f585497e50ac7c9475b84bd24508543e444cb2750d2c005998c2449faf60dc57

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
Size

1.7MB
MD5

96f072ac61bf3aa1033fcb9896570a37
SHA1

b19ce11bd258b20e3e30251e0b2b2043c63ceade
SHA256

f585497e50ac7c9475b84bd24508543e444cb2750d2c005998c2449faf60dc57
SHA512

232611fe2f0b29cfbf35145daa223337b7f5c5b68386a04ff506e8f97f8c4bf7b6ab1b2f7c2031e683873617e12d45010ca15298b2573d36a67a5a5d1647cd24
SSDEEP

24576:NZFJ9rgtsc/dHSbCBRMQsufpyk2KN2r0MK0mWzSyCVD58/VA/zn:NE/qcMghyNxmKGASn

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cd82326deeda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F8D82C1-5A60-11EF-A429-7A64CBF9805C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000aa0ce5ea4023071f982fef6eae4e63ddf8a1b77a9dccb27c43fb426dee2e99f1000000000e80000000020000200000008b77c30d14b3b8c59847a7d6b1ea7bf4b354c771dbbba2bb271487397c2e714e90000000d4e11228d3644767fc53fc4b4862857764b25e683172ab60b8f4731bb95abddd8a7719fc89e49471d362ff51e63063f472f30318639565accb57bf2ff6dae38ecb36e32c538b7ecc5540636483de55b580743c67288b7fb329b743ea063a48b3654e1539c8c8acace2c8d89993cb5fd8cac06216951bb3354946ff9222ed6e2f98703f30f1eb478fb4c5da13043dcb5040000000116a799ee429f521b750f4b82ab285cf46a85d75b1cf0ff09a6dcad04f78e3a3a57b1ba4359085a86ff7c5dff2b67d6ed8da1a893404eccf9ea00380092184c8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F8FE421-5A60-11EF-A429-7A64CBF9805C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000a813afd418d0b329d357bd15f9dc44aff2c013ff11881015c6b29cc576398630000000000e80000000020000200000002d0c0262bebb72f94c885f8baa445f49d6d278883c9b145c895037fae9c4d5d6200000005dbb32e4e78808604cb0153b244831b0bae1841e5689162d9398bc6e730b6abd400000005424befc12da5a1904a244464b232937cc016b26d001004f08967cfba3f310527daab720080eeb741180284d7e4b104a7ee4e276bd4b7ae89fa41bbd7e436654	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429817437"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2212	iexplore.exe
2232	iexplore.exe
2212	iexplore.exe
2212	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
2212	iexplore.exe
2212	iexplore.exe
2232	iexplore.exe
2232	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
3032	IEXPLORE.EXE
3032	IEXPLORE.EXE
2212	iexplore.exe
2212	iexplore.exe
2212	iexplore.exe
2212	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2212	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2212	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2212	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2212	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2232	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	31
PID 1520 wrote to memory of 2232	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	31
PID 1520 wrote to memory of 2232	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	31
PID 1520 wrote to memory of 2232	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2812	2212	iexplore.exe	32
PID 2212 wrote to memory of 2812	2212	iexplore.exe	32
PID 2212 wrote to memory of 2812	2212	iexplore.exe	32
PID 2212 wrote to memory of 2812	2212	iexplore.exe	32
PID 2232 wrote to memory of 3032	2232	iexplore.exe	33
PID 2232 wrote to memory of 3032	2232	iexplore.exe	33
PID 2232 wrote to memory of 3032	2232	iexplore.exe	33
PID 2232 wrote to memory of 3032	2232	iexplore.exe	33
PID 1520 wrote to memory of 2280	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	34
PID 1520 wrote to memory of 2280	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	34
PID 1520 wrote to memory of 2280	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	34
PID 1520 wrote to memory of 2280	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	34
PID 1520 wrote to memory of 1104	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	35
PID 1520 wrote to memory of 1104	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	35
PID 1520 wrote to memory of 1104	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	35
PID 1520 wrote to memory of 1104	1520	96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe	35
PID 2212 wrote to memory of 1968	2212	iexplore.exe	36
PID 2212 wrote to memory of 1968	2212	iexplore.exe	36
PID 2212 wrote to memory of 1968	2212	iexplore.exe	36
PID 2212 wrote to memory of 1968	2212	iexplore.exe	36
PID 2212 wrote to memory of 1492	2212	iexplore.exe	37
PID 2212 wrote to memory of 1492	2212	iexplore.exe	37
PID 2212 wrote to memory of 1492	2212	iexplore.exe	37
PID 2212 wrote to memory of 1492	2212	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96f072ac61bf3aa1033fcb9896570a37_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cssyouxi.com/iclk/?zoneid=99&uid=151
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2812
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:5518337 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:6108161 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1492
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cssyouxi.com/iclk/?zoneid=101&uid=151
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3032
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.9dcpm.com/union.html?P=3770&m=0
  2⤵
  PID:2280
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://822210.9lwan.com/cj/direct/628147.html
  2⤵
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0095EFBEC33BB99C8B0924859C835250

Filesize
504B

MD5
db8bd396b13476175fd8df00375eeade

SHA1
2b1e2aba16bd7b009a3d0daf96fc442665f5100e

SHA256
2689a8ed23c4c3e4c57900117ee51288d20d94d5dd8b8b0ffdd31baecedf6acc

SHA512
26624a1183891c3ea3ea7f7f1e92093d62907be16f2443e5fc3c8cbebbedd0a2696775025c5963907e2904bf8d3140361f1fa1e1ef60d7764984410a132cac7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0095EFBEC33BB99C8B0924859C835250

Filesize
546B

MD5
1783683f6ceca71c462fdd9f0bebf5c5

SHA1
29d4cf6eea16dbd3ff4b9d57b4636e73424bb57f

SHA256
ad945d122a399e91d4f06f22506e300b3b067fe0c3ec8e8b715aff8779dcefff

SHA512
37046009a5fe3f7831e3d7569d0d6fe2b1febb8491a6c9f15651a11c673835990366c57256c81c5fcc6bbd43c19327ed82fda3dc9d5d59df5de16ca7508a6dc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f246f9862357e12710917f75b867565

SHA1
b8d18b8255adda52aa96d98f9f78193a3676e54e

SHA256
e79b4dff8335c1380df0d35a873df24277fe18697537b052097765a4c95d155c

SHA512
956e64d31a9a49bfb349cefcf9a7619e6f5d5ca9668923e887c59f37ef776c0b6e61a4b8993a6ffb6382c3a802a36e9d6055f8ba4ddf2f2082aa15dc770c0373

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
146eb79d5bc3393b17ad5adb060d6de3

SHA1
59e03060b94795a2afb908fde7575a58901003c1

SHA256
63b8b4ed729d5103287e1c8c91dcf38e1a04bb5ee1e52aa6d85a167a8b60e583

SHA512
a4380c5e9f71e65eff8af7a58215732dfc71d2ddff08c298768b3aa7ddefe055a8fa0a3e8abe1da9f06d2c24875be2824a8e5938c54769edc1168d31068f6fa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c71f1cb719b035603aaa5a798121446

SHA1
052a36499accf8f64dbaa439ea507145a9ec002d

SHA256
c7135e32c1fd08614d27a4042ea2d0504c71eb252c9661165bbc7e3abdfeb5fd

SHA512
4f25be29d1add051659c481e0d548246053c7527ef11dbdf2ae2c15123ee98872886b7e2468a32b5eb438dd59d566ecc54b0f336d5842c7f3678aa1db82fdff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fece36eb6d19eb0ba4d97e661ea1a2c1

SHA1
e4e6df5568ce4e895129d329345b606323a2f261

SHA256
023a54a4e1e8df6d8ff9e620398926b299f285ea0282fdfb310be72a6133732f

SHA512
8ba28eb9d99db91f03a03b215d7dcac0ea05f889ff8928639ab766c43f4e888389265aa41766703d143e9a904a52c5ba56d205cf3dc87e07457e6b296ac46a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a43eba6a130a33c91479fc14e1d86ae8

SHA1
d1e61c7acc27ee793f872a6e6088d15e207ce182

SHA256
07b18d3f3aa41df9dd4666b86bfc41b321783d0ddd0ddee2b1b096c4f212a5b6

SHA512
8d2ce26028a0a1dbc98816f28946f5472181db10ce6d374d853c7e2840d009cc4dac1673688c4b720afe193b7d64b17bee2287fd1090f2c33155cfdf64c20f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07443bdd1bb6e58b4f487597940d32a6

SHA1
54d1f7c431745978343c520a12b4905da30cd26e

SHA256
6da5d6145d020536fee55a3a06c73236fa05e40287fce559bdb80dc4e5d9eb31

SHA512
c9a6034ba956550114ca4bf3a83315e120852b2c67a99866dfb5960b8a6f3e49fa05d33a747e885f9e88df33eda69be7cd0cfa9f5986d1332f2e5a41af2e163f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3ee33993ed21c6293c5e768a111788d

SHA1
48830b587523aa389bcaa5d91f4c6c1078f8f2d1

SHA256
80fc8518e30fdd9f72cef88cd24c192910108c38fd2f989a9c79b048e146d080

SHA512
9472a0dbc0fe794d602399cb23a9080ea794be9c1f4909ba46b7961de533345f2337dd65f8221c50c616d3a9666df671e7ea2ea84914344be215c013ad23f3d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4ad67a19216b8bc7b2f5813f3e6f577

SHA1
56049b7f76fa79137c8219cf7165418b573f01d7

SHA256
094d891f7af54d232c84dc4474acfb2c183ae15872ddeae24eef62e2c2589184

SHA512
9ecf7ba566c7bcf981c0c46c40ce845b6a3a7a3a797e588a84ae305dd55ba048b800888e0187bf0f578232ce59a4605cc7146de241adb651c9441af68ec6be07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c64a00e43397c640609fa2bc46206cf

SHA1
15bb2af1b8a34b97652675973681c7e7f520cc0a

SHA256
28eaf7711b8b9d8d4261a9020482d352999700afd67ae81561c4df809439fdbb

SHA512
c23aeeff56b529c6b627e1d5cb58a6c563699625f08b53c3d82effc60da43d6951acc8fee25f0ff8955d75d0e3159c370735170599fa1c28625c963395b9f61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcbb4d86bbc2f5608ea08ddc2853733f

SHA1
02a47d2533e2dd765fae144be62786b03fa032a0

SHA256
bf58db26aedf9f1812fd052f6b611f660d233c146cc8e5e945e812b5e1fc77cd

SHA512
c4608a6f9ee2a7f8ad7d1b9d7bbb60e99acba9137303cb5038d9e8732cc8ed40742e496ffcebdb958aabc9ad9004349c16bbf6ea2fca459a33009ede50fb9649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad113f1e50d689f8e8025855953f15b9

SHA1
cdc9fc097f849c829f48fb52ea6e4456c24cb3da

SHA256
b05a85ddf11f44a23796de82f3f68cb173186a13241ee3f0e35d037eb992017e

SHA512
44c77ca534f1141a6d2c0da878522892d23a6af656dcc492546f3ca2b796fa30831af07273eeb6e52e86d4a24ac5df2c90dc35e6eb11bc8aed1a9dbc236b241a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
911b25aee727e21c9b37919547c5ad0b

SHA1
a6346963d5d402bb9febcbc61451f9708465d1ce

SHA256
410a49436196815c14c135273f9de20bdbdf1f5b2b98c123be87a1276d275cdf

SHA512
527f5906cf52c618c3f7872941ffd596799f45e48bde730c1001838521501672dba04f9b8cca5ddc39e1bea779d34bf7de641846fedb99db941f1dbdb2753926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d35c09e0a68640789c897957fafdd1e5

SHA1
d7ec20866dc3f8991fb866ef0007b2e77899b4c9

SHA256
250d5972c5e80e161faa4363bc3dbb429e59f9e570fc14cbaf9b68611a6df724

SHA512
9e584b4d4e792fb5a60c5057031e7eb120c3de270256e217990ee4679cfbc28d564f6ceb53758e28ab46785669655c3e7b46a14208c3898d2c77082711cd6802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a11c5143daf6d04342b64ef1352139af

SHA1
182e84854eb7d5deb25d52e6f2bc3aa923991f79

SHA256
33059375c52c663bd19214ffd0206fb65c9e7e0912eed5b366067632c061fdca

SHA512
ae7c113301d179c3c9fb01c0b84ae91bdfdc3b16e181d3f89a3eea78b182f9db9fc0998f0716dd55272e66d6193c432b699ab88a98ea4eee9dc6e27adbc8fb6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52e4005a41e0ea96fbf314a582c35c3

SHA1
e968042acc42ec464a4ded43cb194f3b83941bc2

SHA256
6079704883243498e3dbd0f56d28af022299c5ee4f74d849e8d141c751901485

SHA512
404c1acefdf0fcfae5c8e6c42bae9a74b8b3a4332bd0689306b8aee08d2b1584bcccf217c671cf1d12190dbe90d5aad1db2aea5a5db863327fa452bf52218abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73f9258ec67283e8a5b44ca4536d3e61

SHA1
4a2845dc69bce8fe8efa36c1ba91eceb7e380309

SHA256
f6896e4d1ed9656ce164dfd4a7be098f968488fcc00ec8b82e7951d43b426fa0

SHA512
99a8b06fd2957d4de78f3c925d513d06db617a73057603659ef94f1f00f263ee2956a88f047405129b4b41619dff1308307f0d0c120367c6f539f7f6310671a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12936c0b28b777447d920b63466de8a5

SHA1
a8eb9e835b0a85b63d1926b7df570f1c75715c5e

SHA256
544b385abc910637d694d25a826118cd16eebbbc0e9cd6c82d821573c5d52cb5

SHA512
26b3ae825faa5978f041689a28de0b2cb438bfc7f7c3076d190032e87ab146eb3e253efe10f416fc1ce3e19ea6c8dad6ea6167652f700b43fdc090d5dd28a74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a24938b9829a17c9c2376d422251ce3

SHA1
0e1f52c61989f482e1776a7bbecd88590d699396

SHA256
57531884df94398b8e69fcd320237563eaebea33ec6c8a9f506fda892bf431dc

SHA512
e28a203947046ea0b8509c7d5742d0340c37beb89def8430f59f862b985cb4f716241d8db33e1b564ca1a6132989633bc7303496ff81420cf2c1fd276a58741a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a4af545bab3dffa84e95d85039f078b

SHA1
2f62e6b03b6d8df940ab2678a1973fb6d63c9519

SHA256
509c0c3d9671cace9976986de2fefce99bfe3a241270fe43d41538c60ad8fb48

SHA512
64381020e2fc030bf165270f0a22525ba3a48bc0ae2433d7dec7108fcaea6e75b29d06b07bcbb6c9c267751c642d55d9584f8d8f5cf30236347d157e2e4c61a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58dbca3b0366d39944f72b60623d5157

SHA1
4c0293e7a36283fe116bd2098ca67b68df2fdd49

SHA256
aec912b9c7d13e897366635142fd9e5b26c4b3acd0404255c499bbef02e472c3

SHA512
33be1fd923f8a77287c37da1a3012b5d760f5f22c64776fc2acd96ccb63da0df45237727090ff3df665f62592d9808d3b13544de7e0a1f7fe6cdbcafe5e57fd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f46ec78688feeb83c5c647e44f910e

SHA1
f871ccba81c4853923de4b5c51bb911c25cf1b10

SHA256
cc60a7a129486b6e626e571669fd7c25555aa1b17ca3e0e3662eb3237be3853e

SHA512
d16d7435f0ff3ce861224edb649ca4bd52512266cb81390a0653fb84fc9c087152551b1d5496a8d07cf9da0ab35a27ae64dadc1d2c6b23073f234660f3261e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F8FE421-5A60-11EF-A429-7A64CBF9805C}.dat

Filesize
5KB

MD5
aef474588d064abacedeb52a03f77d73

SHA1
8410c20d0b6adeb85a29066ba0fe8df41c81a730

SHA256
5b85069f9acde795093c70e78c9a38bc2a553e246b0c9d9bcff2ef4ca553f96b

SHA512
7567017f8a567827c2d50a73b2836e1142de1fc9479b60a64dad5287a33da821b6cfec990cb751cf9fae0d1a24cb8c4a46e3dd831d7caac890a03e8afd146db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B420DKQ\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B420DKQ\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B420DKQ\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B420DKQ\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDDDRHWK\favicon[1].htm

Filesize
1KB

MD5
b7d240cd182deceace4e458357cf655a

SHA1
1b9cce8eea5bbeb65d28bb2ea69d2652a1bc72aa

SHA256
6b58adc1d7c843bc5e2d0c213dc0211c6952a717f349ecdbd3de162dcc1b4950

SHA512
f4880c3c5fde576400fbdcf377ce15f1f1435f1155ccf3baa4ceb1acfa413709816514a29361ea08af7ac86f26f08cba37cdf11992976a0f881cf340bc7d30d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar130.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit