ee77f0509aec326d0397600440f4d5e7f0b05de8aead2d6ed067a8a1b18cdfe3

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
Size

2.6MB
MD5

2a32d59033987e44506dbe9ab04d534c
SHA1

1ba5b7c12547d2500820e03ab73097b097e305ad
SHA256

ee77f0509aec326d0397600440f4d5e7f0b05de8aead2d6ed067a8a1b18cdfe3
SHA512

044d05aca28d205cbaff381317b34a8d93a7846dcb2be31d74c370f7c55dacdfe1c17d264e9d33668588d836b7446e462be855cd48f3aa31cfd3111e58472233
SSDEEP

49152:6ffy4NwrQoDE0uaXxl9LC2v2UZGglxh5ozMP4NQQOSr5k/I4XTZGfVuK:6ffyvuM9LCC2UfYz24NQdWC/IgT3K

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1420	hahagame.exe
1704	game.exe
2172	maxthon.exe
2732	hahagame.tmp
2644	download.exe

Loads dropped DLL 8 IoCs

pid	Process
1420	hahagame.exe
2732	hahagame.tmp
2732	hahagame.tmp
2172	maxthon.exe
2172	maxthon.exe
2644	download.exe
2644	download.exe
2644	download.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hahagame.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hahagame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maxthon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2304	taskkill.exe
1920	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "94"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434639260"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19562861-863B-11EF-B692-6A8D92A4B8D0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "34"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "316950"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliyun.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "66"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "316950"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "94"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "56"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliyun.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013ace003c04e374f866a16c6f3efd6e50000000002000000000010660000000100002000000096b2a3269e8b348221b49040ba89605a9d197a164637efde64f39ec1e4b795ad000000000e8000000002000020000000cf1fe21625dd89c6bd42f2f948e34892e2e18a0574d3a9553b8ad3820b6c5dbc20000000b0797aa9ce9a16abcf6bca8577084d4fd7db92a4249deb8b02a9df55fbe5569740000000048ffa805e2806da58b7fd0c1f703c1b0b6b2581948b92247aa738d7ad92f8154046d8db0f724114aa5b38ea6bdb62259f496afef89e4faa1c4497b967a77256	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "34"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "66"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	game.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2172	maxthon.exe
Token: SeBackupPrivilege	2172	maxthon.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
2264	iexplore.exe
2480	iexplore.exe
2264	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2264	iexplore.exe
2264	iexplore.exe
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2644	download.exe
2480	iexplore.exe
2480	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1420	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1420	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1420	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1420	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1704	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1704	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1704	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1704	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2172	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2264	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2264	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2264	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2264	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2480	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2480	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2480	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2480	2384	2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe	34
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 1420 wrote to memory of 2732	1420	hahagame.exe	35
PID 2264 wrote to memory of 2140	2264	iexplore.exe	36
PID 2264 wrote to memory of 2140	2264	iexplore.exe	36
PID 2264 wrote to memory of 2140	2264	iexplore.exe	36
PID 2264 wrote to memory of 2140	2264	iexplore.exe	36
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2172 wrote to memory of 2644	2172	maxthon.exe	37
PID 2480 wrote to memory of 2812	2480	iexplore.exe	38
PID 2480 wrote to memory of 2812	2480	iexplore.exe	38
PID 2480 wrote to memory of 2812	2480	iexplore.exe	38
PID 2480 wrote to memory of 2812	2480	iexplore.exe	38
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 2472	2644	download.exe	42
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 2644 wrote to memory of 1604	2644	download.exe	44
PID 1604 wrote to memory of 2504	1604	iexplore.exe	45
PID 1604 wrote to memory of 2504	1604	iexplore.exe	45
PID 1604 wrote to memory of 2504	1604	iexplore.exe	45
PID 1604 wrote to memory of 2504	1604	iexplore.exe	45
PID 2264 wrote to memory of 2368	2264	iexplore.exe	46

C:\Users\Admin\AppData\Local\Temp\2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\hahagame.exe
  C:\hahagame.exe /sp- /silent /norestart /verysilent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\is-6H8H7.tmp\hahagame.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6H8H7.tmp\hahagame.tmp" /SL5="$7019C,1630806,72704,C:\hahagame.exe" /sp- /silent /norestart /verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\game.exe
  C:\game.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1704
- C:\maxthon.exe
  C:\maxthon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\download.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\todeletetif.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.hahayouxi.com/act/ConfigDownLoadList.html
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.hahayouxi.com/act/ConfigDownLoadList.html
        5⤵
        
        PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 1604
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 0
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:340993 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2140
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:734216 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?tianji
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1695460d0b75231263beeb9c2da77ab3

SHA1
934a7f36031604c235d0e5cf2cbf8bba174ea330

SHA256
5bb0386b0fe4cf227c6bfe7af9129bbfa820c41867caeba36803fcd1691ded07

SHA512
ce4280c0e62c7775c125f64e1145f938ba7a46ec21f99a9d7c60ceff8479279d6b69f4b2c4248883a7fa7451a35e6618061157d60f51f314606919a69c334955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b27cc87c2170e27e1ef1a6c89e09664

SHA1
97f9ed546e0e93e56a1c8265a8fdbaf2905e0453

SHA256
ea72c8b1b85cb59bc97ad8c0d01e9f1d563bcc5afb905298f36ce19a98338b1d

SHA512
2e677799541a4a5b84302df03499f5513d75af75e2b1b833f676853d40b6596294deeeb3a3d3a1c650302b6f8b9ee0d9feb81047a1e98eefebaf3a014e78b9ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cab5cc605388724b30e8c1950570eaa5

SHA1
7e5d670a3c4c17fcab49f68958eecf165027d195

SHA256
be6ede61aba24aca342629967fafdb661ab4e9077dfd2da9a6f86fdae8e2e845

SHA512
d78d0cd604e6555e6f66a492191248215ddd62e1ff181427c7e7b68d641a57dfbeacd7305d1289d0b95cfc719894512722901f5d8a05659977adc38e2b27a39a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e98f96916f23f9724bcff4808da03bd

SHA1
f62e19ca7ac0bd16384ef76a3c42dce2cc5ed5c1

SHA256
8429a326f5611cc4d9ddee28b07ad6d0320c2da699ee907c38a04cfac9249c8a

SHA512
a6ab8e6bf68a28cf2bcbf48ed87b4e89a8a2890e3db54fcd8d8bcb3b7d16f4fd2dfa2cdf4aabc7eb2e10555b38a6b4a9f873d4c99ef027a5a57c4aafad445e4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad7cdd69314ac9866d385566862d552f

SHA1
2e0f259c16e88bb07cf11184ebf7ba6b7cd5229e

SHA256
6869c7ddf887008224ec783854ca7729e5bfa5b42a114ed67cc9c848b3644d20

SHA512
4198a46dfb8d2c72e3172db0a1c53199738a8e32a24b8f00a0749bfc2209f3526b0172e493d0de49b8e07643895f03859e16e1027b18d584936e67cadc49324e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3514c7dacffa21636e2c5e2fe02aa92a

SHA1
32fad5c5cde8cc90acaf9cb76805074f3dbae7d1

SHA256
dd1d86dceea617e00e3305e24ff2a87665282f9e3dc97a3e5bb3a17194ab5e1e

SHA512
25d26596694fc68810ff8638a016737e41ec6ec53b0afd40c2c143ee5f002696a26c22772365acf865768488b89d10c3fe322a73eec2a990482fe8724e91f8c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
403bf54e0301492e12428aca8c7df3a3

SHA1
f5a022689182c5e21842678160968dce28f14da6

SHA256
e70bc4cbc679fee924635e96397ccda6c7987a9924a13565db59ac2519d83867

SHA512
50c152d250db43b5bda371836d26c1452bfcf561567fe875c1ae45af05e7add5999c678665afc6028fe23bd80329e7fe2025371fb270500a4918c31ea5561afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f32c24b38bf064cd008e9d07156281d

SHA1
2d8b09fdc67e7ad16a96c3b383b66e101c623c30

SHA256
9c1cedd7164a15403c6c2192cf0de604519f27626e782129327c36130ccc2ba3

SHA512
8b557fb118be160799e0708ecfaed7dfd934394ee2dcb4b398695c9be4d58328008e031ef3c9ef45b46d7b5e6c722328cb4cf26eee4aa1a11d49deec7db5c1f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb05da551152465f5c3d02b00f2b1500

SHA1
907d9e8cfeee237314eb545d56b8229df4e9283e

SHA256
d9b36cb0898c7a3e4504864c8dee0ad08caccc22fceb643ca2c6a5703d6c52de

SHA512
239e5ec6346a771111615886b104918868a7e6932b521473002ac4961d211d0f76ab595c197c72931e8c135c05274cf3210fe93d9b0ec0f47cb26acde65ea192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
514cfe87c554f33d3faec55075c69427

SHA1
d94cc285c7cce36b5c8ab27a79f67bae4076dc07

SHA256
aa0f3dd0fde988ef8cde79624b4f8751affeb32a487e6e03782191131e313072

SHA512
71baa9855d9f9245bb633e73ffd555e88729246899b2461d841bd28f6781612353e19287380fb804846ba7c6d42a0020c9d8e7ec2ad4a7db1039a2c5011ec5c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
987ff7ba1d7080f50aea5cd7df1ce0bd

SHA1
c2c7cb34aa5b026a1728ffeb0298840e7140a1a8

SHA256
e97080a2da41ad9b87a47fbed4850f23327c26ce40f97245d36ab83b62486dd9

SHA512
1522cd8c6418e525d68bfe84c5feb084ecb6f50efcb721639d0f55d5674a0135e4b2c5b7f03ea93215fcd0cc97deae96cf7dc8244cf9603ce15e4241bc1fda73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9bdc8b1538f968140a37d0d40205951

SHA1
19f346fee28a1e3a7e4a0ce737b352312480f6d3

SHA256
d64050b4c35ab8a5e2d210f607b42a2fc09cbe77e26c419187de5cbc6d731cee

SHA512
fa14fe0fde64c9b7d734fc9d31fdd20f9ef192a864ca52c75091c472f46749c046e346b9d0bb26b2efdf81ce48c2a865424cbfbc75bdaa6148153dcba8bf6b31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f0bde012d1ceeb5c9f1902e464b71d48

SHA1
50d4033fe0560e346ee9a51edbfad68f0569e10e

SHA256
be122c2499577d5c04147ca5ae2ca426425bd5938e8778169968288281d3bb5f

SHA512
993262a496096832969395149fb7028682a17981178ba283a7dff0c0ce154fef774e473729d0158091fb99a8e8fae72d2ad327a2c53ad79df916652b37ce87e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\09VB83LT\wanwang.aliyun[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\09VB83LT\wanwang.aliyun[1].xml

Filesize
140B

MD5
d7c69e2c6e9a033dbd2d9da31bd414fe

SHA1
b13523550f857fe1274b5fbcc86a7aa639181d44

SHA256
7a0315fa730d1c7f9deee53e6fbf70bb23f2d34ee6225a71ab8794e785ec2589

SHA512
51dcabac5bd3a6c38353fcd5f170b2c878e9ef8c5dd1098bb264b133e7287a25ae74a9e8d71a34b390b02881d4b88a54befef5af845b262833b664694d5037e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{194CA2E1-863B-11EF-B692-6A8D92A4B8D0}.dat

Filesize
5KB

MD5
5f37ef6ac454785d12403f0762639683

SHA1
a206068bf229dbe3ecf732de9b0a02bb8973e58c

SHA256
79956e77f0cd213a460e9eeb057c6bfdafcf68e755012909d7d472e408a93856

SHA512
57c0dca3b642b74df5e64f34fda3762141d4af8ebd8ac06635a6d9769d488154978d8abc8451dd4b536508d40e9378025b47a07fdf7b3af223e567167bc9df52

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE735.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE738.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.exe

Filesize
44KB

MD5
1e61219ddacbfc81d6459142ce054085

SHA1
230216b0deca51883c62c3735a11191c6fa94887

SHA256
f3deeafe0b5b9828c118f67d7f89f7da0d41b0189025998b28f6d63f51507774

SHA512
3ad181a849f7344094a0cdff71d54338318bd3440ff2c0bde6c1d158ca954b273b1f6388b54044b5d92d9cec7c8b3e260de94f0a5ac80136ba17d2bd2c5b960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6H8H7.tmp\hahagame.tmp

Filesize
682KB

MD5
d0699dfc3ff2c8980f167c7ab586dfcc

SHA1
c3f4aa0a542c01a0251782e48b313cbb7c5941a7

SHA256
52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

SHA512
ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\todeletetif.bat

Filesize
95B

MD5
cd490fc0b8299edb479fe88c9245808a

SHA1
63ef98f15756c129ac1977864c845d90c427881b

SHA256
30baa4c3ad9a57399678728d9cfd8fb2456005b794e45df84383c115e357e0d6

SHA512
efd2077ad9b62ff946f9943d435c12a07e598a074026c0ba3e50db1f96aae6fa484d10c3048bd91855bbd7b7cf6c439082678709eec0d5a8012e4c3fca7faf38

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\0.0[1].js

Filesize
671KB

MD5
987c28069a806e449cc1745725d0a761

SHA1
0d0316b7457e4679198f014fe49efb1505dd17e0

SHA256
39a435660abe1e9920ef4b0c50f6e0e2d542cf126fe6316296d9893faa1a8c17

SHA512
a3f4df39d850e2baf57ed61667ef27ff28915387542e521ead8f787ee359af4e5c671c8df48481be3c6336099e1d920a47c239fb0bc22acf2ee76b71f9f4f3c0

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\aplus_v2[1].js

Filesize
15KB

MD5
52f694bc0c708091328bd1aea36737ba

SHA1
ec625575f5b1867af3c5f6ba958578b5637e211a

SHA256
d417a585c9ff889d6337d7d0525d65a980e062f3710381d16f69fa079e8cf0df

SHA512
8265bcc3baa65776fc631bb1fe316aa68c773c2d48ef352d2382111c0106b95b5912c24a21bde03eb6d9634e7ad1e5fb171143acb939968f07f02093b571ece9

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\font_274588_tf6h927cvbl[1].css

Filesize
19KB

MD5
08fca8beac5eed494fe9d28a2c6cf62a

SHA1
1bf5b3ff286af515908deeccdf6733a0c1c7d95c

SHA256
be358172564749960f40cc839c1b863464312639c751843f382e096029b1ab39

SHA512
7c564c45ef24f911adb18f2d63fccc27fc673f1b359bd87493f8d36600463cee8ce427e9748d150eefd2ceb86cd868ab26873367e2b241f11efa7719ba51f6a8

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\font_276948_28ii451l5wi[1].css

Filesize
29KB

MD5
7560ba9febab91c429e63b8701db6fdf

SHA1
e184a4533796c04ac7b4157e10c52fcbfafeda35

SHA256
5c6a9ca70a2a058770cd47e873021bdcbd164d4a8fb6536f28e4597bbc234f32

SHA512
fc706808f83bb69379b8c75d7ecba30b7be51b7cf0652381d1a13f7acb21edc14a534ac2b87081a62cd6dbaaf47780f3e376545dede167cc10e98c5a27aab988

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\index[1].css

Filesize
12KB

MD5
42f33716bd4c38d027ac1fe42c0813b5

SHA1
a31895a4902b3ef5be2e42d64f6e31e308123818

SHA256
a8d8706c298022b6666108a0755d602b2875cd9e9e1bc7e01b6cfab5e18eb320

SHA512
876df399556f2e80cabbe387ec4f2d010ff9adcc20551f64269338c8434551be92f0f615291149d325a34f118c7fb982d40b0144b8dba610311efb6faa68f8d0

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\index[1].js

Filesize
11KB

MD5
960e01af3551ff8e5bcc3568558b35ae

SHA1
a0ebe282a9ace8be5f86e35cd2df94cf3be287a5

SHA256
20c695e450dc5c285ad28f29bea888dd6f7b4f71c875c748112d591d61a74a33

SHA512
d29aa57315e7b98cc3032e760612e25354bfac86133ecadf7d1b2e600d4bfdcef64a4e20a845bc4dd784db221df5809fa97d55860341ad6b158b7966105e6420

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\4RXRX1VH\index[2].js

Filesize
17KB

MD5
b9a5a9592db7e29feb4cc5e8814dea21

SHA1
7efbde36c1131ebd7b51ae536eb087a8cebdbb7e

SHA256
f4425a89ec24254262bc3d81a838890e5c9740428e28cd96e520c5bf8ddffa4c

SHA512
26c2a4f256fa23da25a752a02ae6192f69e43ed34e7491b8cd6eaa7cd1b15266bdbc8c7e43efad7e525833f0ed81aacf7b8c5f20e3386fbb85f67072d030e092

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\0.0[1].js

Filesize
1.3MB

MD5
a39d7dee030ec93264370b948694f1e4

SHA1
4966ddc45c20d115d59c40a522be0fe60208102b

SHA256
73ed2baa54199fc89335d8703e02e134b2426373941902f5dfc11248aa5210e3

SHA512
9ec2fc2cf558ed7727cd3affe8e98231ff004e0f7ca5545600a2ec3198dc565a5928893b55a28990b48bc37e4efab384f6837a398ad5ad9b1aac86e563b4b921

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\1P2E5UW4.css

Filesize
562KB

MD5
db8afe29dd5f03b6cd077192fb93fd6c

SHA1
fc83e7fa736899fc3ec73b01284119eeed677bad

SHA256
77d79be5f3ce1b2ad151a18c460965a1afd891f9761b187b92d27100e7108e4b

SHA512
53210c2ea785296dc41f1b061b5d29844dec4018cccf12bd1d93695304e6b911b23a3182bf4e2f4e568697559244899f21decce76e34a49026d3d39bce2430b0

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\GP147RKD.js

Filesize
1.2MB

MD5
1ff222ac4512527a6d874c8ff6f8bd40

SHA1
807a51e5b0767fb9ef56f5ccd54dd298d73047c8

SHA256
a2cc86c23fce7f9cc4922b931fa79325d05c2190d78157867928db957009fd78

SHA512
1647ad7326a37a3ef828989650fad01f695429c2e88211af49e5554fb4c42252232be57438525b511bdc9099f6188997c1598bdda6185209ede94513710747cf

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\aes[1].js

Filesize
109KB

MD5
6923e41b213376b5e04e049e6c85ce20

SHA1
b5f4a0a018fd488a0bbf1438978aab0f9b231c62

SHA256
e0af0ce7a4bd82f412c122cb800002f074d54b4d3da66c363090ea571a4b072f

SHA512
9bcc4e6559dc8435d1e2fdb6720fac8797280089a8e8e8cad2194f54a6187eff4fb273c3cc2c4ad346efa000eed81efca945775d80ca6a4505b780269c688f86

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\awsc[1].js

Filesize
9KB

MD5
9203f3bed5223f67b71d68b35164e516

SHA1
f9087ee2c64a76742b12788db3d3f7fd29bd593f

SHA256
b8186e526c1cb83799840fb5264291e185205b4a5d5ce3d9167ca7ef75e37dce

SHA512
bb9d04f4ccbb4ad6eefa10916391faed8799a4763ff42813fd347f6788144072269fc2095e96da9ee37edaf10c202e09c6e48040dddf153f3d790ffa733ef29e

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\http_410[1]

Filesize
4KB

MD5
ffcb90ad5a880c6e88de7e211c7282c7

SHA1
ed03e943dd09c79ba94bd4237cbf09f0bac2b491

SHA256
bbb7e4f40606302dc3f9a4b22a6d9db196de9d47615db81c1071eb21bf434707

SHA512
3a119ba698051752afaa2e97aa342173c3821129b06d6da0ceb5b929dc3ee79700c4fcd997f20d0de3d0bc07b2367ca60440d9c6f7b23adf8a083eccee6f416e

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\index[1].js

Filesize
55KB

MD5
8fab4e24e2ee1ab97e1604c40c9c18ca

SHA1
a01ce90d4cff5a959229b43af851f724608286c3

SHA256
15907940572e3d23816147d7d11560e71011891783f93d3b455c3da3b2ca8760

SHA512
44b3dda94bedaba1581e3a304c5e2acb2d4c132a33fcd93dc6f51d31a46f58f542dfadc26638e18608f4f2e9a46f786d597e77547ac4946d14c1d64ad3ee8eea

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\84EXSCRK\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\0FJZU2UO.css

Filesize
26KB

MD5
3ba15bb2729029c045a5313ff6211b31

SHA1
5479243cef126a88baabc196a1745312f4c94b46

SHA256
550f91c7852b1ab46452ec13e92a3598478f6e9b1f0e17aec34e66c37257b537

SHA512
a23beb4c3caf4961362d5b862f9b38901e422968fc227826edee592b4eff73fd6e124403c98a4928745d993a4b7e5bf70faeb946fbb1a9337481bf853de758f7

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\alilog[1].js

Filesize
309KB

MD5
84ce048a8e4d9847093658ae777d6b3e

SHA1
3944af1be9dda7907431f648347965ae19cbd6ef

SHA256
e0d70e9093256eb6ed18ddf49ba2eac3028a8676948baa24ca46ae1161c61a30

SHA512
f854773a9055623a1683519a30c3f61047d1ffad666497395d81c66fb6ac33d428a43e422b3f08387e69196e0fbe38a33dd80ee7db961f07f126f3609b0faaa2

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\et_n[1].js

Filesize
291KB

MD5
72f3ea16df0a2c318bf8f60b221f6080

SHA1
e75b27db343b47e5100da031c6b313c9257fab06

SHA256
79c09816cf58dfbdc34fdb3460503acd50aedaabfea74ad5a21140b2c0888cac

SHA512
5e28a41b9897f11c31e3928b3cdd03ba48d06673841f94da96525be6d182cacfec4b4767952b6515be3e7fc6eedca05921c5b39cde8f2cadf1e6bfe4db215e30

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\index[1].js

Filesize
107KB

MD5
2947f1ee7e3566a770d8d394a914351e

SHA1
ce3304d13e561eabb01cf91531e48ffa8a000772

SHA256
2220985122c8a758305dd227d40aba81a5e75279abae7deec7be13b9a628e2a7

SHA512
e970d351aae59407477e54c8f79c281eb8b86792150cccf1004394988aa4efeab5bd1afba092a97617a458d2d8b666e82cfecc47d66e2befc1d9c641c9a49c58

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\seed-min[1].js

Filesize
43KB

MD5
9dcc83d8e379199d7834d39c256397f4

SHA1
1d04e1c56dab92aa68228b7d02028b8606f50aa1

SHA256
e34917ed6c4e83dfc68f7f928e81a0371c067b4687996e119279cfbceb1be810

SHA512
9f47943d4d37f8d7a687503b794af2eaab82bd96d8de2d23ab59d2b56fbd8032a6221f77cad02a6c20cd07acc4edd02306f7ee5550f5792d50b763e288b00f53

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\J7FHNNOW\website[1].js

Filesize
232KB

MD5
bc80ebba826598a33d977b3de591c493

SHA1
31b3fc21b9da995990fd9e38dba73936b04c3d2d

SHA256
6467b3e7148bcc13e84d962e56ff7e7537b6c7a9bafc5c7581fd04157e9b6257

SHA512
a544dd3562dc5abe32438676384862db1f19b554c720912ee3a30bb485fda9826f505dd467b0744dc015b952b5fe39b2e95ebb1fc97da4a1e062c1375fb768a9

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\0.0[1].js

Filesize
19KB

MD5
6ab2de6bd55a3fcfd1067ce6558c95aa

SHA1
fdd57aa5455fac7d3e226896aac3d216d4ba32dd

SHA256
67763f50a510e9d59e7a28a0e99ceaffd707e4d707ea59fdf4f03e49b18b7442

SHA512
a87cbb87d13d1468acafab63810c91bd0da42bef9969d90c79579f49a7bb1650d43b81d602ac5bd4720f4360a4208114fd42594d38a5247c5a010329d42f37cb

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\4A4F85N4.js

Filesize
85KB

MD5
2c872dbe60f4ba70fb85356113d8b35e

SHA1
ee48592d1fff952fcf06ce0b666ed4785493afdc

SHA256
fc9a93dd241f6b045cbff0481cf4e1901becd0e12fb45166a8f17f95823f0b1a

SHA512
bf6089ed4698cb8270a8b0c8ad9508ff886a7a842278e98064d5c1790ca3a36d5d69d9f047ef196882554fc104da2c88eb5395f1ee8cf0f3f6ff8869408350fe

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\KQSWZDHR.js

Filesize
149KB

MD5
b4957f9c047ff5b5f2dc1d1b3e6723be

SHA1
d42dc86809d35493edf1b0cdcb27610fbef0a851

SHA256
a88124457319fe1ac3a6919adae959f3300acf112b1112409d7d8b4706175900

SHA512
7dfb44975862f6a856b7f1bd1b4ed1177bd920a0890dde3e14785ffb2f7d16c3f5b7fa497be1e406566be7923e839bd7080d3e3e5e4417081d43df3efec16820

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\MXF30G6I.js

Filesize
149KB

MD5
112719139f6f5fb4997d8e998a37621a

SHA1
91fba60f57658cd3e55ad08e75262f6c17a69c42

SHA256
cc5d782430b1d9c61c2467fbdf0d10b546bf8e232c235b04903b650f0c5ac724

SHA512
41f61e2f4fcd597b787facaf49127d4b6356b8dc6a19ccc92d88ff54a93c84ddf3543a84e3d42e81bd79047090bfa47bfbf376b83a532156eaba347b2e669586

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\baxiaCommon[1].js

Filesize
31KB

MD5
52a7b0f08deb4eecafd81b5d4e03e705

SHA1
943180cd6ead13d91b9961922b4bae692e32899f

SHA256
9f1020cdb6d9f692fdd6fe785d78200b8543a6b3d8eed978b6f1d372cc3ac9b5

SHA512
0e2629e441caeca922cd09e34fb818a762497cd7d0139afc66262f70409ba21c1b7cc043c59ec3637a6a4bc21fc3a7a5d48bdd6c7075c7cf8562bcf010b3013b

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\font_1175572_77a2hn4ww6y[1].css

Filesize
7KB

MD5
fa01268c7ad1c7ceb10393fd13df55db

SHA1
287354bbed9e12e0d897518ce6b829bb58377d88

SHA256
6d4dc6181e701ff3f9c9a9c1c78cc7a35b83f80bb58987c749e408cdecb567c8

SHA512
9fb30bdeb3d7298257033a69f7643698a572e9c883d6ca968a7077007214aaa91163ca3b7ed870759d64b7fe11a7940687d763e6d8e6b2378152069c191bbbd8

Download Submit
C:\Users\Admin\Local Settings\Temporary Internet Files\Content.IE5\OX8Z8GR5\index[1].css

Filesize
18KB

MD5
99e43e714bf1c40fcb071dabc444580e

SHA1
1c7c7cb0eea6378b92f62561e8342db77e817b8e

SHA256
e8a2b83a5018f7b9207b06b555fff5fb58bf41cb28d1d4b6cd4756ac683a046f

SHA512
8cc81812e4b899d5887130ce59fc4ffe0fabbff07febf165c372d585f54374431a47fb9f70a52ce4f902f90d920f1fa35920a77207fb0907a90be80823d8c2cf

Download Submit
C:\game.exe

Filesize
111KB

MD5
38ce47aaacb8f1cb7169bda66f62298d

SHA1
8571d7e86810e0a17ae7d73c6ed4e7027a62359c

SHA256
d83e27fca97e80ed4842fa7a9b73fb63ba5cf0a1f959dd39a966398319c243c2

SHA512
83e44f4071cb983da68f4adb97db182a60f9347a8c8a5e6d339f5d78d4e53981f7bcdb57a49bf421ab8300a72b316a24b3e0b291f3f64384f8a71fc7b0496dca

Download Submit
C:\hahagame.exe

Filesize
1.8MB

MD5
0b80274947513ef334429c0c666b3c53

SHA1
eb8f8ea8b3dc913c361adcfa4f790935083c4bf9

SHA256
4e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be

SHA512
07ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213

Download Submit
C:\maxthon.exe

Filesize
159KB

MD5
7bce9c46da8425ef61167f87e69cb53f

SHA1
7eaebc37924cfd6f166549aaaf063985017cce62

SHA256
1ad7a77aae1cf61a4d72cb381310d6222b46d94707372a3a5dfe03923c2971a7

SHA512
8ac9315b32654d77f675931ff257cb631a1bca7b4b905b12f1e4490c6b053f96d4989740e5e9631de2f027df51871a8dca5d506d8ca0e3e1faa3060b2ae76783

Download Submit
\Users\Admin\AppData\Local\Temp\is-41SOK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1420-102-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1420-24-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1420-30-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1704-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2172-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2732-101-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download