813422283"
Cache-Control: max-age=31536000
Age: 661081
Accept-Ranges: bytes
Content-MD5: 2gzqj36WBGsRQCKIE0Iigw==
x-bce-content-crc32: 3211882637
x-bce-debug-id: 7yZb1NqG2p6hbf/kAjXljS13NvfbSNnFQVBghEIE5Fpon+kMY4ozFfA9tByxjisYEhKY2eoyFHTGx2YEqG8b/A==
x-bce-flow-control-type: -1
x-bce-is-transition: false
x-bce-request-id: 845bcdb6-165a-4466-a4dc-932e6f6ae269
x-bce-storage-class: STANDARD
Ohc-Global-Saved-Time: Sun, 22 Dec 2024 15:28:04 GMT
Ohc-Cache-HIT: iad01-sys-jomo4.iad01.baidu.com [2], zhuzuncache53 [4]
Ohc-File-Size: 4560
X-Cache-Status: HIT
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
GET

https://pss.bdstatic.com/static/superman/js/lib/jquery-1-edb203c114.10.2.js

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

Remote address:

104.193.90.80:443

Request

GET /static/superman/js/lib/jquery-1-edb203c114.10.2.js HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pss.bdstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: JSP3/2.0.14
Date: Mon, 30 Dec 2024 23:06:35 GMT
Content-Type: text/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 31 May 2024 06:47:25 GMT
Last-Modified: Fri, 26 May 2023 06:24:17 GMT
ETag: "edb203c114d8e1115c869ca443dd6e48"
Cache-Control: max-age=31536000
Content-Encoding: gzip
Age: 661081
Accept-Ranges: bytes
Content-MD5: 7bIDwRTY4RFchpykQ91uSA==
x-bce-content-crc32: 1196392526
x-bce-debug-id: ocvFnRxFZltSY3gD8ZU83WwOpLQQyBHeMKF8yfr5f7eTlqxj2eK/sIffJbVFZKvWJi2vdfQhunN1QE578zwG+w==
x-bce-request-id: d86b7a71-bb1e-44b4-8bf9-967775538d29
x-bce-storage-class: STANDARD
Ohc-Global-Saved-Time: Tue, 28 May 2024 06:47:25 GMT
Ohc-Cache-HIT: iad01-sys-jomo2.iad01.baidu.com [2]
Ohc-File-Size: 143929
X-Cache-Status: HIT
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
DNS

80.90.193.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.90.193.104.in-addr.arpa

IN PTR

Response
DNS

133.130.101.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.101.151.in-addr.arpa

IN PTR

Response
DNS

226.21.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.21.18.104.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

103.235.47.188:80

http://www.baidu.com/img/flexible/logo/pc/peak-result.png

http

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

12.9kB
274.4kB
229
227

HTTP Request

GET http://www.baidu.com/

HTTP Response

200

HTTP Request

GET http://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png

HTTP Response

200

HTTP Request

GET http://www.baidu.com/img/flexible/logo/pc/result.png

HTTP Response

200

HTTP Request

GET http://www.baidu.com/img/flexible/logo/pc/peak-result.png

HTTP Response

200
103.235.47.188:80

http://www.baidu.com/img/flexible/logo/pc/result@2.png

http

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

4.0kB
67.5kB
62
60

HTTP Request

GET http://www.baidu.com/img/PCfb_5bf082d29588c07f842ccde3f97243ea.png

HTTP Response

200

HTTP Request

GET http://www.baidu.com/img/flexible/logo/pc/result@2.png

HTTP Response

200
104.193.90.80:443

https://pss.bdstatic.com/static/superman/js/lib/esl-d776bfb1aa.js

tls, http

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

2.6kB
17.3kB
24
22

HTTP Request

GET https://pss.bdstatic.com/r/www/static/font/cosmic/pc/cos-icon_8bae49a.css

HTTP Response

200

HTTP Request

GET https://pss.bdstatic.com/static/superman/css/ubase_sync-d600f57804.css?v=md5

HTTP Response

200

HTTP Request

GET https://pss.bdstatic.com/static/superman/js/lib/esl-d776bfb1aa.js

HTTP Response

200
104.193.90.80:443

https://pss.bdstatic.com/static/superman/js/lib/jquery-1-edb203c114.10.2.js

tls, http

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

3.5kB
57.3kB
53
52

HTTP Request

GET https://pss.bdstatic.com/static/superman/img/topnav/newfanyi-da0cea8f7e.png

HTTP Response

200

HTTP Request

GET https://pss.bdstatic.com/static/superman/js/lib/jquery-1-edb203c114.10.2.js

HTTP Response

200
183.131.185.38:80

hectorstatic.baidu.com

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

104 B
2
104.193.90.80:80

pss.bdstatic.com

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

196 B
104 B
4
2

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

www.baidu.com

dns

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

59 B
144 B
1
1

DNS Request

www.baidu.com

DNS Response

103.235.47.188

103.235.46.96
8.8.8.8:53

pss.bdstatic.com

dns

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

62 B
205 B
1
1

DNS Request

pss.bdstatic.com

DNS Response

104.193.90.80

104.193.88.112
8.8.8.8:53

188.47.235.103.in-addr.arpa

dns

73 B
161 B
1
1

DNS Request

188.47.235.103.in-addr.arpa
8.8.8.8:53

hectorstatic.baidu.com

dns

3c43806b515c950339ca8c8e0e95861a66fd899776145b8cefc62f08b2d4779fN.exe

68 B
308 B
1
1

DNS Request

hectorstatic.baidu.com

DNS Response

183.131.185.38

42.101.56.38

58.57.102.38

171.214.23.38

1.194.253.38

218.94.231.38

218.94.232.38

171.214.24.38

183.255.35.38

182.140.225.38
8.8.8.8:53

80.90.193.104.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

80.90.193.104.in-addr.arpa
8.8.8.8:53

133.130.101.151.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

133.130.101.151.in-addr.arpa
8.8.8.8:53

226.21.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

226.21.18.104.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry