39a8ea86ad9d4a2cbac0408aa562c53e9fb68905f6ed2d04245dd7de746f46ca

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe
Size

1.7MB
MD5

2c4d85897aa274ced9863f60a098d665
SHA1

61119ec21a7d1734f6645d24f05779ea60910e67
SHA256

39a8ea86ad9d4a2cbac0408aa562c53e9fb68905f6ed2d04245dd7de746f46ca
SHA512

6728b571559a5a2858d0138ffd0ed825a72aa097ef2890c11a05b7d44f57bf3df549446b58d16888e6b844714c775b05a5cf5aec8fc7d9ffc84b6de167ae19c9
SSDEEP

49152:5B19SFzur/bc6/nRJ/aOheDkPQcKiwMH5yUKc5thLfrXa7sjybqS9pErw2/6pBLl:5B19ZbMG4hsYQHz0Dt

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	crpC1CC.exe

Executes dropped EXE 5 IoCs

pid	Process
4820	crpC17C.exe
4732	hpet.exe
1032	crpC1CC.exe
1496	hao123.1.0.0.1104.exe
5036	hao123.1.0.0.1104.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json	hpet.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cb0-26.dat	upx
behavioral2/memory/1032-28-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral2/memory/1032-92-0x0000000000400000-0x00000000005C1000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpC1CC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1104.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1104.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpC17C.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	crpC1CC.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://br.hao123.com/?tn=4shared_hp_hao123_br"	crpC1CC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	crpC1CC.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	hao123.1.0.0.1104.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	hao123.1.0.0.1104.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	hao123.1.0.0.1104.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	hao123.1.0.0.1104.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	hao123.1.0.0.1104.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4732	hpet.exe
4732	hpet.exe
4732	hpet.exe
4732	hpet.exe
4732	hpet.exe
4732	hpet.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1032	crpC1CC.exe
1032	crpC1CC.exe
1032	crpC1CC.exe
1032	crpC1CC.exe
5036	hao123.1.0.0.1104.exe
5036	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
632	msedge.exe
632	msedge.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
2340	msedge.exe
2340	msedge.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
1496	hao123.1.0.0.1104.exe
3976	identity_helper.exe
3976	identity_helper.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	4820	crpC17C.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
4820	crpC17C.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
4820	crpC17C.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe
4820	crpC17C.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4820	crpC17C.exe
4820	crpC17C.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4820	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	85
PID 2252 wrote to memory of 4820	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	85
PID 2252 wrote to memory of 4820	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	85
PID 2252 wrote to memory of 4732	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	86
PID 2252 wrote to memory of 4732	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	86
PID 2252 wrote to memory of 4732	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	86
PID 2252 wrote to memory of 1032	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	87
PID 2252 wrote to memory of 1032	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	87
PID 2252 wrote to memory of 1032	2252	2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe	87
PID 1032 wrote to memory of 1496	1032	crpC1CC.exe	90
PID 1032 wrote to memory of 1496	1032	crpC1CC.exe	90
PID 1032 wrote to memory of 1496	1032	crpC1CC.exe	90
PID 1032 wrote to memory of 5036	1032	crpC1CC.exe	91
PID 1032 wrote to memory of 5036	1032	crpC1CC.exe	91
PID 1032 wrote to memory of 5036	1032	crpC1CC.exe	91
PID 1496 wrote to memory of 2340	1496	hao123.1.0.0.1104.exe	94
PID 1496 wrote to memory of 2340	1496	hao123.1.0.0.1104.exe	94
PID 2340 wrote to memory of 2500	2340	msedge.exe	97
PID 2340 wrote to memory of 2500	2340	msedge.exe	97
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 2652	2340	msedge.exe	98
PID 2340 wrote to memory of 632	2340	msedge.exe	99
PID 2340 wrote to memory of 632	2340	msedge.exe	99
PID 2340 wrote to memory of 2732	2340	msedge.exe	100
PID 2340 wrote to memory of 2732	2340	msedge.exe	100
PID 2340 wrote to memory of 2732	2340	msedge.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2c4d85897aa274ced9863f60a098d665_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\crpC17C.exe
    /S /notray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4820
- - C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
    -home -home2 -et -spff -channel 167991
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
- - C:\Users\Admin\AppData\Local\Temp\crpC1CC.exe
    "C:\Users\Admin\AppData\Local\Temp\crpC1CC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe
      "C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://br.hao123.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        6⤵
        
        PID:2500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:2652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
        6⤵
        
        PID:2732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        
        PID:5068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        6⤵
        
        PID:1364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
        6⤵
        
        PID:1976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
        6⤵
        
        PID:4244
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
        6⤵
        
        PID:4060
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        6⤵
        
        PID:3980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
        6⤵
        
        PID:1340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        6⤵
        
        PID:4228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
        6⤵
        
        PID:1884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
        6⤵
        
        PID:2756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
        6⤵
        
        PID:2644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2188693300295511334,1061791755791076704,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
  - - C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe
      first_exec_from_inst
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
869aa4a54fb22070f41d259a43e1680e

SHA1
5696bb2c41e3ee2e99f3a37108ffb2710c937443

SHA256
f10240fb9db9cb1e006f1d2331bf367f29707f983e1d3ceebcfb9f844948c636

SHA512
929947caedfe46ec91ad6d7e43430792800754ec50e297caeeed51ff48aec043d69e3443b75773d6fbf6e4782e26bda14f7317a5a831477df2e028a5b47db3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fdd524208670a5ebf16da5c799ee3f24

SHA1
c05bef97f7b600147f627ca3ee9e777ba68cef50

SHA256
618b544facd20b3ea1f41ed6ba7b3e48edae08af2f9a24cacf8ea2a06d8d3a31

SHA512
3c163a42dce5f0ee618318910c2e67210f243fc44745b1e61cd70ca9c49aa19c6d069bb35f6c7b0520873425be9040a8d483f75836c6048cc004f2e0baf7cc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7c3477f213577011affa6df95590aaf

SHA1
ecd282f6cc77561adb1769fe072a052a436992d8

SHA256
3ff0c98b51c0e5ec8f9ecf33da40bbdf2756e06fcba53c42c123bdd9bb88e2e9

SHA512
5c4572d5068161e949a7ed240814c62bdf0a0ef87f4ad1e6e28d93b08ac7dd49f379f1926eab3be5d9884a5c60ea685b54fafb3a137e3060bc7f2c884df531f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a0c895a3-2c55-4421-b23b-dae0ce37b7f8.tmp

Filesize
10KB

MD5
ec384bb5274a9c52b8e75c6cf408ffab

SHA1
a12a592b5660c3601e1b8cdcca0cd47989574075

SHA256
77b374fb0b624e1d84f46612ca9c31f457ee6a59e8b2e85066da38b395625067

SHA512
4c9ded9eaf359db78f346ef37096329eca9a9b0365c5486f6c4f1c9e1293b7d3273ecb9bacf05e1e21a77440ad3ebc0d66e5dda6a821d17fc7a225f4b455720f

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpC17C.exe

Filesize
804KB

MD5
dc61ef7550384b682a212cd1b7224cfa

SHA1
554f45ce56845471fb27695d62d63083b3f9eeed

SHA256
6b9d76eb7947fb680fe13c36c0614e802cb6cea4fdaa69e54cece0416f333b7a

SHA512
af8923c9af7244ffe4edf24266d19644a70a8750f1ff31562b97879832365575db4279339d2f9101407b166310c8db1c5538d23331e3196226080d1a0ba52e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpC1CC.exe

Filesize
341KB

MD5
72090258195e1dd0d6c49a314c745d0d

SHA1
604c69e4b22a95cb711306fac6c83796bea1309e

SHA256
81502e7f7be3941c4383f104b2a30377a5a50c0baf6b5449a329a3706ae3fc39

SHA512
9baeb85154db459cc8807a47accc927ccfd915cfd8c1f78870e37ac6da9cb89723610edff3c8932f46f48c61e57f2b774a9084c43471467b16969c48a9535f7a

Download Submit
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hao123.lnk

Filesize
1KB

MD5
857cb03ae8ad4abdd6fe5f124112be9f

SHA1
2215b03f2febd0acbcc9fc73b64393d86eb53553

SHA256
4797327bc2220942569725a70113d666137b341a22a1621f724d0159991896a0

SHA512
cce197359d03c4065cfa4d23fe06913f8d6e5011b38049f161bd189d8eae9027f054c2dd342ed7d3d772636ce3cfeb6ce0c1955180c3e5fec6a874f2e1134375

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
11KB

MD5
89f779c5e84f19b5802032299ff34a1e

SHA1
fa99bc8c5bd3fd38bb1f29f392b3f6016f4db74b

SHA256
564f5362bf21c9918b2c3345069c884f99c33b1e7c554fc70036b93b4d030ce3

SHA512
62f7673a403d7598615fbb8b75858b4e64b8ae736f3ed9f8dcac8a0aa6988a7cbca14a340b60d41a7a8604204406a50c208f1e1d710ba8177a2e8cdd39fe1e30

Download Submit
C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe

Filesize
808KB

MD5
c2071b37c94a0fd8ff0ecc17d17f9583

SHA1
37ca74ef0594fae3bca1c37fb4df19e1130c2c18

SHA256
1b278f89309b77d0ad4eaa51a759311fbed941afcd36b709c91636c4dd916642

SHA512
a451de504b91326bd0487740f0de347184a8ac38936922e5fbaab114fa17934f31de8c5ecafe5a9f98f25bb2f18e02121893ad9454f8ab38d25619495424c82c

Download Submit
C:\Users\Admin\Desktop\Hao123.lnk

Filesize
1KB

MD5
303ae614361f35079daedfc846cb9fc4

SHA1
3e943b5a159ff26cc78569010c936b2af0b135a6

SHA256
21c2c2d72ee05db029035fff2c0d3e2d0f4ad030fd4cbea12586707f42ba1f43

SHA512
5e07c2fee5e23d6f6766cfff88d7c14eb5f90f153c77aab24d810bedd5255cd61772bd6f79b587ecb69374d42c2fdcbbb2c2ca708b0c2f43e7e9f9a93f749726

Download Submit
memory/1032-92-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/1032-28-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/1496-124-0x00000000767C0000-0x0000000076960000-memory.dmp

Filesize
1.6MB

Download
memory/1496-75-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5036-144-0x00000000767C0000-0x0000000076960000-memory.dmp

Filesize
1.6MB

Download
memory/5036-238-0x00000000767C0000-0x0000000076960000-memory.dmp

Filesize
1.6MB

Download