1570151349b2273b968614d21a43183f3a6558353c8ed1fe27e431ecc7cc3965

Analysis

max time kernel
111s
max time network
135s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
Size

2.9MB
MD5

7121af4236f94e40a70dee7cd3cfd537
SHA1

27d79123c5721a744c857016771abae19ad5d84b
SHA256

1570151349b2273b968614d21a43183f3a6558353c8ed1fe27e431ecc7cc3965
SHA512

28a1dad5730340ce649e4ee2e48c12ee17242b59c105f72afe7b1276e4e3f59546be67349405cb5d756ebf88ae90ec5b66198ad1f0239783130fafc6836bc3e7
SSDEEP

49152:nffy4NwrQp0naXxl9LC2v2UZGglza0ZWIt2ZQUhu6awTMiC5jiteK4sYD1BIBD8:nffy/nM9LCC2Uf3xhn6bTMiC5WtEtBug

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2844	百度工具条.exe
2948	hahagamesss3.exe
2200	hahagamesss3.tmp

Loads dropped DLL 3 IoCs

pid	Process
2948	hahagamesss3.exe
2200	hahagamesss3.tmp
2200	hahagamesss3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	百度工具条.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hahagamesss3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hahagamesss3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\520560.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.520560.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\520560.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101ae1fdd1deda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27B5A091-4AC5-11EF-826E-EEF6AC92610E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.520560.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\520560.com\Total = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000ce327f5fe1528f9134a3f248c3dece81e234efabe8ed44841aa97506267e74ad000000000e8000000002000020000000c2d37916de15be8641c4d70cc00462585729f2d347190d9a6e5d6e8a1fb9c763200000008f9c86edea00dc9e92adb402bc3ffc70808e946ac65410ff4ea14989ebc7f4c8400000003026bf671585f7c4de9e83af35826690826c487601299970ee42a84c17e04253e84bf5465e279f99237889b70ab5923e7361a1022d7041c6b72634fc9f3a7c28	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000001897bbbf07662b42ed7764d0377502f1e242817ee81f64c11f403c9e5d5b0be2000000000e80000000020000200000007f98d7f54549f082fb6a2d3b32de18216a936a7a710c17a32945f4cca6b274cf9000000034883a01e84848481a9082476b255234b883af01b88a626d029000af4590d6b906483526cb916aac63a66f2ac57478967681e8fccf36d48137b57855688f1799b723e2058f4df3bc7ec4624986eb7b2aa31bb16c3a12930db66ef71c7e0dd11fc3fc0744f816a368f75343e60c22060a38b09e80dc84a22ac9d22736b3686fe65bbe871dfec6309256414b2fe72c6930400000007103758e867a43185466802f90890786bbcdf81b53d3b9d8dc946b57bc49bb5c3c81e3e30fc2e92d0b35849a943dc27ff20f1b3e7d14d87f417e2c404e189c48	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428101478"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27B33F31-4AC5-11EF-826E-EEF6AC92610E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
2848	iexplore.exe
2836	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2848	iexplore.exe
2848	iexplore.exe
2836	iexplore.exe
2836	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2844	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2948	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2948	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2948	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2948	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2848	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	32
PID 2052 wrote to memory of 2848	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	32
PID 2052 wrote to memory of 2848	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	32
PID 2052 wrote to memory of 2848	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	32
PID 2052 wrote to memory of 2836	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	33
PID 2052 wrote to memory of 2836	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	33
PID 2052 wrote to memory of 2836	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	33
PID 2052 wrote to memory of 2836	2052	7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe	33
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2948 wrote to memory of 2200	2948	hahagamesss3.exe	34
PID 2848 wrote to memory of 2728	2848	iexplore.exe	35
PID 2848 wrote to memory of 2728	2848	iexplore.exe	35
PID 2848 wrote to memory of 2728	2848	iexplore.exe	35
PID 2848 wrote to memory of 2728	2848	iexplore.exe	35
PID 2836 wrote to memory of 2512	2836	iexplore.exe	36
PID 2836 wrote to memory of 2512	2836	iexplore.exe	36
PID 2836 wrote to memory of 2512	2836	iexplore.exe	36
PID 2836 wrote to memory of 2512	2836	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7121af4236f94e40a70dee7cd3cfd537_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\百度工具条.exe
  C:\百度工具条.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\hahagamesss3.exe
  C:\hahagamesss3.exe /sp- /silent /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\is-85GC4.tmp\hahagamesss3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-85GC4.tmp\hahagamesss3.tmp" /SL5="$60158,1630073,72704,C:\hahagamesss3.exe" /sp- /silent /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2200
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.520560.com
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2728
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?77di
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d4f1d716dfcf06b8b16a664c1f5d227

SHA1
e6fb469424a4699822e7f9804fdd170edada17f7

SHA256
b3bb217e9c53bc83d991409c0623af40dd8720c2bd376229707897b5422b056e

SHA512
7976daae654c3d87cae77c010bdcfe21a6ec301275c627f782a9d38f1db149ee025a08a4bfac77ff78d44b56cedfcc1b43907971cb7e1df7da3a7c3c81030f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e0bb3bfdd00b9139c6ac1c893f17a1

SHA1
d806b53fcdcd3bd8a53720fa8e4cdae67f00791d

SHA256
6f704287228a69e4450d48aa966daa448a0e5a7c0118e4b8cd37343b3c972758

SHA512
5e2ad55657da3f3812aeb354ea7681b8958d96b5be3c2fdf47f5483b2eda22a1d33e970d8f1f8f463f56f3647a81b9f84392a7b08c313f35e7c12d2b90b14356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa94381b11fd08eb482b8edaf8e3cf8d

SHA1
50297d143c49faf3907fc2f0a2d39c8e8db47755

SHA256
35bb46c4e43c995cf2dd0bd0931ccce85d4d56c3c134157cc7223735ba2e86f4

SHA512
eeaedcc2730fc858e20c0b703c5bc2161dd48da68159bc24929c2df3afcd2dadd35400f13a82e42dea2de899c73c0e871621c0f52cee65d8dca679812317ce9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abe1d37a4f648fe237aa4feb24494775

SHA1
878efa79be733bfd7f8f21da6add2dc8e429e85d

SHA256
623b3bb30ffabf087dbf02326d0d58cd39cc3b87e7a1ee2d29ea02a01fb08b18

SHA512
7ac5fc9478704f1ba65af0e96e1cff2a8c8c2b9aa52249ef69b91df5da12cf4644d87194b28364e4e02df305b9c750368abc0b551f6bc4266180dfaf3113d53b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b3edb6be5054e833e781fcd7923b74

SHA1
21dae3d4716246acee0dde22088dbd22bc5521ab

SHA256
ab4ab6bd06b21d3c3bb2675828625ed2404a79e71f3ff9244ae01c55a5e0c17a

SHA512
2922eb3ed80a06ae8633fb499ac51ce7e48809fc082cc335cdde4da01941dfdf8855673fe8a45ff7642d7107e54e41f1e0deb377f74c30121fd010d9a8c33f04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce36dd3bd0a848f6f21b3094f5035fe

SHA1
2e89829176b6204bfb36e53f2fdfadbd25fe3048

SHA256
7df2da1c02bd1695a34ae7df5e48b0f57f735d983be1742f733961d0c0c1094e

SHA512
0d7be91961dc6b3d8e2dfd5fa522e18a9742738c130fde5245298c63c328a3985d62612bc28177dd9bf1992d2680d932464f9c0432bbd58ec017a24d4e36301c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69d901f6cbc1a39137023d3ff6d13468

SHA1
a30a34bc3224808e02f2bfebafaec904bbb16640

SHA256
3ee829f684966ccf36602f03714528c6248052d003d0183cb6822239f6013a9b

SHA512
01b7e51c8441a485bbb663b60e795b4a9e7a0cc666aa05e62c53db0bfb07351e837ca2cf9d3bd9d6b43441c1acd450abf9507919aaffee7263fe5dfae22adddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
217df088d671af5f86d93c7c5f0f0e18

SHA1
bd32a9e06742a8375bdda81bdea61cc8e6992b47

SHA256
85bd375d27d0b4ac7e9fdb65516f7801d830326c612b2234d6d6f1746df37c35

SHA512
ef46e2459f3e5c4fc154e1a24f06b81d571d1a40d8bc6f24c4135e04cf8be093eeddab0f4d2db083fee2c21aef06d2c9967cd8ccefa4ff545c566816df64d77b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c59d824d0badfe3963fdc0bf3ba111f8

SHA1
1db360100451c987e50e817e7af80bf4e96b0c5b

SHA256
d755ae12e26d994070e24bb8bb3c33db9faa0995879f8c13508f0a833594855a

SHA512
c3c3257ecf13082bcbf42c478132eec8350903006d1a6618b73c0933b0f23d147004013f8ded0ca21ef484e2140dc37af313a71a14e480cdf35e0c2f2ec6a6e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
892b9554ddd3c16340d02831250211de

SHA1
9d4c1987128362995c651111ddb897678faaf400

SHA256
dc5c410c7795c9bc56d23c430c408b5d6e7a7d78daf756a9d9ea0c66b659d253

SHA512
4024b695cb15377484e87e33f02420b886fd19d7480497f0c9f233d8db6f6cbc647d73bc28f7308ae5728bbacca85b18db1f31507ab5ca1065af126e0fe7c814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7a3b1100a7a21ef77a87d10d0f2c9c

SHA1
21dd7dc4c90338d3fc51b6de407888697ccc54bd

SHA256
6dc168269605a155371453340aaef96f01bfeaa7e86387d73c3da2a61a9e8cab

SHA512
2f8b586d577e48d5b95037f93ce5687b939598b11b425e057e0fa7e5eb3675437bed49edeb73f509845b0aa3537d2a7652dcc9305eb963e79b2a99a3bd623592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bce5440182371e74144f17576d74da7b

SHA1
873286c488f0a444aef8722af335c4d60e90586f

SHA256
60bac3fb092ade70afdf81824b38b2f0d41f1896ceb7a824997afb03f5254ed9

SHA512
1bc95bb123faeff96e0645d150f5f5061c60d50afb1a0ac7d283d73fa1de2eaa442ccc1b5571d3e009bf5bc1eec4fa7e1994b0cc9acc25fdc2f8c6f6dcbf9928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52fe6bf9e6e216b0356d2f1776059f0e

SHA1
28f492728956629605f59439bc48cee49330a874

SHA256
dc11192ed6f95fcdf4ff74b5d8bcbff50f4b70c60c30d17d617465be355cdb91

SHA512
9610bd103a404d9c4ecf368dc8de230cffbdd8be5fbe1f71c6f5c0d0e1587291f46441a4719b80117c7257159490be1a1baf26bc1488f3cec885d040214d7849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fd3538de16258c98e01d5ff16eecccd

SHA1
bac3b7237695bc26277523c9e24c834171195018

SHA256
5d47b7c987bf161325bfeffe4422a6b855415606b0026475371e7b8b68fa1bad

SHA512
f1c31624cba2d654153f200b3f3fda8de3ece04aef9bc875e6cefcf2803cd2b3f2e67e4c4994b4be276f9070acf1e9297493d800c4e51157db1669e9d22d6dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6a6bff7f60edb68fdc90fda53cc3af5

SHA1
932016735adf625ae06c5dd76b56d715c77d1139

SHA256
11bedcfcad580985c1b5f4acb06dc8c661929f6de91d0ff213373d6cc19acde1

SHA512
d96ef80472e7660c01b0d3d796f2209a58ab3ddd10b8609ee522cb6de6bed3dfbc69bc520c04d804c662f9ceecdcadc4065e605b53ab76fed511ac7174e4bbe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
938f22dfa89b18dde3401be12adde9ce

SHA1
19638177d15f5056af034e56355ac0b040a7bda5

SHA256
523c682db7de3c31489694f8661eaf2aca5aa66d5af3ef65486f05caf0b9c745

SHA512
0cb1030b4267f5478919a723483a51b074288d4965596091077f12a4bdbc33f2066734056f81fc6e520452e3a897c9c4064329ba5e9d38614de9e6889cd71a8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4701af5e02c4635397516eb2faeb4f3e

SHA1
d0f75e11385f54981d1f49881bb6d99f93c2dc29

SHA256
d45355b8f485eef84a35607a72b3c81f036b142c5b053254527c7d4df3414864

SHA512
70b2d9eb52cee658988591270b2d1cc37fdd14dd5e2285b26ba0b4f0cbe4318dd5e89973f252eab30691fb8dfab00c7ee572f9ab3053a3b7fe531772e52239c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c16ce1ef8a2d4498b68635a89e3eec50

SHA1
fc2656a4bc5a044e05ec45bf9af938cb007b4265

SHA256
cc7f3dbb104eed7d5c386e64c58576226f1161aedb0ad0c4726c3c9e5f42f4c5

SHA512
31a7658dbe641d826b701308bc8c1025b58ad4fb22dae98cd9e24ce77dbade1b0c79ad19f73a885746788723dab3ae37e89cfd33ab0e3cde7e168dd157000f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2165c63ed6107de16608782ef3be2bc1

SHA1
d4c6442983bc7e31edce3e0858bbe27a5ae16dbc

SHA256
9927bde4986efd9305b4e9797954b614bb7e46e203ae1e4c581d2e27787e39ef

SHA512
76f80f0584578bf9cc0ebc61c7162cdc6cb6061952ffd83233fec4c15409e70b82cef41aa9e9c4ac5ce92806781c8a36da309a7609ca90a4987501700f658822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27B33F31-4AC5-11EF-826E-EEF6AC92610E}.dat

Filesize
5KB

MD5
143e538b845a9e1c9272433f0b8ea5cb

SHA1
e1dd15e7d2b1664aaead44da00f4857594307d9e

SHA256
ece8023415651ec654295f0b9d0b7d1ddfb5758b1d496f4deff7f785bb223b4f

SHA512
0b614fbdb8ecd6923e8f45b335cfe3b6333f8af23865ebc0419d2620d7f0f83572909d31fb2e8b812221c00bfe0477b0d8578ea387dbced37856d75690cb350b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA306.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA367.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\hahagamesss3.exe

Filesize
1.8MB

MD5
d20046cbc55e12245f16cc1840c93aa5

SHA1
2bebbad38f542b25abc7a5eb006d4455db857459

SHA256
2761606c12787bac5841d5a8c1a472a09727b0a9386e68ccb4445a622588bfec

SHA512
0af332749c9b848b9a6fc1918b007bef031a94458185b36adfdb4205e3348ed39b94538e99f24d3be94870f5868283d66c9f01eb1fdaba6f92f270650aa4383a

Download Submit
C:\百度工具条.exe

Filesize
565KB

MD5
a7fe02de9f892a9043e1bb4a0ea2715e

SHA1
d84c05fa7c324183c45ad2d8ebae556010ee91af

SHA256
d3f2c383616002b4126caf9bb05c1a903745bd6f43a9c94e5d6220a800b9700f

SHA512
32917a5576a0512fb3b0b67ae7a0d796ec46dd3e36d5bc59e8187c199bc8f755e4e98b0b600d24f1cc8fe59623c0e49e86098e8dd38c731a60fa8c6d966b2858

Download Submit
\Users\Admin\AppData\Local\Temp\is-85GC4.tmp\hahagamesss3.tmp

Filesize
682KB

MD5
d0699dfc3ff2c8980f167c7ab586dfcc

SHA1
c3f4aa0a542c01a0251782e48b313cbb7c5941a7

SHA256
52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

SHA512
ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

Download Submit
\Users\Admin\AppData\Local\Temp\is-ID0UN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2200-95-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2948-24-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2948-20-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2948-96-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download