5bc4a5bfcdb11fc91439c69f8b120badd36f52ba05e50f2476c0094573ec963e

Analysis

max time kernel
119s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe
Size

108KB
MD5

090d04afd5d5b7df5cc1593fbad9cfed
SHA1

2949b43ce077caa4a55ce3e2b282b03334d314e5
SHA256

5bc4a5bfcdb11fc91439c69f8b120badd36f52ba05e50f2476c0094573ec963e
SHA512

213cec24228f4f38494bbb1e0a6d8cd45bd70a9cf529182d0774922c52c5aba7c57a40b32728ecbea47a08b256fac053a4ce9df9f38f2179933dc703dcfbbc77
SSDEEP

1536:UTzE/c8uyy6+aoxx6qljbUZqGt3SvFcT7PeAbCvV011owPR2oJ6iuN:Hpuyy6+aezjbUti9aCN011owPR2ogiuN

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	Hijack.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	cmd.exe
1688	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft.KuaiLeKuangBen\Hijack.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\Hijack.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\Hijack.bat	Hijack.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2832	taskkill.exe
3004	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E23B47B1-3235-11EF-9A72-56DE4A60B18F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000157240d6756a6c448c856c67ff8be0180000000002000000000010660000000100002000000047d739d0832c3804c54390e230bb8bef91a0a21c34ae3f2ca0e5f18c05e2f431000000000e8000000002000020000000cd76a30cfe588568c7275e86bd4cf0e59e3a0f38148275fe6bbe54f1c531787f90000000512bc775da2527662e1d1193b3ab83ba118d0dca6683108157e616fc88993dd3b92d3a43132378946eebaedadc2d0e83ad8bd0f1498f51d22a9763eb67e9945ca7f3ad3cd64dff32d48612974855b5f50905b096401e1cc3d7abd1c8c9a0fb997b9cb4b2c165eb67561086b6609c3f60c8fe0d6b6972d11df93211fd4f58e8644a4584288dd1f52887c18bc337ba331a400000000f5fd48c23fa2f54ce796c13f1de1cd5937360d1b94f6bc25dfba6a6888b02882a8d2032d8c8b00cc57cc7960cc24bed1e070f43ee8fee8de298e80f0edd56fe	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425401126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000157240d6756a6c448c856c67ff8be018000000000200000000001066000000010000200000002998d779c1d8e68ec92a696f5167fbedd129f653c10c31f5333c8cded2bd3cc2000000000e80000000020000200000009d39fbfe74991d752e7fd390bd96ba33730f227290aed4c5157ade80a08f8aa1200000007898e7849e85dce48c7a5b47cd3a193c72a163fbcaa68699cf09213f06bf2da54000000082d0a710d68fa02116fd047c791f9b6bfaa103eda37d94383acc93bd2a6f7f5bca426a885697b20f58cc899102af9038fd82c7111c7ac665d2ee9c44b54f2167	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80810bbd42c6da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E54E2531-3235-11EF-9A72-56DE4A60B18F} = "0"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2196	PING.EXE
2592	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	IEXPLORE.EXE
1852	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2192	090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe
2528	Hijack.exe
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
1852	IEXPLORE.EXE
1852	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1688	2192	090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1688	2192	090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1688	2192	090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1688	2192	090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2196	1688	cmd.exe	30
PID 1688 wrote to memory of 2196	1688	cmd.exe	30
PID 1688 wrote to memory of 2196	1688	cmd.exe	30
PID 1688 wrote to memory of 2196	1688	cmd.exe	30
PID 1688 wrote to memory of 2528	1688	cmd.exe	31
PID 1688 wrote to memory of 2528	1688	cmd.exe	31
PID 1688 wrote to memory of 2528	1688	cmd.exe	31
PID 1688 wrote to memory of 2528	1688	cmd.exe	31
PID 1688 wrote to memory of 2592	1688	cmd.exe	32
PID 1688 wrote to memory of 2592	1688	cmd.exe	32
PID 1688 wrote to memory of 2592	1688	cmd.exe	32
PID 1688 wrote to memory of 2592	1688	cmd.exe	32
PID 2528 wrote to memory of 2732	2528	Hijack.exe	34
PID 2528 wrote to memory of 2732	2528	Hijack.exe	34
PID 2528 wrote to memory of 2732	2528	Hijack.exe	34
PID 2528 wrote to memory of 2732	2528	Hijack.exe	34
PID 2732 wrote to memory of 2404	2732	IEXPLORE.EXE	36
PID 2732 wrote to memory of 2404	2732	IEXPLORE.EXE	36
PID 2732 wrote to memory of 2404	2732	IEXPLORE.EXE	36
PID 2732 wrote to memory of 2404	2732	IEXPLORE.EXE	36
PID 2528 wrote to memory of 2832	2528	Hijack.exe	38
PID 2528 wrote to memory of 2832	2528	Hijack.exe	38
PID 2528 wrote to memory of 2832	2528	Hijack.exe	38
PID 2528 wrote to memory of 2832	2528	Hijack.exe	38
PID 2528 wrote to memory of 404	2528	Hijack.exe	40
PID 2528 wrote to memory of 404	2528	Hijack.exe	40
PID 2528 wrote to memory of 404	2528	Hijack.exe	40
PID 2528 wrote to memory of 404	2528	Hijack.exe	40
PID 404 wrote to memory of 1852	404	iexplore.exe	41
PID 404 wrote to memory of 1852	404	iexplore.exe	41
PID 404 wrote to memory of 1852	404	iexplore.exe	41
PID 404 wrote to memory of 1852	404	iexplore.exe	41
PID 2732 wrote to memory of 1568	2732	IEXPLORE.EXE	42
PID 2732 wrote to memory of 1568	2732	IEXPLORE.EXE	42
PID 2732 wrote to memory of 1568	2732	IEXPLORE.EXE	42
PID 2732 wrote to memory of 1568	2732	IEXPLORE.EXE	42
PID 2528 wrote to memory of 3004	2528	Hijack.exe	43
PID 2528 wrote to memory of 3004	2528	Hijack.exe	43
PID 2528 wrote to memory of 3004	2528	Hijack.exe	43
PID 2528 wrote to memory of 3004	2528	Hijack.exe	43
PID 1852 wrote to memory of 2588	1852	IEXPLORE.EXE	45
PID 1852 wrote to memory of 2588	1852	IEXPLORE.EXE	45
PID 1852 wrote to memory of 2588	1852	IEXPLORE.EXE	45
PID 1852 wrote to memory of 2588	1852	IEXPLORE.EXE	45

C:\Users\Admin\AppData\Local\Temp\090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\090d04afd5d5b7df5cc1593fbad9cfed_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 127.1
    3⤵
    - Runs ping.exe
    PID:2196
- - C:\Program Files\Microsoft.KuaiLeKuangBen\Hijack.exe
    "C:\Program Files\Microsoft.KuaiLeKuangBen\Hijack.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ?mac=56-DE-4A-60-B1-8F&mdx=c9512565ef6194ca664dc41ec0de7a530d3e5b918179d8874ae3fac476679bcb&ver=53-10-34-65-6
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2404
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:3552272 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 2732
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\download.html
      4⤵
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\download.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 404
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6e965e19878405e75dabeddfd0ffb4a6

SHA1
9c8cf0e3e21a94580463b28079da20bc5f46f231

SHA256
b70142c470d2f81fa7c0aae16b1aa7089b1c3822d5894477f8348397ec1e2da3

SHA512
b53303fac265efef2660626226dd5c710d26d5c4bed8b38f8044ec6d7ca5540c4e0ced9a4b4f6ba2f7b42d0e17256bc46474234419f3ff92eea6aa9c408088a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
98d64eb117a7ff1efc59b1225dd9de32

SHA1
531358ca3250178e2c3d271142f547fdad2c4020

SHA256
f17209c4e021c468811c2aaa2b07c1c1bbfb3ce871bd088be677e9e678b0aa94

SHA512
53b6a642a9205db23a4b8e4ade8ed705a5b5763208e80e15e7e31edf44f007737994d4a2d2b711e6151e32d33fb0106555a9981b57a5b632f00607b7889dfd21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c8fca0552c8c173cff1fa363ec6fc05

SHA1
dbc43efbb562571b3a0d9d90a11c455048474b9d

SHA256
2fb6861aafbc8333e9294ebe78d982a2118e71ab3d82b0af92715db451267ae9

SHA512
34c97011282ddf699be25ad64e493b5c7a2d5b95bd683372ecadf7f4bbf13538bbb87035a5630dad358af624aa7f467cf193ae15201d78526cf0e54fc31f53ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f9906277d8c430184ee6764e5492742

SHA1
d3264b8c001e84e9c18889e1b6343fc8a2bfe6e8

SHA256
74f5e2ec590729a0f2f8844a44bd58503e4a87dd14e3258113d2542654b2a9e3

SHA512
0c0612db974caccbc83bdbbd72973bbd0e80f02581bca77ab003caa7eb783c432a4031da295d449805c304e47593c44b180289d58e7b327a021b234d929772d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e251abd6d4d1c1135dd2cbf2c7666e86

SHA1
b950379067a0029b2a2f1194d6d315425f0b5403

SHA256
d0b281898889c7121235b201665f188f65c401011d7513867e4fae5fe0a18d11

SHA512
53745cfcc048b19e075a4e5947986f6b0bfb64ae37e3829f0163c55308e9851c3a3a8d54cfd6d45aa3c1800b7453ebcef9b5d05af6bd66239301d404bd5aca54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
194f126c352c32e224d44a234d7814bb

SHA1
c35c0b8e22c25f17e40f5700ed6f2838526ffcd5

SHA256
8a996dcb8946337b7c8506cfd87f23f98c8eb76b7df0a33cb3d5c5b803741321

SHA512
97dbbf6c0ddf62cf565d02e539be991a707fb2ecb9f3b06e8f15c47c982f622be547cf74a7a201c5eadaac75cf58d78162cc71a4f6c54d238876d278a189dd23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
786e0f0e3e80d405c6be6ca3b2639cd5

SHA1
fe3f2de8bcba0b219f600b2da38492764de849f6

SHA256
6bdf5e85545ab8dfe8c302c1584f22a2b17b8a38da19829a13e893bd826e5d8d

SHA512
0dd09b29430c100f0d3f83ae22a82163148607310afc5a5fc03d3a3e797c65a6a0b4df23910e46a624378a09741e0b176ab81099c080e948758d891b2fe93529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1620798b15d968e894d10a776e843e52

SHA1
5b9dc9e6e873c61b4e1a6fb2568db3a6f0463a76

SHA256
0bb3e2a34cfa68222bfcfc48c7808791a1674b54b6661997ff27f762fc453355

SHA512
f7da709c93c4ff97adbc246278281f9036f48c5c5c104fb35515a510852effcb772d13abb12ec8456fa2aa399cbd93fc9a5d55a37bd85f22eb36e452366bbfc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0edbfa363fdae495aad044898cf305ef

SHA1
567cfd588abd34c174b8eae5895004e50ffe8eb0

SHA256
33068a250b5ec3f6a04048821b0a30a10a31cc16da939814f4d5fc8019836c6c

SHA512
e41a5401e8c657e44f9f0ced159ae7e03790ccf420136cf86d651dec55c03378a7c41e557baed58612c673c1f1434fed4d7a98c31f18e06f9d61c6b1305a691d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
017ec85a210501c53ff226a676255813

SHA1
c139ecfff1f4f7402739d653c658381553d4357d

SHA256
76a261c96793cd1ee4a1eed55f6dd46f04d1be899b88c40360035cf95cea1349

SHA512
74f5b38d491ab9638949a64872bb127ec4514f9fb1dd33caaa153377255476d58be8add6f96bc172be0f95df35ee4b3e888ae81bbc1cd7b170609395bd4e619c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aff9c0d34e2639b2212608b1596233e

SHA1
ad5e7ff5c6a6903e2cd3662df48e91509f2d8a01

SHA256
78804b4cfc0fea207fa3e7315926e18ed9b257b69e734c1b4b29a5dae07e5e9b

SHA512
7258569e318d66ae00fadad9ef0ff1e9275c5ea5b96d0ad78f30b68d25ac407581fdb49741a1cede87d01619cdc186f35b01d0e9deb2193214ec04a6bbd0a5fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44ef6ded3641f98b230ce2ec0f5fc28d

SHA1
669adb146a5490359cc01e9b5dd44412524c1df4

SHA256
7d57b2805f9b1d24bc1328169e3d12e15fc0127600f632cdea77a07a31ce6113

SHA512
0bd63eba0d47447490dfaf939370fccff28c6b07bac57585d36e6b398ee06d28008e76d770ddbec82532118cf874eb5064b1935f0496efe3bc911a095b5275eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f044893d82feb13c4bc1baf14a3d1005

SHA1
801a7bbd789a4a830e74c6c1fd0736b9809ca4e2

SHA256
48ac48bf8eb1ca55a1c759f25a40fa01759dc7182a08503a07bfc648772419b3

SHA512
e41b76ac43e45205d70a31ff5f34f5b3180b1bf4df9b243bee0d5dfea30a0ddb086cbe6b00ac8c552c344b703a2832c0bdef9edb301bb9e1067420ace629e55e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd3af35f005dbc3d08f3ceaac5ffd959

SHA1
bd805f14e2998f67ed3d9fe879beafa66b5dedba

SHA256
cbae50848ff09b02899b1dd2a44908a9fb3f9b0d164ffab1ddbc0511e221b8a1

SHA512
08650b52deb395973192906d438239e2da657e194639a0a70722ce5ece8e7ba7f516e3f75b05a9a88e86d58468545ffd5428fa36159540d3dd07dd0ac7a126d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93cfb75a97fdbe591944abea21bb7a94

SHA1
bb14921a6ad86fcf2ab63db5a3f7adbe0306f5f2

SHA256
d043ae19743cc35987f3ffaaad9290643667b989f2bc600726aaeff388e0c5c1

SHA512
ac022a296b48ef01320ed01c6d95b74dc8f551a2b86c89dce282b3634464023a4133e2c4e8d9e7910c406e8419bc29c3c6798536b463b6c29e81e6fec048f70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
755eab39f04849ef6773fcdc6f03651a

SHA1
617ae850ddd9d1100a4f314e0a71c7900e53ed23

SHA256
cdd2da094017589f77b6e20fa07e1669f8b42380f342f97bbd6e60912c88ac45

SHA512
917833297abb3d9cdbb2c7ef64739ff3b80699f55e499bcca21165d34bfb11088ab83ee54f5ee1bc92c6b66a16424729a7a786b4b484a9dfa7dbfbd650c1176b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d26a4f3b58c8ad1977765000d8c1f4b1

SHA1
889340a694960896883e1625a4461929c1c960e9

SHA256
0afc5d36aa2be9c158829981449eed5d5057cd9b2201cf45e3257f9d541fe782

SHA512
08ad1e16b3ca2b7494d910918993ac69c211e1525c2584c2d08c07062030f33b68cde08400e68f8521c78e2cb1ccb01680ec49adeb1e867d9609b028d9f21bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a698e58b5d45e0b878c38158a9e7bcf

SHA1
51ebe86fdfe87bc02648be14f599239370aab60e

SHA256
5bc70d87d32a0ec7b3ad677ad2a31c93483c7214ac3ce4c3f14e48e3aa73467b

SHA512
464b1ebed137c9606e09f851689749faf617d9ccd845faf3ddc6bfa39abe6e0075526be2ab00cf41c9d9351d081e89fa61199ce7b4f32aa6a224200c677bb3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86dda179ca87bcb923b618abbf2fbe9a

SHA1
2e9de7fba9e5c2503ee8a0f47355b32a7bdf1128

SHA256
334d9aa41af04221375967a0c129da01faf398a34f18510eeb3a331d90c7092b

SHA512
e432a0c1da6a35dc1d68a289e9d46d506101700dbf8cc9c220c4df5b0990ebd5ed3ab75267cbfc969a0eba8c3d5fbf03e6c86deee276974700100c389df7b9c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87f5001a524f601f10abc95890f2f588

SHA1
03fab9a6211bff8dd5048d4fe13ce108ececb2fd

SHA256
61f02045f3b28908eb216e5a0f07b0244d870f296a72e5610ee1c6ef8b2738f7

SHA512
6a07202c0e8b252657c9aa17aa3b400990c600644a61ef0cecd2b28bff4d6ebcbe2613903d4091858ca8b5984aff944983e7f3d9730519ac25c4d6132fb4e0cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11c9d635d09b22bc0192d956fb5cf42d

SHA1
69178f4de8e693b774c07042d19e4c66ce7b31e2

SHA256
34fa414a7594c3c241f0f5538ea86bfec6211a540f8ee76061426e0e34e047ed

SHA512
07f48d0cb07502c9455d8ac29e44bdb1333abb6b956f94a02c435e366dc461a23bf89c46dadf1b47e3212b1f857d542ee07da17fa7affba2765643df24ac1c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a65767cb9d6574b8b5e508ed221a8211

SHA1
40207e2a0c8aebd099992f095d5ac31d674e8f20

SHA256
75fb6d4efd18d40d12e7b677d1172a9ba082e7178bc33fedfe1a68c98cea7127

SHA512
7206b9df5d6690cd5327f1b4479fc2783ab24ff1a22c51dcb36e0bf82144a127a157e3543977ee2f96a175743d34040096f42ccffa57016c695412814f567b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9aa4f6aedd5496680a7184f90ca3f6e2

SHA1
7c7e4a73af0bede8fa0f971eb88b811ba4947726

SHA256
66a742812bccffe4acecea71840a2ac458b34e418537d823603df50a55379ec3

SHA512
7a367e34bf69eaf5208e30af0420e4bde77674f8fce093a21949b1d117110aeb1aa351aa68917a301fff55c7b9f5b5af72d6c94cbad9fb880b93e5730b0a7c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcdb0d11fce2999b6efe95b51363f8ef

SHA1
92290d05601f612d4c72e7702ed9acdc72914435

SHA256
be809cd948dea90a5c9931e5a662cb1e2998b2a6c13a8d629294a93dbb2e8ac9

SHA512
896df3a1dbd83afd4b6f867450fd328659ae567f1d2253a1de71e9c30b3e20a94200844e8411f17b190ef1a949feee4b6a317b692b6eb34cdba4c9406bdf130d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97d89983a810009a19d6fe8497e03154

SHA1
c9e77baad5f8e20235395fcd4e81bd7f257eec9f

SHA256
e0c80eac2363bef7dfaba41ebb6946135192eec4f39d3ce5b05f27bd5a60709c

SHA512
6ef092b2b44a99837fd0bdfe2f118391e1abbdcac1bc8c530de34f0421b292e22852b8721f779d5f0547c2a0eb06aceffd21434f795f8a21a4962f885b830c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae61e7df574524bd2106bcb1032d51d

SHA1
46efdd60d206136831d632393e3dfcf096f43704

SHA256
26ea027d8717b625c9b9e61d77fb856a194b5340f100f15a84389a7b77848f4c

SHA512
582111fcaf68406cc3257db743229d1897e65d7ffbb17e495d8f70a6b0635cbc450b690505ba2aba32ddca7958d708fabd9d45e836ccd9eb7db1d310a96d2f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07e7ad68155f3e4a6330a82871b7dd11

SHA1
aba86f9473d1c355f7a19fb1067779b0fa54b1c6

SHA256
405d6152b303af3d0c11179921dd762080656c2c65af83020aa909dad904fdf4

SHA512
2cc6462eed1623e5091db6671e66c7023463b33b0f8bb6e6db758c42eceb2ba40842cd35bbc1b77e1a2f755843d5ca5ef4f1042fddf7d7fe7081d0b23e8ad860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80f5f8d383a05dad27925300bd9d0c7c

SHA1
6abb7ffcd1e006e56b90381d9b0af188c995612d

SHA256
17f5723383a692e2f8b09d8ce367b1c0d77639770e73d1aa815340ca831c4fd7

SHA512
a0c32989d61bd66518840715de8b0cbaa07487953e2ad171edb5739fa935a5c3b5a0912d25c8c28368ed088b9257bde927952198f5c2765ac80e7ba7c1446fe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c84e183231847dee8829cf39818213ad

SHA1
5210b105269195cb450d745657929906da85f31f

SHA256
7cbd1f21c3ed1b672803c0a032119987370c937a8aab5c7df780e2e2c2ea35b4

SHA512
693791cf721e4860feb35f309af4e6dda33bdd829ef4834eab4306bf8be3e47847288717e0f0a17c6dac9daca7d5ad3ec2fe91a864e6548c30bdf2c0269c3a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec2433fca372ddee70d416df272b0b20

SHA1
7d9fa9b62274467ec7e0f4dfae53ca085b548cca

SHA256
4e2a8769cf87fd261ade0f3c33b76d69085267e8f683f42622b2510429b9a69b

SHA512
87e30a368a2ce2713ffb3704d87370c30dbcff0ed616362e83fb83f241b0e2958ff906c7494349aba8e58a61058911e8b207d47ce641c3f9b0fd3a4c994301be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a0d3d71b8061855e5942db3b00b01e5

SHA1
40b7c9d506c76031815b05481dcb004f463a9552

SHA256
a6256c65871c7ffd0ce28238149e77b48d8a2cd2ec5649d8b8177bdbe999360b

SHA512
f58c7a31ab2aed5092abe5ce1b50a3a882d7471e1ef4e9dd1e637ef832a889399842dcea6da35ff412f5f9e41a0b30d8b9b9b7f0625d0283252de7b1e271a49d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f977e0bfaf0acd56e06f5d656b8ca3d3

SHA1
fc1a8b217edf463b9fcb916029e204594ef34862

SHA256
9f94f96611b42a5072caf5486cdf6e6b742ca06c66e4561a296e1391f7b29515

SHA512
0df9cdfe5d3b8ced80a93ba178d34245233eadb3bc8749729a9f29acf211d035ee53b03a026eca6acdba5e2031c4f32b8cb22ecb5c43fa5fbfdfd2ce9347a92b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f33cfadbca49ecd6603c864b89a2e32

SHA1
56adf7eb97527f2d28c2c9a8c3cc74b7e3dd8b6d

SHA256
95439ad9bbddff00db365a54b995a477faadc49908e90cae2ed95210593fc101

SHA512
6f6b84ea541d5ea5ba7c92bee2e07edcd95918ce0a8e25004923b39eb90b441f909166e2d3aefad7ae1f1b94f5e68b2a3b63839fa9b8f301d94540f78ade2cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ed63cfe2356944d4ebebf25fcf56575

SHA1
c04887161202e4d3f39a70024c38cb5420ac8dd3

SHA256
00b8b7862f23fdeefe6918b942d8160e8d49b2957bf97a04fd011f7fd52b4808

SHA512
ceab1ddc66264f544d518290ab99f96c035dbe2f4cd0ef5d88c60172870e066a7503cbd79cb4986f919ce9af4496db725434f31a6c40f527740781d23cc91ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3aa232d044c0cf6a1b26ddb4378f9ef4

SHA1
232cf584adc6596e27bd84a726fd9fd486fce077

SHA256
ed6ef2a2be0bf5274bf6655a37099d8a1a3d1391e960183dbb9442678a3cda0b

SHA512
853b3b4b3a9020d5d6faba0b808c63afecfe0b7db1fe372256545cf1d41f350bf197d31e1432db30b112d2cb5b621772d1d4637dc07557b6302c8591f2e363f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9c781936b02889f115d352353ba913f

SHA1
ffd6e608f8217376aa593741c482bfbbe0486ee1

SHA256
2daf2eb88b26f5f6f15ebbd3a99223468134ac8575dc16ed9dc2a011cc2e9dee

SHA512
239abed9ee020f40b0bb68e43ced3e1e417a4bf42599eb3d3170f09332894fc09efbe34ba4ee4556ca8f65f1bcb240bc40065b3b034a08ca5a85991d34b527ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e49f682392687318e2e3d6740bba04bf

SHA1
75a126d5d0c667920a32b769bd7a32485d74637e

SHA256
44d26155745019811c8ecfbb62acbc81a0ba22215b50c0e4a7e34f7860028e5d

SHA512
2bb2ad0c6f5986023ef77d1b3c638c317b5544236afbdc92058014eacaf64d18bfd8979dd9b7751a525ce2520b246229589bfd4d70b20751d53f5f68a09c414a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
145fa93a4033c79edbd44b9c71ae7f7e

SHA1
253d3e5ae8cac52980781b9cffc870e4ec9af26d

SHA256
972425abde71b11b73d7d066f7d564faebeea1896d44147e7a76b7a7f6ba6a51

SHA512
7e7957b281773a0e32a775b948a5b9bddc18cf94e56a6b8395f50f00cb93134ee02f3e375a026fce54e210833841a7ab0e03ae7af0357c579c2d893ca3ed40af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8db52aa10b7322c44916a5cd14891d1c

SHA1
435f9af32a6237df472ab21677493dcdc795254a

SHA256
5c4d96ac515cf79a396382e8e04b543c16fdd83f38170a49ec6809631840a856

SHA512
a7099c7f6656c2245958a08f763095571321fabcbc1d17800553ad2e6345e76343f515be0e7fae42bce30f04197b4f922844d149b12c03fd15714e11e9ce23a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e182c65c553b158af5aa441cb8016bb7

SHA1
e230e2dd0c0c930061145b5ef266b58e2c6060e3

SHA256
06e442f4c2b54e9e7eed0faadefb0beb7825438a70c43ea850b191d7da22677f

SHA512
91ffbd53d71b7cfba8663d40289c81b74e3683b3c2a5f0fb8def5b224f8bf794f6b43ea1a5fa29a6bc7294ae10a1bb66f1eb43c4d1c9b89e3c7a47cb07a74beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b9247cfd07a83f67c3ed7525d6c2282d

SHA1
8b8edbfe7b3a7893d0782698720f6236a859ff59

SHA256
a2672042d235eacddcc5edec05fc730a9f014b8099fa4422097666ce9bfd3e5c

SHA512
54bf75258b4fe6d7ffe253ce6ccde23c16414b01aabeeafb8459a383e5e11b4a42d5afc3a79445c74211ac0fc12642ee075040fcbccd3205eebde4013187ff5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E23B47B1-3235-11EF-9A72-56DE4A60B18F}.dat

Filesize
5KB

MD5
084a35254502de20a949a59cfeddcd18

SHA1
d0daa5c3c7400ec742236ff8823f1c26abaab106

SHA256
0910c7a6c76e5ef09a69a225984687746608dbbed9a29624350c6b19ce6fd4f7

SHA512
f5ea7f5f9439e3be6956a45b45ab2f7e42ec35d17ecb39ded187866babd2cf379a3ed757dafd1b24e8171de0aa7ea27602a6e500fc0fabec068178a936e65892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
4KB

MD5
e3c19b5a8346aa69765538bf0f2f1cf1

SHA1
fb0ec0ca5e7ca9de38ae713f724443b246b3ed9a

SHA256
3da73cd5a75bd5e82ffbef04ff82d6cc74bb40c74f8f4da4317d17a9b595926a

SHA512
b99ce2f1605f97b0836051ac7bb87a3a69b419e33d4a960d176ee7dd195535e62665a3cdb342af4b91d75cb572fd70905cb7ac22e0cc25c3248409c9137c06bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
8KB

MD5
80354fe8df938b3569bc1e04758280eb

SHA1
384d50206b954398aef76c51e959695a58ba730b

SHA256
75fb022620128b9b1ca1980ba05e6bed1094871f1ce525e5db9bcb191cbdcadc

SHA512
3928a8992f61c560c67e4a0d855bd230ce126609dd44d798e377b90f7c01fd5ca2d777862e83a8035503c468bd0f08e1d07e6ba17574a563e5925bc89944ef3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3895.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.html

Filesize
92B

MD5
fc43f29dac5f86135b8deb6d7a28e35b

SHA1
5e35ca771584cfefa2be96900c4674aba5c7810c

SHA256
23930a4558a4ffa78c6bb3290520bd0891f695e875f0689674a1df4a6c98db4c

SHA512
caf22c27717a2553aacd9d8044acadb115bfe6ec979197396fe7812d84479644a9ebeab80a5e9851ca1d7ae5cc10f5eaf3c8db81843c1d5f5b22e863493130e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

Filesize
333B

MD5
fb1322e0b9c01e35c3fc58a651782d61

SHA1
17db04223042ce569b78ff17341596b708837940

SHA256
a11da3f06a514aeea67415cec7806b95a08f0f9f18901af642aec95eadad5955

SHA512
a01eaa77fc2ace259c899682ae47191e1c9d2611cfef0e3407d42831755774ac649b26e28da015bc1de318d41bd73f464e360939e0c9ab131a986140e2b52400

Download Submit
\Program Files\Microsoft.KuaiLeKuangBen\Hijack.exe

Filesize
108KB

MD5
090d04afd5d5b7df5cc1593fbad9cfed

SHA1
2949b43ce077caa4a55ce3e2b282b03334d314e5

SHA256
5bc4a5bfcdb11fc91439c69f8b120badd36f52ba05e50f2476c0094573ec963e

SHA512
213cec24228f4f38494bbb1e0a6d8cd45bd70a9cf529182d0774922c52c5aba7c57a40b32728ecbea47a08b256fac053a4ce9df9f38f2179933dc703dcfbbc77

Download Submit
memory/2528-1186-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download