b838a44f3df6cf6d09e9ef42f25d3139ee4cb96dcfb1047a689c7836d201c90f

Analysis

max time kernel
85s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe
Size

108KB
MD5

04878737071b22a2c2ca138defb34cd6
SHA1

d09d2f7565c888272af4180aaa84dab444fd1b7c
SHA256

b838a44f3df6cf6d09e9ef42f25d3139ee4cb96dcfb1047a689c7836d201c90f
SHA512

ea479e9f17d182de471c7e08d55dd14ccc7589ceb0541941d70de9704b055738386457d8010a451eee5ca9e0b6db04a48afb6b43930974a8052b93cfd3ca5f24
SSDEEP

1536:eaWDboVghDhHy/PqZBQ0jFjWq0Wn0gMT7fuDSMCd1oQPR2oz:90M6hDhHy/PIDjFj90gdSNd1oQPR2oz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1220	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	SMSvcHost.exe

Loads dropped DLL 2 IoCs

pid	Process
1220	cmd.exe
1220	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.bat	SMSvcHost.exe
File created	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSvcHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2852	PING.EXE
2068	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2484	taskkill.exe
636	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433922503"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f1ba1ec313db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{42AA57D1-7FB6-11EF-A2BE-5E235017FF15} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb000000000002000000000010660000000100002000000057142f85f186a3640b2fcadee26769a5121c4f6094ab0091110d143932dd348a000000000e8000000002000020000000fe0dfa08d2ebf9a4910d353b03d38c165fbdcffe708d8f3023bbf9e498fe2fa42000000058096f3057357d4c5cdb6116776c7ae1bb275daef009beb3e57ebd923322b2194000000089e0ec440a5650b981574dd7206bb213d8424ea5486b13a33ebf5dad2b7e5034ea6350678f4af079e9c0fa6ebf9f5a49423380c05e97a1d81101601227a9bd46	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000aa7f392ec4fb134f045b26b79e575a1ee32a04c28e3cbd79a46d4ec481c0bd89000000000e80000000020000200000009fb4ae7fd23ab8d7be95f9bc8b6837eb0ba0acb99f04fe2f72e1b578fdaf5f02900000004a9b0c6e1919effc7c5a2420b8604e8e09da877089ea4e7bb57586e51e4a538a2597f68617966b21f2f4f918e3b3bd0c64a7a384e8f914f58bef8b1ceddae60a7d9218ecb811771d3a4a4cdda91876076821afab527e3c49f6df67c7de53e1eb9ec885244427abc3168baadfcb93d99801988cdde1027f0f847111bdf144f7b472666fc90a0ade82b37235b658c5b42640000000cb9f75186b89ec166489380d5f609fb8509eb7ef34b59a77cf657f7fec55631f2c86731e279bfa576b767b1442dcfd54b94eabee4dba41a49242f5d0a3034879	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45B76509-7FB6-11EF-A2BE-5E235017FF15} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2852	PING.EXE
2068	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3048	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2220	04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe
2884	SMSvcHost.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1220	2220	04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1220	2220	04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1220	2220	04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1220	2220	04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe	30
PID 1220 wrote to memory of 2852	1220	cmd.exe	32
PID 1220 wrote to memory of 2852	1220	cmd.exe	32
PID 1220 wrote to memory of 2852	1220	cmd.exe	32
PID 1220 wrote to memory of 2852	1220	cmd.exe	32
PID 1220 wrote to memory of 2884	1220	cmd.exe	33
PID 1220 wrote to memory of 2884	1220	cmd.exe	33
PID 1220 wrote to memory of 2884	1220	cmd.exe	33
PID 1220 wrote to memory of 2884	1220	cmd.exe	33
PID 1220 wrote to memory of 2068	1220	cmd.exe	34
PID 1220 wrote to memory of 2068	1220	cmd.exe	34
PID 1220 wrote to memory of 2068	1220	cmd.exe	34
PID 1220 wrote to memory of 2068	1220	cmd.exe	34
PID 2884 wrote to memory of 3048	2884	SMSvcHost.exe	36
PID 2884 wrote to memory of 3048	2884	SMSvcHost.exe	36
PID 2884 wrote to memory of 3048	2884	SMSvcHost.exe	36
PID 2884 wrote to memory of 3048	2884	SMSvcHost.exe	36
PID 3048 wrote to memory of 2864	3048	IEXPLORE.EXE	37
PID 3048 wrote to memory of 2864	3048	IEXPLORE.EXE	37
PID 3048 wrote to memory of 2864	3048	IEXPLORE.EXE	37
PID 3048 wrote to memory of 2864	3048	IEXPLORE.EXE	37
PID 2884 wrote to memory of 2484	2884	SMSvcHost.exe	39
PID 2884 wrote to memory of 2484	2884	SMSvcHost.exe	39
PID 2884 wrote to memory of 2484	2884	SMSvcHost.exe	39
PID 2884 wrote to memory of 2484	2884	SMSvcHost.exe	39
PID 2884 wrote to memory of 1996	2884	SMSvcHost.exe	41
PID 2884 wrote to memory of 1996	2884	SMSvcHost.exe	41
PID 2884 wrote to memory of 1996	2884	SMSvcHost.exe	41
PID 2884 wrote to memory of 1996	2884	SMSvcHost.exe	41
PID 1996 wrote to memory of 2192	1996	iexplore.exe	42
PID 1996 wrote to memory of 2192	1996	iexplore.exe	42
PID 1996 wrote to memory of 2192	1996	iexplore.exe	42
PID 1996 wrote to memory of 2192	1996	iexplore.exe	42
PID 3048 wrote to memory of 1300	3048	IEXPLORE.EXE	43
PID 3048 wrote to memory of 1300	3048	IEXPLORE.EXE	43
PID 3048 wrote to memory of 1300	3048	IEXPLORE.EXE	43
PID 3048 wrote to memory of 1300	3048	IEXPLORE.EXE	43
PID 2884 wrote to memory of 636	2884	SMSvcHost.exe	44
PID 2884 wrote to memory of 636	2884	SMSvcHost.exe	44
PID 2884 wrote to memory of 636	2884	SMSvcHost.exe	44
PID 2884 wrote to memory of 636	2884	SMSvcHost.exe	44
PID 2192 wrote to memory of 876	2192	IEXPLORE.EXE	46
PID 2192 wrote to memory of 876	2192	IEXPLORE.EXE	46
PID 2192 wrote to memory of 876	2192	IEXPLORE.EXE	46
PID 2192 wrote to memory of 876	2192	IEXPLORE.EXE	46

C:\Users\Admin\AppData\Local\Temp\04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2852
- - C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe
    "C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ?mac=5E-23-50-17-FF-15&mdx=1fd406685cbdee605d0a7bebed56fdb09bf31c7ff062936a96d3c8bd1f8f2ff3&ver=53-10-34-65-6
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2864
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:603147 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 3048
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2484
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\download.html
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\download.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 1996
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:636
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
562ec47b8e9a080bf13d0e45d6e3a444

SHA1
466c0d4e9c4c7838d7cd4df2101a83f42dd4cd4a

SHA256
53c43e92ce56eaea865035ac3cc4e4b301a91729793bb28cbb948a5a6dc12a2e

SHA512
7fff62a089fcee43b0de939f7e9cd07278e295a6c2fa320135c57fb7306731d128205bd54e40786cbfb416346be8e377c63babc416d7d0f0fc30aedde723ff93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
55eb11da690591dbb4a9775bda46ac5a

SHA1
228949b6a75f8767be64e596ac15a52481066983

SHA256
a2815d6da61349f62d50a94067225b723be5a1a753559176c702491e8cbc7c55

SHA512
331f20c2c5f198c3094eb25fddd284d25525394bb308298fdb87e1250ff586d4213e5ec09f413e19671d527661de7e0f3af292163b9c667650f27808a8701f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21b2d069a06ee2b6149e207d5f4ccf8c

SHA1
f77fad865a05557db8c66822513eedb1bbf159d0

SHA256
9afc0674fac563b96082e1f8cbcf4a8c6e63d04be06165cbe144fa0e4aff4a7d

SHA512
da75a9f7e7453fc6b329e53c9624ca3c445cf0898529ca8c952e507500ca569fc2d5609fcf039c8721b6bf5ec3549d4bd00e4d85109ca872cad876df9ea1dc4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a6d1bb0cfe0ae14b8816304eb0b6621

SHA1
3ebaac416e8c663ad70a8fea779bf3af2fc6393d

SHA256
bb2930410f977734b88d6e74523ade4b0b1a7f49924a7c30fc7887c130741e5e

SHA512
89e6ef333f76faf6801eae84af58d25cd5dabdf677d6dd61b026a85fdbc56e2cfb8170722b62c00822c16a4779132b74738ea4fac816aaa8dbbf2e2904ed5af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cad9d1196655efc646c00c898d233105

SHA1
8cf8044e503609e145ba6e228565e3883997557a

SHA256
b80d2bfd042a6c186bfc45763d3ed8fff6e981c381d145d7c642acafe6037526

SHA512
92f807fbb447387ad1c1b752e71c04f5e18c0d396466824daa3c80537de369b176fcd977b62816c62ef8ef93561443e77ffa3188ce58a903335b5a31a582d2ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2e3fa39e75b545ebe473336c196ada

SHA1
ac32b5c4dd2862be4f5626a0ffbd1abcee592643

SHA256
1feae15fbc6061355b556f49b3c136c058740e5d56b49a7dbbc52a066e2865b5

SHA512
b4a3798e7c8164b2c718208170bfa8d84ffec608a4384332bac37db3ca7658592a61be7961e806ade4e86521616d27d9b558aa1e75e53f91a65aef7520c5769a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
450ba9bd90c70fe04662f03c5309e01b

SHA1
c4675ac214e743f8e7cf3de063aaf2630c198d01

SHA256
6ac4f432c11777e43dd3e033c4316e649b3bb813bf7e10776289b42dc9762dae

SHA512
cfcee2186684be81a14713a4502a09c2ef61bae4b47e1b410070beb76f67d96cfe71ff506cf258911fcb2ed4e3af8dfd62c88e6a0a587a99797b16ff425ec5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2147b971177a2629a62803eefad4784

SHA1
8d744d718ef190239816b57c4403c096583f7d97

SHA256
d6d00af323d3e7290adadc73c83bbd2d7f894cb696e839663fb0c983a624bd94

SHA512
d37fcb0c8d141e6a70cf936734d0e6c8a33ec39f02c9df85e75e02bbf9e70ec12403094fae72b8bfd75d83e8cf4cd278ffdcf58b5cffb33332f454a2af34337f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56856b5c85a05a893358846a18fece1e

SHA1
0b7bbc75a793336fd28ad5d47727fe76ffeb5d67

SHA256
d9b4f1b627f88965570d9da386313ff7fa1a1ed6007af659d02721388893ca19

SHA512
d31cfeaec0b47ff0d7c18d0b2c1b7c037f0a74810f59c3eeb4d974b42fc6cd5d1ebff07a9416788c601ce5065b8e5e287e6f043f5ccca7c144fde8bb345450aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
808490da1c9945e9f18662d209a50541

SHA1
0e4a04d4091a9da23894312d7f46740198c759ad

SHA256
9d90ffe8c48a06f3607ac80992473c3899443c29429b14edaa02da6e20a3ccb2

SHA512
e928059e5d4c04654b4b6fecb5de76619fe7325eda9d271914ff46c17edb93ba48dbaef2e92c48dd5dbc58e696dd808dbb5bce23d004cad4ad1920dfaa464a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
744fc05062637074ba081e2e41a060cd

SHA1
67c0858dd32a2fa2b3e86154035cc538c531e331

SHA256
5c1769b555b4e2f8d3f65b386c64d1c43d9ff0cd18b14222087b9568dab6615f

SHA512
8d244702c3d98dd419a0c173590d57b681767642346cb0f2832015adeb95a7650e09801dab49256c877f30449e0192c2bebee73afebc04d1b9291f076549ea89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e14dc75695133d738877cdbc7294a18

SHA1
1e0074baf3bae39cbf8e358ff7ecbca349a60b0d

SHA256
68762f6e42b5b36af11ba77f3dc55aab24cae25cf3ea5c40e7cbfc1c6fbf30cf

SHA512
ee4faf9b1fa94ef07e90c9e46507857ca95850dedaff5515ea84cb05396eb3d0cb13459e58faa647e4dc83760ba621eb738fedd340ca0a51b525afc0cdebedac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f83123ddb9b7025cbadfac890ccb2df

SHA1
ad9617ff1773a05f6887c4e6ddd5fa9d0fc9cbd9

SHA256
d21a350c6f5c4930d6afcd38f0f3f28054dee39d22963052059876d6e6105411

SHA512
75f42258b013e2272896e3eb53701dee0a95a76edc1cf3c6d43a0f8b2078caae1894dd1c6a9564b0610aa2a8b264ba120332e73db7b3ea0696fa2a6a70b9fef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6598ebcc8022acfa8baf989ddff0933c

SHA1
7ac42b093915404cf9db0dbf45a789b2d55ece8e

SHA256
ddde7d3bfa62a7065698773f8df66c3e57814ec3f5cdc145d51a38d12535f43b

SHA512
ebd2acf228497503f642d9b6dbf1bde305191b84f1e5e72ebddaed6ff15e6db61a7517cd959fe125bf923ade91aba7f3011dcc87f68b325ccf56ebce03bc203d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
453823f5d065c55245ea2be97fc66e30

SHA1
f360d4a95292f86423440caedd574f3b6d071772

SHA256
8fb69f267d7974c9f802cfdf0f6999054e6601310d8faae324549bf3f0fb73e0

SHA512
42d7df987effbbecfa6bb8c975a273dc0228782fdb6d29ed2f3b9d2dff93f4e8148c8f7d5f60b9690f3466dfdac800980eccd49016469a5120d89aa0d3f3c0b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c30f055082920b0c35df170e92432a5c

SHA1
8a15bc5eb23f2e97ea2ae58966b207fc7d3719ad

SHA256
3f81fa4ddf5b35e9f023a40e7cdb668d5a5bcded115be44f6102f99283bd0bfa

SHA512
2f53632789fd948f2fa1e618c5fbf025bfc83d4483cabad73057007ee0808d8a66aa8422f640ef24d9771bdc6233def7862cd61384a1b1f09931ccd887532acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4405f00a0fed4b49fbc3423b24cd6b70

SHA1
26cbda78a524f105715d162854aa8ff5634e269b

SHA256
5084baa64321ce26df04b38e8a80cea1c5e7e2039a701d37d49ed809ebd0cfcf

SHA512
991b74c324a7a4003089c86af702a83c4cb2803a9b9d162c0edbdd95dbafd6cb3812b77e27c7a8d98559c5499f12c4e6ba4b29f39b0d28e868485c35dfa66ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
177067c4e989816d91c49e085f4929eb

SHA1
ed377f9c28e5c856a749dffcb6119427ade18819

SHA256
b131a215ef9686779f343d522ffecc110cd5f3b2698034619faaeb7e7cfcd842

SHA512
d5fece1168f8d71e44dd4206cae94f2e07af3df770da7b1df568c654b79918eacd92c62f83d07fa276c77f97d165575049851076fa2cb19966c92e409e892524

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66f86a4f235ce1265b01ec11f489bf36

SHA1
2e333e24ecfd93436398b0587132cdfc10d03819

SHA256
d48eb9ec30400f3184393e20b87a5fed61d7269dfa36161257a55313f92a0cb2

SHA512
b2e815968e8a2d445730fbdd9d2b5e79818070e8afd8ede993ccec2c1d9d31e89e4bb5129dfefb12718125916c95e20565f9bd7b34d704a429cd3eb6777c2fa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39ae687993fdc115f7ee813124362a62

SHA1
594f25dc0c87c5f9c25a86e779cda7547737a0b0

SHA256
e2531236dcb613c586c05a8123ffc733626fe571d50ef14a80a4c09206670776

SHA512
5348581d47bce915b75e2b1cda26edd6911d42326c1d1663063eb544e6ea6a2d5301ae893091797dbb774d3411945eca4376d19d08ab60cb99773b27803dede7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e36941b6021b70eade9a5e63b3f057

SHA1
2b85d81032221cb748899452971f2d765a0145c2

SHA256
844e63dbf62d2ab5dfd89363ebe87480e9e1c46e75790c0c47cfc8ed27cf1960

SHA512
9f0235d7d03ae7a78f9dd5a4b62435d63c473c7d35b75d2f8a20fd0e8de33502f045979c45281dc2d2391491e18b2ae4a467c2788b2fbfa9c84346ddf3527513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2c136e197b73e8c8aad5ff7c77d7798

SHA1
10eb4b4dbf05d2b95870dad5f7051f4207d09068

SHA256
110972707812bf4c7cddde158416eddb032766c72a76662624567b9035587f7f

SHA512
df7110fe1b4f1547817fceb43a4260a8a9ad959e9cf2286207f13cc36625f35be62f2ebbaae3265458e03786d30d03340d706ef2b728574650d743a33fa5561f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb50b6d7d9a273dc3ce382a986aaa814

SHA1
cd49b3093f0b7e58666b851dd5c814f773fb1916

SHA256
358d7c704bf3ec945fcfbfc3a2ca5ecac04ef69e3d714ef21211d321eb2ee520

SHA512
e2f32c6dc9ee133fec929cb0eccb6c6c881ac1abaa10dee9bc23a1b9af1beb261c71a8919d9cc08f3a20ea3ea4452f5aab6d186d345b93497b836da04d41f6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8970de2f65478ac844375a4da99b166

SHA1
4c92addbee9946d71556b2c4d45bb159947f6cac

SHA256
80e4bf1ca072c1858864d7df71d457cc1c5efebf8accdc6c130090d866c6bebf

SHA512
34e0bddff92174ab8309bd8ff6cabd3feb2031c8e6ff595e5196e47a9b7e59b07bb28b6dee7938ce1d6af25679364d4c2e94f992522839998b3f7c47b6f45c12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
544d1462069ae8bd0a1327277d6440a5

SHA1
ba368c07f03e664824996f9cab2fcb1d93924fb1

SHA256
9af2ccb646e75ef6fc21f7a8967b8e7b33e09fb035ff58a2312c4c4d7583d82b

SHA512
80ef990f512cdee50b845fcc36ccd554ac0188786facdfacdc808b47ff20c87d59c58f56a0c0d25193d4d20df02c8e2ce5bf2a66c4202782aa5fb5146623986b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
077c5c8ae63e78de59d950cce89b0daf

SHA1
e29cb359c22efacd0018e7d47e94fe3053fabf65

SHA256
3a43dd35fdab17a274e63baf87ca9e078ccecdf5d2aba2575c6e553e37d71240

SHA512
4705d6c379f3c73fadda3a2199b9049bd0dd266040497201553392fd9baa2c4f13d16723b17aa72bd8ead01edd94b34d2cf191e7a7c4d2a6dc87aef93396f5e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c568acc3e41ee33a9954717fa4d1304

SHA1
2ee9fd880a3b57e8d75e9c16d77fb6b1f87b0412

SHA256
cb633252ae8193412afcef8e59ec58688f23d893c04cd07b3e869c8917412b6c

SHA512
3c5f87e6f75e94e6bf8e6b0a1e185964257b6c1bf9f733be4cf6d160fd416ad8f2fe226ced5f1e6823f2184e8281a2dbbd6c9776d69b4e1d19a42d8930251a63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c3707ae8500d56d1d7a07a72eae17eb

SHA1
2fcc958d03d1012bc8ca39541556fbff6c4a3a27

SHA256
78341a6c4ec6dfab8ed44b56742da48a2176e7afb5101446f10cd30f2321a0f9

SHA512
3c58074f96a7a094b2440655a0f8f8321976c0f23b725adca0ce11fe088ffb4185fa8f0fa07a90ef67465687763e83c4ad494a2386e85eae51d6cb381501e08f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdb508396a09c52cf6fd61fd614abf56

SHA1
cc3c062090546811020e07d359383fe9ab40b00a

SHA256
552623c75a4f6eb1e321f0536fd2b14381ba018fa69e2c0db4df6777bf78f67c

SHA512
0735ca25c14d9e17bcc7c182da5ffc8c8af6d9e487595f81fdf50579f58da74667eb4440a9b46a34a024dae135c074b2736981577241b6135a45fa8e8aebbdd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa428f2474f461a59f9953e528660148

SHA1
79aced1a612e3d2a3f1344e1ea71a6669ea5b6cd

SHA256
e9c7ca309815d6e834ac51afaed4eb8d2b2072ecc20e01f5290058070cbcd1c0

SHA512
a9de983c99d1f720c3a16cb40d9d0d1439441d578ecc6439ea2eacd7ef9de8bee81da6d551c4b93c708199773647dd0b4ea35f88077d7ae373dc0f40bec55424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fa19bbab01d1c238245f559737d9d4d

SHA1
ef866e08f6d618002d92290ea2c6e82647e76e49

SHA256
f40c735da1db44a24cc1a05a5187575725dc0f58f362e891aa746cc0d1f98a35

SHA512
10e4fd6fa0256c5e41c2316eef4eb5481d40ecdd3fa548b973a5bdf41e58c0c7e22a8cc86ee5e12d58d384bd8a4d25624675fbef4038b44666d651a998c9c207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c24c3a37812efab7905e3f77b0e38704

SHA1
37c7100eeef3a297f41f22b326476b2c0baa2cdc

SHA256
1aea9599dc0575efac4593e0e43e84c84b8af3a38ddb1cc0c12a1457bcf4cd2e

SHA512
900cf01bf3705c9478e248dfb45cfefa5673cad57982b3d46888c856e90c9a3f415952ed3ce59d15a4eb6e15939bb832aba887fcf21d3da2b80a2bb468db7e09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f59a539da1b672524a7100dd4bcb5308

SHA1
5fc0c8a5acec4c3246793627a6271a4a30835e63

SHA256
919b794d6c304faaa413e5ed1caa8a1f0ac49f0ae68f40b67f8b62bb19ece37c

SHA512
55b34f83dc32159e98c35f104bcb70078d229c8f2518bc02f1ac3b5b115e4c82509a22f2bacd37a7fc293f1fa2b5e82169a788027755186a7d69e6c52b658e6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50263709a35e423f1a82eecd01b4e7a5

SHA1
b51f7565ca0083179744bda54e756c77d6ad1bcd

SHA256
d3277c0f27ea9da2bdbab7c91e3eca26c587a7c3fe98442d121279a13c44a435

SHA512
297c0b605a7e0aacd29417f436138bb68570e7b2e44f766359807dd36e94d8777cf863863c244f1ad4a9fa6f370904ae06e90ae659516c40b230ef7ed00c1d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
baac9b22197f94db97619e9ffffa5547

SHA1
342a553a659a1ce634d25ad840cab67c43236690

SHA256
b636a51365856e04eceb96bd958395c97456eb8a127beca9e6c3351070415e9f

SHA512
4100a4e098a8844578e873b9b6953908b1d870a97efeea46d855b8e4cb9154097c75e5002d8e056124687be937c1a90ebbc9e33e7d583cb209927b21a19a554a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7af3bc8cc1a0903005fde9249ae788fb

SHA1
d4295da1ec8724c55d035d1582845c208dba5db2

SHA256
61f6f633148bf3111abae3bb1a61c4513f9e6b1413ac4bf350bfee2f603d5ff8

SHA512
2d8c4d39a3ca4b21b4ec0b7b3d2640fc677cac0ded0de8189cecea307e2969b85d85a4fa55c0839cc42fa1462b2a44c8d475545881f2819fe5935fb037c9c502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af1e60e68e994567bd8fca7bde239bb8

SHA1
901e4df0eaa36840d7b1516ba847bd2179ec829f

SHA256
892829c1feaff53e7be0c97f31fff9b68f8ab365c699387d7ab6d9aa93bcf66a

SHA512
d03fd545636f1524c800bdf8b7583f06096d69bf42f6240b930bf45b9b459171246c316cf3e7fb176eda7e50a4d9c2ea8e113cea9a42a25575f2b6632f2225b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0313b37f2a7edcf90e4afb9affc9e83

SHA1
b1a45c5a3053a484a537bb75bbd0f80050972d53

SHA256
4ae0cd11502f22056a1e662834c929eaf3b68152de652f6e71ce2d4255442400

SHA512
d2bd2e3e3661ffb02cb6bf806ba314b069123cf3932c7454a532584b651d1c382cf1b93761dd36e801977ac89ada60ab50e880c052d132492b5ed33d8d5a9c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0bbd3cab1b40715d518d6c70a065d77

SHA1
3f8ab49cf2f45aeb507f66494a3eb15fc9fbadc8

SHA256
bc210c51b111a6d202cd5e8f8c69979483804c2030a412f9ee83f693bfe2f6de

SHA512
3006e008ea103cb40ed5950a1c3f46e1ddee6f593caeb66f4487d194cdbcc03b589e4fcfe16fe154d8d00ae8c935b816e4cbed3c0d2ec761671cbd3a1120f869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9602ad35f63eadc9c78defd7e5dbd19

SHA1
27344a826e09bab91999552df9156f5ab7c4fecb

SHA256
2523bc71088b589ce39aa3d461b868fa55dcf8ddb02c8d6e14496a5851a6b1b9

SHA512
74ed86d9190313975014f77a2a0c0350d188ac66d638549212aa7e8e6ad806a9ce32f2651b13f60fa3ee4d7a14eb3dff3a0a0d4d90730f0a08e4ee0d6c4d332a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53d45ead9fbc6505cbb3a6b0e543a992

SHA1
b56b7ab97bc6de71da308774ea2f6ff45c3ac82e

SHA256
9b93d071f89218f7e40ce3745faac79ead6f531c5d13efd7f54dbeed344a1869

SHA512
b3d1dc5be00f043fffa41c5556ada4dfc94586a24681b860633d71c5087fde5e06cd344706e4da360f36ed2c444f476d7ef0fa40a070b07fefb9b7a8e9dcfe44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ecfe4bdfb667cc84df52e72b7a39051

SHA1
204f3516a610dd90acb7a9c200a2808484828628

SHA256
e21c25af5cb83da6b7a78fa66dc3f4ba3e034c4918200d766020ddf9a476a569

SHA512
a616784f74839da471020e48c6331fd690f79c845def091c8255a0c43d085b41e794eb490bdec586b0fdc4a3102212d899fbecffdb9de0be842984ced2d110ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
add38ea2d07e1d0ba0636e9f4151a8db

SHA1
01428d9176605cd351312968af2063ce55d86f0c

SHA256
941fd75a894e4df47a249709d5d7719400fb97ed46f088bf427fd721258d8dbe

SHA512
76bf94641c91a8b4b0d895d28e59bd1295c2811c3aae3c9eb1b613c5515115bc62d80d535b5619cbf5cda6dde4e8d85991258bf3cfc81155fc477958add6d1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4aa5f396457f8bcd4889d80f3a1a253

SHA1
6ea54597859b04d14a7f9c0ee50a31cc4e2db34b

SHA256
d7f03f9a2bb8b4367f9fd8e34af91380d8e22f4b6d5d8e92ea592b230d70b087

SHA512
889ced24b04d97219ca8c6d3d0cd43605815ca48ce8099b5dd5ebff7a32a492d25c5f78e3a01c1dd9f1e41f6d1f6763bcde896f0157c305d4dfaa324e8d39133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe7e1f9dd065e5e77c51538d6ccb6172

SHA1
cbb4186923131ee64c6c82dc56571c692a12d0ac

SHA256
7591204e829b18b250dc73ef8634a142a62818214a012207fc8e1dc0c4b8585d

SHA512
7551a384b4d8671a5b06666e85ff39d617e885a9ad9659ac0250af0203ab1783323468dcf8a12b856b28d3048c00bea49cbb3b447974cb90da2dc5966a08cfd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d040c31c87e945195a74160f48dc5adc

SHA1
afa40f9aa347af032f92ba91f50be9a368fb4b63

SHA256
3f70be9cd02f6f7c0f55120408515544f60f1c39b920d93ca8184e6782799ebf

SHA512
af31e610b65fc59609e7cbd5aef61964d1592ca7a24c155d78acc48533c46d09586dc3fdf94101ebebf578562ba25a04e66e6bd3f9ebc958e14564ed75e43d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9080d6ce6e7491c5547b9246c1dc6c48

SHA1
51075512e8ec8ddeb72182392988c90c7f5afb1d

SHA256
b203b24fe80ce7081d9ed074ccd78ec7551264d14f23ad538412d2379acf827a

SHA512
e53b76aae80a52b9f9491fad61c201232396dea04496265a41e733a9b86a615c8bc7468e598eaea9d149031829f7ef6d7e56d30b9ce298be98bdc6b1221cab27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f693d3a7b97e7671461c6e3e9c0700ca

SHA1
84729f4bede89526f6a61a26455bd11d1b5ef76f

SHA256
f94b5b6c0d8b5f4a2f8a754ea287dbe5ddf8d37305ccbb09a76cf171ac21ba07

SHA512
ecc962a9ac82744f6d50b245178c12bca24382f9149f02d5d585af70a2458965bcbbce15b43dfc8c27a3942bd6dd99958c37a180262f124395c61fd802eb0f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17373cd51f7155ebd0e61295522bae5b

SHA1
0d9d1ea1f104deb9bb069f09ee423860b1016aaf

SHA256
4cf10ae52cf9a9abf31313e3e4fc7065fdfe2db9f946bc3bfaefbed8d2a3d76f

SHA512
4d48cd8a3b1d3f005cd7eafde06fa03eebbe37be218d779c2e4cb5ee5795415baf6e5381fd3ce33cf8d37ba185d9aa8aee193f02860a0c3b881d7b1ce6184325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8ead01234e018febab8e325ab686a2f3

SHA1
3df7750cc3349f1b5471dc1c59f8359e697a2049

SHA256
373b45ddf4d60f11704a0d90e71939133fadde4c8709f8f6eaf284cac183fab5

SHA512
fa9064e3fcde710b3288ad568d14b5339b40519e14d9f0ddcb3562457eaf6e51ae4b4d828e7ea614b0d6e79b5739aa088e4b1f7ed82c0c2c830d1a2f7100d493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{42AA57D1-7FB6-11EF-A2BE-5E235017FF15}.dat

Filesize
5KB

MD5
503bdb5a80e3d895cda7db2b75fb5eaa

SHA1
8047d71a1b26b49651756ef8fd344490c4cdc0c5

SHA256
067eec6a33a85a47c4fdfb07bc3af33549583a1fe44d6917686b2f08983f68d9

SHA512
df39ca6afd924634fd6cc6d62caec72b71756dffeb0be5b7d64f92ddf8c7a47375c360c5ad300d3ba7aa95a0b3ad60ce8354256afb4636be6311ed63c50acaf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ivwlua0\imagestore.dat

Filesize
4KB

MD5
dc413f21fb40203bdbfa0a107f4007de

SHA1
db2be2702d208b0266c01cce82f8a5d3741563a1

SHA256
6b938baf9e3c1bb6cb360ade48f18f219c234abecff264697a209d1de7a76ef1

SHA512
d3cef613539383a0219f2eb11ea4a133291bea52247de967106d85476add6aa765037180fb70f5dedd63f548a737fbb249da877e9027dff4528885e879000a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\favicon-trans-bg-000-mg[1].ico

Filesize
4KB

MD5
5879b2763fc53367a29f1e64721976db

SHA1
edee687feb0438fbb4fdf6e0b9bc941f2a0c464d

SHA256
b5f794efdee46f6e8759441cfb2bdc36640f50e47cad9f11cea18bed48e6c43b

SHA512
6b04809dad6d927b7c9fe0d674b8e14c9bb374ea069558e53468e33da76be44c8de6221f90f719462bcea90bec1a90ece58a706e440229ec78d81ba9063ad0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC798.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.html

Filesize
92B

MD5
fc43f29dac5f86135b8deb6d7a28e35b

SHA1
5e35ca771584cfefa2be96900c4674aba5c7810c

SHA256
23930a4558a4ffa78c6bb3290520bd0891f695e875f0689674a1df4a6c98db4c

SHA512
caf22c27717a2553aacd9d8044acadb115bfe6ec979197396fe7812d84479644a9ebeab80a5e9851ca1d7ae5cc10f5eaf3c8db81843c1d5f5b22e863493130e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

Filesize
339B

MD5
5a98d5d2215c0ccd886a044cd89d9858

SHA1
14f5e6416dfd8cc6c8957b38f9b9ce494d215917

SHA256
fdbe8534c2667ed467ab87c09ca74d98bacbccd3509c991161187d7d42041490

SHA512
ef89962d86628d6c2f3144ef6e16bb56d4c97ae67d9d8df62c6d9f69cbcad642dd6ee5a5242cfaf44c95d717aaea1709acedac4ecad2eb849534aa600a476e24

Download Submit
\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe

Filesize
108KB

MD5
04878737071b22a2c2ca138defb34cd6

SHA1
d09d2f7565c888272af4180aaa84dab444fd1b7c

SHA256
b838a44f3df6cf6d09e9ef42f25d3139ee4cb96dcfb1047a689c7836d201c90f

SHA512
ea479e9f17d182de471c7e08d55dd14ccc7589ceb0541941d70de9704b055738386457d8010a451eee5ca9e0b6db04a48afb6b43930974a8052b93cfd3ca5f24

Download Submit
memory/2884-1335-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads