762f25cd9fb1083bad9e78e3f051c338b7a587a31bf66cce5b2cc9b1414e053c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b33846484569ea996296c2bcb9505b7_JaffaCakes118.exe
Size

285KB
MD5

7b33846484569ea996296c2bcb9505b7
SHA1

df9940dd8483d0e9402d23485d21d17cb3b6af61
SHA256

762f25cd9fb1083bad9e78e3f051c338b7a587a31bf66cce5b2cc9b1414e053c
SHA512

1fc949d6cecb13d16a13047bcc7ae3c75348b087d7a719e4ad332ce713e25ddbb775e0a59941dda206a21669b3318f954ea81459256a9b10dfe048695f0ad2bd
SSDEEP

6144:LcdzC2vfnfzzQfqPWJq1iVDRrSlnZD1WjyMABi1uEXedC:nKfffn+JqEJSlF1WjyMABeLedC

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	bdg3364.tmp

Executes dropped EXE 2 IoCs

pid	Process
736	bdg3364.tmp
1648	hao123.1.0.0.1106.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/952-0-0x0000000000400000-0x000000000050B000-memory.dmp	upx
behavioral2/memory/952-12-0x0000000000400000-0x000000000050B000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bdg3364.tmp

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	hao123.1.0.0.1106.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	hao123.1.0.0.1106.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	bdg3364.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	bdg3364.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	bdg3364.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	hao123.1.0.0.1106.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
736	bdg3364.tmp
736	bdg3364.tmp
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
736	bdg3364.tmp
736	bdg3364.tmp
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
2820	msedge.exe
2820	msedge.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
2040	msedge.exe
2040	msedge.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1648	hao123.1.0.0.1106.exe
1716	identity_helper.exe
1716	identity_helper.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 736	952	7b33846484569ea996296c2bcb9505b7_JaffaCakes118.exe	81
PID 952 wrote to memory of 736	952	7b33846484569ea996296c2bcb9505b7_JaffaCakes118.exe	81
PID 952 wrote to memory of 736	952	7b33846484569ea996296c2bcb9505b7_JaffaCakes118.exe	81
PID 736 wrote to memory of 1648	736	bdg3364.tmp	82
PID 736 wrote to memory of 1648	736	bdg3364.tmp	82
PID 736 wrote to memory of 1648	736	bdg3364.tmp	82
PID 1648 wrote to memory of 2040	1648	hao123.1.0.0.1106.exe	84
PID 1648 wrote to memory of 2040	1648	hao123.1.0.0.1106.exe	84
PID 2040 wrote to memory of 1128	2040	msedge.exe	86
PID 2040 wrote to memory of 1128	2040	msedge.exe	86
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 3440	2040	msedge.exe	88
PID 2040 wrote to memory of 2820	2040	msedge.exe	89
PID 2040 wrote to memory of 2820	2040	msedge.exe	89
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90
PID 2040 wrote to memory of 2280	2040	msedge.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\7b33846484569ea996296c2bcb9505b7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7b33846484569ea996296c2bcb9505b7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\bdg3364.tmp
    -install
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1106.exe
      "C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1106.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tw.hao123.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
        6⤵
        
        PID:1128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:3440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        
        PID:3108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
        6⤵
        
        PID:3196
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
        6⤵
        
        PID:2904
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
        6⤵
        
        PID:1296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
        6⤵
        
        PID:3232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
        6⤵
        
        PID:3364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
        6⤵
        
        PID:5124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
        6⤵
        
        PID:5240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        6⤵
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14963975215976531596,4767669113762194170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3720 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_CEF628ACFBFEA6E54853F1D16F4B912D

Filesize
1KB

MD5
fc968f6463051d31ecf9d5a1765c51a0

SHA1
a87a531e951bf4bd0039731178ad31d1a52cbff9

SHA256
66952ac43915eeb47e45e42cf3fd902ad5e0b3dafea7b20ae254c0790b374844

SHA512
859c6e4054fb19b73e172ed7ae7eab5e50ca50962d500f7a06feb2a7f09fd03458a3be2b55baf302a3c276371b1ad53fb94cfcc0cad747bcb5202b488b231987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_CEF628ACFBFEA6E54853F1D16F4B912D

Filesize
412B

MD5
31557ebeaec07493dabdc3206877606c

SHA1
e4701e73948636e1d0b0f95d78fbed09fb2675d4

SHA256
db895191bbce6c82bdee7473d9c5b24037921eb20b27d43d5f22b1cc07cc7561

SHA512
c979aafdec03b68df0888b72ab722bef69b1d4b779ff46230976c9210065108891371722e997b429fda0ac91fa3e936cf3e411dbf9bdf9bddf68293ac7265047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
29b73f470b90b9d9dcb3c6159f5e5ab3

SHA1
df64e7dd6229db70adc8cd930f41209f57d91296

SHA256
8273090a4ee5daaa95f6daad6380d7dcd36e36ae048d33e7b2005975887dc0fd

SHA512
08a807524aace7398cb708667c3e4ad688fa9403d6c901acf6cfa27db3dbd074b886c2ac272d95fa9e27ea817208997481582fe9fed60f129b89e412135fd9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4cacd29373cc9fcd10090c49b1344074

SHA1
04d68537b8717e850659962c7be7ae709aa6a418

SHA256
a265419c602098ed11b1957e9ad5473413e12496bad85883251390808cc195ab

SHA512
02615629efbc95478d819e790608b57981f129e8b03d8ff37efa48baa17956fe1fdc302e1fceaa7ee1a29f557c80c82776f2bcdaf3eb8bb85f97c908ef5bf08c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b5fd1872d0a3278be004b7882c0464bd

SHA1
51d1c426f3fc8a2ce3025479d4eca5b13d2f8fab

SHA256
ba4cd5fde4a3f1da1c940dd0a626a878b958b7c2ccc06c58666ba5752f0da225

SHA512
2b2f943b5056f242400c4ecbf350b737a5caf89ecfedd3fca62d3ee15bce7d3453b216100318a6ade647ab8f64431cd3c593acf2fe94b0e482ed1ff2f2793adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
12b2c00bfb873a84de0a4e9f765b817b

SHA1
3def6f35fb8f89a18ad747e2c59f7606315b92d0

SHA256
43e0b5f215ae465bb9e7b12727b2f1bb3e2d8ada823e60b18d101ffc584dc71d

SHA512
8c86794b7794cb56982867fbade7d6e8faa43498a8acbf73c0c6541df88cc8a600de870310707d260f34226501561cb8f67f78c9103d60fa0a3aea415a0c7ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
afd3dcf5bd63c656ae2cc859959f09de

SHA1
b7940b48cff5d46ac343b89e6ff03b99625d82e2

SHA256
00b98b8a36b0dbec5671600a88f1d8e69ebd72e8c4ae481f1c8198d26236a848

SHA512
01de7d6860464225bf8ef301ed0f57bbd7dca3765315bcec09db83f5d6f69fe92c6fe83590e08c7fe6f83fe22b82210f3fd1f88ec023ee1026f2bee6216ff09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45a68f87ef1ee193b135e59f931654fe

SHA1
6d3103ec4cb8a87bd7e2056a2a5b52325db1a7cf

SHA256
06961dab32113effe4bec56a970c4f5e35e50847ee54fa7aa51ec14da4a45e3b

SHA512
23634223790c857b66fb8878fab946ec5c645ed2c920f944499ccd6ce76b3b418093297f4a81351afce29ebd0de9fbd4c90c474ab54d5c99a00a4d943ae33d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdg3364.tmp

Filesize
561KB

MD5
8b37c90c7ec4256b2d585c516b3afea7

SHA1
4ef5189aaebd35549d23a08a1b25b8710f28c8d0

SHA256
b57d6f8d605fec76a89b45e1fd81210ce4d23c584951317940741152528a3dee

SHA512
a1cd9876c79835880e69fb0a510f118cd553104eacc1cd9ef0866c8d10b6adeff680cfb673e1e2191bd4997cf2f2b09807e373ddafe956ea5aabdf1ed0227bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hao123Config.xml

Filesize
308B

MD5
93edf8f0d6d749a6c877a67a024f3eb2

SHA1
ae997b6bda0799f57f3c28f059e6cbbc4f8745f0

SHA256
fd8cf5dc428e1e9fec670d604c5dba51e4ff8dbe705eb55125299617794d6f52

SHA512
008a297c0d6b1fdbb119bcf02cb8a173054705fb074c0c19947f96b7c49412bebbfaeba8d0b2927c8b77af7d3d110fc10ffdaedad35a304b10592d96c36d27d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hao123.lnk

Filesize
1KB

MD5
32217959aab32f6fbc4f4a2c7519f4c7

SHA1
f8b29e4c4d40b107862cd3bc69ff6c27ce39773c

SHA256
3b4c35faf281c5bd0623de3d210dec2af5e70487624b1d16718bb8d0c94dcd53

SHA512
44488223c93aeb1cec7949817958fa34e8b2f04411d281d4fd82ac580f55a8a706afffe0ada51beaa3951f32fc84ed9e772d114acfee221f9556770c95ffea41

Download Submit
C:\Users\Admin\Desktop\Hao123.lnk

Filesize
1KB

MD5
d54af6124bec80ee2bd67718a01d2c0c

SHA1
0b5e58e69807eaa6d2f79e1a88a20676103e1a1f

SHA256
4eebf14955cfb967092485ec8bb8ec74c24dfbfc1c731e98e3abd50458704f62

SHA512
440901b79a7e52a088900fff1af3f816599eb7069180fc73d5ff641b49e4b61feef3bd9a549fd53ddb426dbcea7142447bdaf6861823bc26fd3bcd1a831d6e76

Download Submit
memory/736-117-0x0000000075980000-0x0000000075B20000-memory.dmp

Filesize
1.6MB

Download
memory/736-14-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/736-195-0x0000000075980000-0x0000000075B20000-memory.dmp

Filesize
1.6MB

Download
memory/952-0-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/952-12-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1648-81-0x0000000075980000-0x0000000075B20000-memory.dmp

Filesize
1.6MB

Download