f014a14f262504c75702269a589c852842da40d53a4ca47092b8bd89f2d2d50e

Analysis

max time kernel
148s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
Size

1.6MB
MD5

a9911a52e217f2bd431b4d7ad2369d7a
SHA1

ec32aa46b0d576d2aa4a59b7b068681eaa4624ae
SHA256

f014a14f262504c75702269a589c852842da40d53a4ca47092b8bd89f2d2d50e
SHA512

1f6026b6d4f5111ba9d6aa28eaf7b1cb24cda3831339efa475e13b475a33b811ce3f2ac06495ba6007009eb9eb86477bb8e4bac488454d845f82ffd20b6ee50d
SSDEEP

49152:ZgQ1kduvZ+WQ6iRMgi7ksi4MgKGOx7UiR6l:ZDjsvMosi4MgKz7Ql

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2420	wingames.exe
1228	setup1.exe
3564	setup1.tmp

Loads dropped DLL 7 IoCs

pid	Process
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
3668	rundll32.exe
3668	rundll32.exe
3668	rundll32.exe
2912	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd\ = "360°²È«ÎÀÊ¿"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd\ = "360°²È«ÎÀÊ¿"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\doifa.bat	rundll32.exe
File created	C:\Windows\SysWOW64\url.txt	rundll32.exe
File created	C:\Windows\SysWOW64\runfonce.bat	rundll32.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-5RI5C.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\SuperRepair.dll	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\taobao.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\unins000.dat	setup1.tmp
File created	C:\Program Files\Win32Games\baidu.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\dangdangwang.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\unins000.dat	setup1.tmp
File created	C:\Program Files\Win32Games\Config.ini	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\install.exe	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-5RI5C.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\shffolder.dll	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\Thumbs.db	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\url.txt	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\wingames.exe	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-7LIVJ.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\2xi.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\setup.bat	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\setup.exe	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\sysdkeys.dll	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\bb.tmp	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\bookmarks.dat	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\runbat.bat	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\Xianjian.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\zhuoyue.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-4QD9C.tmp	setup1.tmp
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-2CDPV.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\AddURL.bat	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\AddURL.dll	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
File created	C:\Program Files\Win32Games\jiuzhou.ico	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingames.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\SuperRepair.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\SuperRepair.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "SuperRepair.360SafeMode"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "SuperRepair.360SafeMode"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\ = "Safemon class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\ = "Safemon class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4812	rundll32.exe
4812	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2420	wingames.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2420	wingames.exe
2420	wingames.exe
2420	wingames.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2420	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	99
PID 4820 wrote to memory of 2420	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	99
PID 4820 wrote to memory of 2420	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	99
PID 4820 wrote to memory of 4176	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4176	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4176	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4444	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	103
PID 4820 wrote to memory of 4444	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	103
PID 4820 wrote to memory of 4444	4820	a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe	103
PID 4176 wrote to memory of 2064	4176	cmd.exe	105
PID 4176 wrote to memory of 2064	4176	cmd.exe	105
PID 4176 wrote to memory of 2064	4176	cmd.exe	105
PID 4444 wrote to memory of 4812	4444	cmd.exe	106
PID 4444 wrote to memory of 4812	4444	cmd.exe	106
PID 4444 wrote to memory of 4812	4444	cmd.exe	106
PID 4812 wrote to memory of 3484	4812	rundll32.exe	107
PID 4812 wrote to memory of 3484	4812	rundll32.exe	107
PID 4812 wrote to memory of 3484	4812	rundll32.exe	107
PID 4812 wrote to memory of 4484	4812	rundll32.exe	108
PID 4812 wrote to memory of 4484	4812	rundll32.exe	108
PID 4812 wrote to memory of 4484	4812	rundll32.exe	108
PID 3484 wrote to memory of 1228	3484	cmd.exe	111
PID 3484 wrote to memory of 1228	3484	cmd.exe	111
PID 3484 wrote to memory of 1228	3484	cmd.exe	111
PID 4484 wrote to memory of 3668	4484	cmd.exe	112
PID 4484 wrote to memory of 3668	4484	cmd.exe	112
PID 4484 wrote to memory of 3668	4484	cmd.exe	112
PID 1228 wrote to memory of 3564	1228	setup1.exe	113
PID 1228 wrote to memory of 3564	1228	setup1.exe	113
PID 1228 wrote to memory of 3564	1228	setup1.exe	113
PID 3668 wrote to memory of 1256	3668	rundll32.exe	114
PID 3668 wrote to memory of 1256	3668	rundll32.exe	114
PID 3668 wrote to memory of 1256	3668	rundll32.exe	114
PID 1256 wrote to memory of 4588	1256	cmd.exe	116
PID 1256 wrote to memory of 4588	1256	cmd.exe	116
PID 1256 wrote to memory of 4588	1256	cmd.exe	116
PID 3484 wrote to memory of 2912	3484	cmd.exe	117
PID 3484 wrote to memory of 2912	3484	cmd.exe	117
PID 3484 wrote to memory of 2912	3484	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9911a52e217f2bd431b4d7ad2369d7a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files\Win32Games\wingames.exe
  "C:\Program Files\Win32Games\wingames.exe" http://reg.2xi.com/cpt01
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\AddURL.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Program Files\WinGames\AddURL.dll" addurlp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\runbat.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Program Files\Win32Games\shffolder.dll" movefilesuper
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\setup.bat" /SILENT /SUPPRESSMSGBOXES"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Windows\SysWOW64\setup1.exe
        
        setup1.exe /SUPPRESSMSGBOXES /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\is-K1LH3.tmp\setup1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K1LH3.tmp\setup1.tmp" /SL5="$2015C,255549,51712,C:\Windows\SysWOW64\setup1.exe" /SUPPRESSMSGBOXES /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3564
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 "C:\Program Files\Win32Games\AddURL.dll" addurlp
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\doifa.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe "C:\Windows\system32\sysdkeys.dll" huise
        5⤵
        Checks computer location settings
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\openonepage.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.506520.net/cp.html" /f
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\FangBian.exe

Filesize
474KB

MD5
22ff50d409646fd09fd4a564f8fead16

SHA1
ac02f88f3d648bd31213b7985844f6af66b82e3a

SHA256
7333a2d4a52843642bbb4158d03502a205c14c2ff7857c17d7cbdd525ad7c918

SHA512
dfc73bc9ac62e2a98aac75e4b7830334f5493877241b2ca97801e2f56f2ec3af5d7346577a2f41536492f5b432a21e4ba6fa997b46186e10387ae3e278e5ecb3

Download Submit
C:\Program Files\Win32Games\AddURL.bat

Filesize
55B

MD5
56c0d3786a6d5073223286adf190e862

SHA1
ce5e32fd83cacb1fd3979fd42682fd250968497a

SHA256
6cac152136abd1e452ce171ee66d45990315183d96750262c7251afb58ea0398

SHA512
47033d1dd3cebd5e4228f0b1393db0656855df2a426fabd8fc3908a8e5a1baf04ad2e353e196d2f7be5c88fa2fc586b3a8b4c5bc829f734c3c65f986a6f87120

Download Submit
C:\Program Files\Win32Games\AddURL.dll

Filesize
119KB

MD5
0a8bdcbb1998fd1ed0c534128d746317

SHA1
7034704fcd8d1311a7dfa3f3572bda3e5e647777

SHA256
6b632af7516e724035c90f71b5587d905c8433d36086d1bbe5d60f9ed79ec702

SHA512
06c27fd32f66b191202a497e6c6bc5c5e00cf62a89d1a68cab6ea5fa343ca4d18b787707d0378aea9784ad8add6c0784b3a633830491f78c0a149d03894bb2a2

Download Submit
C:\Program Files\Win32Games\Config.ini

Filesize
1KB

MD5
c056711604884ba6e0ae40443659780e

SHA1
a16beeaa9c03b76efc9def6367b908e9ec1f3fb1

SHA256
740ae6b7a057c33d605e303bcf9b3a681f0c66dd64f3f99684e563ed957ccedf

SHA512
86c7a2a6e51cfde46e4f803b1b420890728cbc99eaf2d1d0583ab32ad8ef6b173b1a491a4fdb786d9fef10a96ade008ea74e29fb6123d8ab7e5889eed52cf1cb

Download Submit
C:\Program Files\Win32Games\bookmarks.dat

Filesize
31KB

MD5
37856ab54f4884347ca7399511b1e451

SHA1
434eed05a783325094d6dc177809640edd17434b

SHA256
97cbbefb6c945d81c6189905cf21645ae38c14349de4afd4511a4dca9471deec

SHA512
635a2afb8329cadbde52274f623002c269dad38175affea4e66ebde59fdbbfaf9641f51fdc98dc2ec2ab85086e49a66356367bce65546c839d59ef939b8433b9

Download Submit
C:\Program Files\Win32Games\install.exe

Filesize
88KB

MD5
3ff37f7120c893d4181b91730de00891

SHA1
7ebdb7b29897e1d3ce1b0b3a894fed7b05a0ab40

SHA256
be838574f77449da02d7bd432b87b8e8b1809c439ae241ca1f4bf198d61fe670

SHA512
91de6092937e76a3aa188e7194c5951ab8515d1a88a4ad0252b1f8500353d9bd65a8ae291cbfd68e4ae24fa1b0dab0188ad855acd959cac2baac01857aaec569

Download Submit
C:\Program Files\Win32Games\runbat.bat

Filesize
129B

MD5
73059092d399c7e46689cec258c4e28b

SHA1
aabf043c06d3aef6a5ebaa882c1445a6615e02d7

SHA256
efad88fa1a72ae39ac1214e7b8e79f997877886e370151bfed92a0af249e4848

SHA512
3df9b70231cf9ea3f3417b665c2a7d8d12bface366130b727210e075fa695cd8ad9b8f140fc6d793f47dec743eb477a70339280deca1921db023588eb766c969

Download Submit
C:\Program Files\Win32Games\setup.bat

Filesize
168B

MD5
59595f6e3e2dc287a9437b05d2c3658f

SHA1
a5e7d3d8425b30d71c7f0ddf18f844405228d121

SHA256
8ee18eebd8869fe8d3d4c9a854ced4606bcf7666a814bec59625e1a60e3f27a2

SHA512
222b41676dc242ef3c5e746167c85b9fd2c5f9f407a5b1f13d24621a08fbd51b9defa1575196bd6b66fa814106a0d2bbc5de8fd9d73778c3a1334977a8bb66e9

Download Submit
C:\Program Files\Win32Games\setup.exe

Filesize
488KB

MD5
9527c066eb5805f3dcb5faff1ea9a9ca

SHA1
9d22c5f510556d14d167cd9c6564bb6f672fb71d

SHA256
fd7c2c689e1d3945e1f22d23d95479bde64cfa633adef5de34f0ad6e6401c3fb

SHA512
fbdf829781db039b4a1d591c69a91a0bca35c8309723d6120ea21207e3cdd165389dd447916da5d8b11f6ce1dfa77f242bf48e7a5d209f6385e27691f32fb488

Download Submit
C:\Program Files\Win32Games\shffolder.dll

Filesize
90KB

MD5
b16a2ffdc99fad06910e4f5840b09b7e

SHA1
a6007e4a23a466d770a4530e88f4fce674321686

SHA256
4d0f7f715e56326d1a1ad1dc38253d1e1c981f11e45f7ce3bcda7466c28439cd

SHA512
511bf69bae59bc67254f535dda5679e05bf7f412ace4d50ab5b683992f12ffa95f193ace6edd933fa1f0fbbfd9d1ce8e2995642748c3329cae8454f649c32c06

Download Submit
C:\Program Files\Win32Games\sysdkeys.dll

Filesize
126KB

MD5
7543e7a3654c8c01a5c8177f554555a6

SHA1
3df0c9c7ac749b75036647ea1c7446966926751c

SHA256
f1cf49d0c4042310e3036389da686a64efc54fcb39fcc51adaa780b2b7e43e14

SHA512
ce78f36e93a3ab7df700a4eb506c569899bda02e1986ad7ce7a382fdb0cfecee32daed99ed4d218b08ac21ca4faa386369bc61b4b78f3c224a48d169aefb3d7f

Download Submit
C:\Program Files\Win32Games\url.txt

Filesize
31B

MD5
7be794eef3c8b50431718965a909dab7

SHA1
ea3c350cd241302d8235391088365fcf4fe2e242

SHA256
2cc6b02e3e74e20e3fe1405ff79c67a8b1a5ca0c8c304b7b37dc7ba0a0d671e0

SHA512
414a2636b2f7b5c7b09fa862539d71f82bca32ad6d95a767760eca169ab4e17f0d9b53c6ec978aea30d65ed1f16d4e4420e4f405382394f9c4c4909edbf66119

Download Submit
C:\Program Files\Win32Games\wingames.exe

Filesize
1.3MB

MD5
a3809af6e4577e5373905d9d8fba7b32

SHA1
e3537de67613e72025c0f6ee707c9118e12b3101

SHA256
ecd6226fcd7898b00b308595a6923384ac0d944939771e66a8d4c6fac8cbe60e

SHA512
772a407bcf4711ff47c04a44189ceed76ba34d1278c85cc340c2788a339d30cae62a8162de919fb5f403023c0c11d0f6ca93a8ddaf73287624d9c401bbd9f50b

Download Submit
C:\Program Files\Win32Games\xianjian.ico

Filesize
23KB

MD5
cdad1c273cbf6e059022029dfbd9bee6

SHA1
7fb484f24929070097237db926f240e887a23bd5

SHA256
c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1

SHA512
1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K1LH3.tmp\setup1.tmp

Filesize
690KB

MD5
867a12e0f5ee621dc2ba872027a0c3af

SHA1
16f73e48c5c1831776a04b42a850d7a3c4d646b7

SHA256
81659ebef12ada97da313b86a865bfd3606d7fcbdafd75927dcbd51e2e3fa273

SHA512
2468ec1d3479039a56bd3517692852adfbd908d1b13b60ce5dbec9439847aad80428c0d3f6249012bd704ebd4ffe75676ffd1241e7b5fa766d20aba216d4c387

Download Submit
C:\Users\Admin\AppData\Local\Temp\openonepage.bat

Filesize
214B

MD5
90a6420c8d2ef0f920d90c37b53522a4

SHA1
cd565c2cc5f92fb46ba2dde28b960732ef8e276f

SHA256
b95029baeeb1eb929cbadfc87c34233a56eefbbca71d9ae5639f7eb2d316ddd4

SHA512
1742d54d29c0e9ad99ad56094629f6751a5d485d3b33195c1b915a79f7b5d180fc7dfaaa9c0139c75e4e29a73f32445558131d2fc0be372c8b0b7ec4a6231718

Download Submit
C:\Windows\SysWOW64\SuperRepair.dll

Filesize
438KB

MD5
c2162351a34f12a3fe63e1f6c68a1372

SHA1
3982ae0da77d574bfc97e87e599e816953e7fb37

SHA256
6c61bd68b7c788b1dd720da0ad8602d0a4e9405e2132184b90ac1b0fe1bc26dc

SHA512
29737cdee5f6e666358f683af3b3ae2003e68463479d8ebf35285d4a96613b8e68ccf0afb4d6bde894d1f45950d9b931948577f468008481d8c935cb293744d9

Download Submit
C:\Windows\SysWOW64\doifa.bat

Filesize
103B

MD5
04bc98078381e1261a16e4320feac43c

SHA1
a98afe6907d0aedaee261e0ba04a987d745706b9

SHA256
8fe651f0ad2de63fee51a6b2c1531c5837ed8f861b88dc9fa8cac7760987dbf0

SHA512
1d7c64ccc799dc2cac9529020a472db4a72f4272b77e3cd14c2627ac3ba9be9b23686c79310a3a7a053644224ae260c53af4e1cdcb8bd52bbdf94b38b435bb9f

Download Submit
memory/1228-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-107-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2420-35-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2420-129-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2420-130-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3564-106-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3668-66-0x0000000002BD0000-0x0000000002C43000-memory.dmp

Filesize
460KB

Download
memory/4812-50-0x0000000002D10000-0x0000000002D83000-memory.dmp

Filesize
460KB

Download
memory/4820-128-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4820-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download