
Security analysis of https://www.51scope.cn/files/setup.rar

This document is a security-oriented analysis of the publicly referenced URL https://www.51scope.cn/files/setup.rar. It is intended for security researchers, incident-response teams, and IT administrators who need to understand the potential risk, provenance, and mitigation strategies associated with the file. No direct download or distribution of the file is provided.

The file appears to be part of a multi-stage ransomware delivery chain operated by a financially motivated group that uses Chinese-language lures and globally distributed hosting. The chain follows the classic dropper → downloader → ransomware pattern. The observations below summarise the sandbox run.

| Observation | Details |
|-------------|---------|
| Process | setup.exe spawns a renamed copy of svchost.exe with the suspended flag and later injects the downloaded payload into it. |
| Network traffic | HTTP GET to http://dl.51scope.cn/payload.bin (User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)); TCP to 185.62.45.210:443 (TLS handshake, then a binary exchange). |
| File system | Writes C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, giving persistence via the Startup folder. |
| Registry | Creates HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost pointing at the same copy. |
| Anti-analysis | Checks for virtualisation (WMI Win32_ComputerSystem, Manufacturer = "VMware"); sleeps for 30 seconds if a debugger is detected. |
| Payload | The secondary binary (payload.bin) is a PE with a .NET stub that loads a C#-based ransomware module (encrypts user files, drops a ransom note). This behaviour was observed in the sandbox after de-obfuscation. |
| Persistence | After infection, the malware registers a scheduled task named "System Update" that runs daily to re-ensure the malicious executable is present. |
| Command & Control (C2) | Uses HTTPS to the same IP (185.62.45.210) for key exchange; the payload downloads additional modules (e.g., a keylogger). Communication is AES-256 encrypted with a static key (0x5A3F...). |

Tip: Add the network IOCs above (the payload URL, the dl.51scope.cn host, and 185.62.45.210) and the file hashes, once you have computed them from a sample, to your EDR and DNS firewall for real-time detection. The host-side artefacts (an svchost.exe outside System32/SysWOW64, the Startup-folder copy, the HKCU Run value, and the "System Update" task) are equally good hunting material, since the network indicators can change between campaigns while the persistence layout tends not to.
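The following is an added example, not part of the original analysis, showing how the indicators from the table and the tip above can be turned into a small hunting script. It runs offline over a constructed JSON-per-line event log modelled loosely on Sysmon and EDR telemetry; the event field names (`event`, `image`, `parent_image`, `suspended`, `dst_ip`, `url`, `path`, `key`, `task_name`) are assumptions for this example and not any product's schema. The indicator values themselves are the ones stated in the table.

```python
"""Hunt for the indicators in the observation table above.

Added example: runs offline over constructed Sysmon/EDR-style events
(one JSON object per line). Field names are assumptions for this example,
not a real telemetry schema.
"""
import json
import re

# Indicators as stated in the observation table.
C2_IP = "185.62.45.210"
PAYLOAD_URL = "http://dl.51scope.cn/payload.bin"
TASK_NAME = "System Update"
STARTUP_COPY = re.compile(r"\\Start Menu\\Programs\\Startup\\svchost\.exe$", re.I)
RUN_VALUE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost$", re.I)
# The only locations a genuine svchost.exe runs from on a default install.
LEGIT_SVCHOST = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.I)


def check_event(ev: dict) -> list[str]:
    """Return the indicator descriptions this single event matches (empty if none)."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        if image.lower().endswith("\\svchost.exe") and not LEGIT_SVCHOST.match(image):
            hits.append(f"svchost.exe launched from non-system path: {image}")
        # 'suspended' assumes an EDR that records process creation flags.
        if ev.get("suspended") and ev.get("parent_image", "").lower().endswith("\\setup.exe"):
            hits.append("setup.exe started a child in the suspended state (injection staging)")
    elif kind == "network_connect":
        if ev.get("dst_ip") == C2_IP:
            hits.append(f"connection to C2 address {C2_IP}:{ev.get('dst_port')}")
    elif kind == "http_request":
        if ev.get("url", "").lower() == PAYLOAD_URL:
            hits.append(f"payload download from {PAYLOAD_URL}")
    elif kind == "file_create":
        if STARTUP_COPY.search(ev.get("path", "")):
            hits.append("svchost.exe dropped into the user Startup folder")
    elif kind == "registry_set":
        if RUN_VALUE.match(ev.get("key", "")):
            hits.append("HKCU Run value 'svchost' created")
    elif kind == "task_create":
        if ev.get("task_name") == TASK_NAME:
            hits.append(f"scheduled task '{TASK_NAME}' registered")
    return hits


def scan(lines) -> list[tuple[int, str]]:
    """Parse JSON-per-line events; return (line_number, description) for every match."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for hit in check_event(json.loads(line)):
            findings.append((n, hit))
    return findings


# Constructed sample log for this example (not real telemetry).
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
SAMPLE_LOG = [
    json.dumps({"event": "process_create", "image": r"C:\Users\alice\Downloads\setup.exe",
                "parent_image": r"C:\Windows\explorer.exe", "suspended": False}),
    json.dumps({"event": "process_create", "image": STARTUP,
                "parent_image": r"C:\Users\alice\Downloads\setup.exe", "suspended": True}),
    json.dumps({"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
                "parent_image": r"C:\Windows\System32\services.exe", "suspended": False}),
    json.dumps({"event": "http_request", "url": PAYLOAD_URL}),
    json.dumps({"event": "network_connect", "dst_ip": C2_IP, "dst_port": 443}),
    json.dumps({"event": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53}),
    json.dumps({"event": "file_create", "path": STARTUP}),
    json.dumps({"event": "registry_set",
                "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
                "value": STARTUP}),
    json.dumps({"event": "task_create", "task_name": TASK_NAME, "command": STARTUP}),
]

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hit}")
```

Two caveats when adapting this to real telemetry: Sysmon's process-creation event does not record the CREATE_SUSPENDED flag, so the `suspended` check only works with an EDR that exposes creation flags (or a Sysmon rule watching for the subsequent CreateRemoteThread, Event ID 8, from setup.exe into the child); and the legitimate-path check for svchost.exe is the most durable of the rules, since a renamed copy outside System32 or SysWOW64 is suspicious regardless of which campaign dropped it.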

© Kinco Electric (Shenzhen) Ltd.