d69868cb989e25a136eaa658f66f687ef02736fd4b52070c491ec699a061dec7

Analysis

max time kernel
122s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe
Size

108KB
MD5

067f62040949050c5e47620a6bbd7055
SHA1

12a04896d8e22a76252ac3ce1e74eb95d4ffad19
SHA256

d69868cb989e25a136eaa658f66f687ef02736fd4b52070c491ec699a061dec7
SHA512

46ad2d7f796ef36eeb8f0f76307eca3da2f9bd74282eaa5039318e863ada57eb36aeedd9e8f16c6efeac148aa635daf61715aa92e2d4b3540120718e0258f4a1
SSDEEP

1536:eaWDboVghDhHy/PqZBQ0jFjWq0Wn0gMT7fuDSMCd1oQPR2oF:90M6hDhHy/PIDjFj90gdSNd1oQPR2oF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	SMSvcHost.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	cmd.exe
2120	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.bat	SMSvcHost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSvcHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
268	PING.EXE
2292	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
1644	taskkill.exe
1400	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80b5b8a31d14db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433961383"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000009c43373dc5639b7111bae4690236cd0208979c5a057a54e00bee7982d7e1694000000000e800000000200002000000038e0e0a39947cd002efb005ba9bff2866c98b767babeb2a0696533e5a666352120000000ad15d2b9236a1208449427a813806efc517653fb6cad7867d655024f2b766e6a4000000072fde3bdc22ce953fb3d7f58eb73bfd90926e582c1e50bb33b23b58cceb4b1ba6e2da4742571440aa69a901ba0707a196de2a9ca766f1f5c65a094da10bd85c3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000004be739514d5c2067dd016c6bb60549c965f3967da0d590c6bfc1461a9ee84c43000000000e80000000020000200000009607a172f8c21634d3222e6f01fe47a1f579013d0dc2f0b8f40dba52570e92ff90000000712e70bbf502757c62dc8aade3fe5fa2d7b0e9569f4bdd016e39fc64da8efedbcf02a6c98e7770c91845b766cd4e6f93125ac6d37aefbc3e82dbccff8abb52b0942d0e1233d426050263c5a54cf659085fa0ea462c5494c8ae9148a75b27343df7c31b98394a96877547b719d7d4b175cb5096ab73307ef98a86a5f6e6151bed09da3efd3b2bfb3661472b9abb63d886400000002659435ad5e50b9d2e13d933147f56e78d92d9ab297dea7a81e03e9db0cdd9568c43f84852820d49ed69d8ef904f4c5c77ee61624be679aa366cd4e1ed5d53a7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8F73151-8010-11EF-BC71-EAF933E40231} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC04EA69-8010-11EF-BC71-EAF933E40231} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
268	PING.EXE
2292	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3036	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2868	067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe
2056	SMSvcHost.exe
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2120	2868	067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2120	2868	067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2120	2868	067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2120	2868	067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe	28
PID 2120 wrote to memory of 268	2120	cmd.exe	30
PID 2120 wrote to memory of 268	2120	cmd.exe	30
PID 2120 wrote to memory of 268	2120	cmd.exe	30
PID 2120 wrote to memory of 268	2120	cmd.exe	30
PID 2120 wrote to memory of 2056	2120	cmd.exe	31
PID 2120 wrote to memory of 2056	2120	cmd.exe	31
PID 2120 wrote to memory of 2056	2120	cmd.exe	31
PID 2120 wrote to memory of 2056	2120	cmd.exe	31
PID 2120 wrote to memory of 2292	2120	cmd.exe	32
PID 2120 wrote to memory of 2292	2120	cmd.exe	32
PID 2120 wrote to memory of 2292	2120	cmd.exe	32
PID 2120 wrote to memory of 2292	2120	cmd.exe	32
PID 2056 wrote to memory of 3036	2056	SMSvcHost.exe	34
PID 2056 wrote to memory of 3036	2056	SMSvcHost.exe	34
PID 2056 wrote to memory of 3036	2056	SMSvcHost.exe	34
PID 2056 wrote to memory of 3036	2056	SMSvcHost.exe	34
PID 3036 wrote to memory of 2760	3036	IEXPLORE.EXE	35
PID 3036 wrote to memory of 2760	3036	IEXPLORE.EXE	35
PID 3036 wrote to memory of 2760	3036	IEXPLORE.EXE	35
PID 3036 wrote to memory of 2760	3036	IEXPLORE.EXE	35
PID 2056 wrote to memory of 1644	2056	SMSvcHost.exe	37
PID 2056 wrote to memory of 1644	2056	SMSvcHost.exe	37
PID 2056 wrote to memory of 1644	2056	SMSvcHost.exe	37
PID 2056 wrote to memory of 1644	2056	SMSvcHost.exe	37
PID 2056 wrote to memory of 2280	2056	SMSvcHost.exe	39
PID 2056 wrote to memory of 2280	2056	SMSvcHost.exe	39
PID 2056 wrote to memory of 2280	2056	SMSvcHost.exe	39
PID 2056 wrote to memory of 2280	2056	SMSvcHost.exe	39
PID 2280 wrote to memory of 2952	2280	iexplore.exe	40
PID 2280 wrote to memory of 2952	2280	iexplore.exe	40
PID 2280 wrote to memory of 2952	2280	iexplore.exe	40
PID 2280 wrote to memory of 2952	2280	iexplore.exe	40
PID 3036 wrote to memory of 1780	3036	IEXPLORE.EXE	41
PID 3036 wrote to memory of 1780	3036	IEXPLORE.EXE	41
PID 3036 wrote to memory of 1780	3036	IEXPLORE.EXE	41
PID 3036 wrote to memory of 1780	3036	IEXPLORE.EXE	41
PID 2056 wrote to memory of 1400	2056	SMSvcHost.exe	44
PID 2056 wrote to memory of 1400	2056	SMSvcHost.exe	44
PID 2056 wrote to memory of 1400	2056	SMSvcHost.exe	44
PID 2056 wrote to memory of 1400	2056	SMSvcHost.exe	44
PID 2952 wrote to memory of 2036	2952	IEXPLORE.EXE	46
PID 2952 wrote to memory of 2036	2952	IEXPLORE.EXE	46
PID 2952 wrote to memory of 2036	2952	IEXPLORE.EXE	46
PID 2952 wrote to memory of 2036	2952	IEXPLORE.EXE	46

C:\Users\Admin\AppData\Local\Temp\067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:268
- - C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe
    "C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ?mac=EA-F9-33-E4-02-31&mdx=a2ef406e2c2351e0b9e80029c909242dc16a5320fa475530d9583c34fd356ef5&ver=53-10-34-65-6
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2760
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:537611 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 3036
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\download.html
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\download.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 2280
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0a0d5315b138700ff5d84a2bfe332254

SHA1
ac715bb2bf6f7d630e1997832b2e5dbc33177f12

SHA256
5c64d3e0933e4b6b9843c3dc6b28e2ed39262e04e7628a32a896b695f6347d35

SHA512
9d3a7827b07c12898575a31d1c5f4d7c237ec7340a42a69f02491eed3d2f7df60abbfe2cda1ec6362c75df8f39db07deaaca6007f2fff45908f307cddf62ac40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
c4dd6f8afe0c6434c4e45afb10f794b0

SHA1
3222570621dd2349b6429e9528d0a1c81c2a5852

SHA256
382011d6b20b56ed048b06bc41e6d06b70fc95ea348cb1c7adfb27b9fd9ff0b7

SHA512
a814066120afd736b65e7578174f5175ac18a11f5d685daec0cf489dce95084b6827f1563fc20ee5a9311ddc9682e55a724328f32aa689f59536d33135a8ad7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98fd5efcaa499abbcefbbcfc6c917e1c

SHA1
ed7ad711b4f7ddf27349d483bedd34f24fbd4aa5

SHA256
7efcee16b78513278118c97c5979d26f7271b4207b80343f64de964053217eec

SHA512
408c24ddc2e17631689368aa911710686e7126b668dcf684650ebcbfd9a2b1785c95e20ada078d87c8a9bfc6a870c7984f48e3b8c506fc5499424280891ca5cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8364afb4628fe339edc1de84fd21a8a4

SHA1
8865fb770351c31964eb9dc4bc342a0e1e2dd8fa

SHA256
72da952af3173785736ea07fced5f55540157dfe87138a3b6b0d8409d490a1e2

SHA512
76e7ac77dbd164b1e96b873eede84e477c2a881b74fbb42359c08ecc3a1fcfb15ea0ea72c87ff839a1e03e4e66c42e90aa7356f5bacb1c2e268deab549aff5ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6235d3e1a431a41b77cf333adce0e52

SHA1
1bb9827c8605eb1da4e27e8e41fb1f758d2b970f

SHA256
6b27dcd030432288765be5f37ff3944162f8e9a5a81d8a0cce3e3af982a52e24

SHA512
3b5cada48ab3010f56128031723b2e5db2fb5d383fe994f61241a9db335376bd9bbec94b970bfcffa87db318df40fd8ab33cf184fd678f04e64a6b09b4e64225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d0825fbf8d78f405ad16449bf4c525a

SHA1
44c33b83055c2343f3560a1e527a7248eab46673

SHA256
33c7f137f65b7cbce67975a9c69623d608a825c72b9309179364e4a33f180504

SHA512
2accbfeca20ea316d2784532e0ae468d7e905652da554c9c9897d8367cc9d3fd4d1993939d244a7d546a3b02733c233543e9267c2febe4ec73edbc49dd42c8ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26d6461d5c02a90f83320033c9c9866e

SHA1
f1b05d774ebbf95866ecd338139525a12f532055

SHA256
15ed157fc8503d38b159a73df7169201faa5e8e5ef9d0374f604bd1726120145

SHA512
df203421f01507be9a6e34979c396699814b90e7812670c4de7d84e5dde10e7d3ccace356b7be472bcf6638476006f54a80371235a66aa58c2c5369fe179a64c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fab18683bef3ee7f39d23f8313eb4879

SHA1
01583a6d6e8f5a0ca7b38a1160767b471f7a7fc2

SHA256
130b34b0a656bc60037ce330ef91d9ef30e93eab955944197e3fe8a60d032f83

SHA512
8064bc626ae956800f5dd1453b7b7c34432416b0e6db3838f34201261c92872724ebcf878988a7e58a0b4dd1c053aa075da3f24433538c4a5e7654d7375fc07b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40d71c781a841b45242ae4f4db41ef88

SHA1
1da28dca779da3bcf86f9b494d3e1ac970254a70

SHA256
e014826a525167ed6f8b38da85d02208340cc7c9a578f11bfdf81cda82c2d051

SHA512
3a15ebef0176055d647766655f4a9005768aaa633a82644831324b22d73f9fc99946bf76f489b2fe92956a6efe5c0ddc93d68183c032b6bd832a79f1b2c45e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b6aa9125a32b1f89becca7be0db8539

SHA1
9b778af7a7a3b47e30cd9e1842b70fb0a110ebf4

SHA256
024cc8390195af443a53682eb9858685977ccfab29e23b851013f05e326c8eec

SHA512
69f41880c6114c535470652a8ec4dd62e70ad2c11c09d54235919f7db30c6702b4c2e736ad9bfd6c6432c58be51cd006d23e72a1c3e7b22a9110b9422e5f0831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1dd07f8f2ad8b7f541db4298b6df640

SHA1
c78475fbb0882feccb30590a489222ca27393709

SHA256
c1573f40d687d9e1377646c1ed6487e4efb30c0df2a9b78b2a9b8898998e5ebf

SHA512
06843cf63eb27b537614a2336aabe13ca975291212b5f02663252fc4a9a82db900bb468cb34a3a09a9c7f710b13bcc62af7e6f0b92dc0f82ea5f2a91be35bea1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9aee903e5a0acc46cf65f0817f2fcb4

SHA1
0270b4eb60b835dc88183e3583b946d3b0facec2

SHA256
103447115f42d6e78c8bcb606dc4fdd09e4a6b1fdf85e8ec8d2bf89b26be9da3

SHA512
92d3c6dae18cf0540d5ae534d8781ac786193b284415a2999197c3e8640988da23f37fea93574eaddc7ad2d64eb061216575ecd833c0dce66a8ee6ebe4a0b9a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dc5deae7deb4c823de885653597fec1

SHA1
6248b015c6426188d510f8e97b746c83ddc18529

SHA256
e7032fc4db1c0f46afa21f7fe3fe6abf6b0970ecd99b6d62f20851c61276da5c

SHA512
49f4722618644db36067272362215301f94352e23ab8a669deace600ca9f1d17797e78a3695c6457c71134ce60dc7237ee68048c41b9a2528beb353d5390aa2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12f95300de474c6a488273f707c86ab4

SHA1
ed9faf516e73de90b5de677e548f5f4bdc7e1e73

SHA256
dfd7e4d41e8519b416662d67a9d49fe73def1e8cf8f1ded52eca60dc80226a29

SHA512
fadb98fada5519755e1a28c497eb7f4121ee6cde937b56eefef80ef1de7512c99cee1456f61ba91f83445a818711b94c0035d67759741c73c85d9accb7154e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31950643d1fca42b26e9fde947a8bdba

SHA1
64f103147b36d936c95aa22c29f666ef1e8584e1

SHA256
fd33884dcef31115238ac61fe6c8d129f59fafbf725b9ea2abb19c5bae4999b8

SHA512
e56da45b94e8b897124c766e1411ef8e3962bb43beb6e24eff4734a0d30f3a5993d1a852690fd19b625a87f4748801eb88f0996fb5aaad606963f2bfa3721289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2555ddfdcad7f3781aa332fc39749209

SHA1
04473e83d3df71f2d235feeb190cc1d013016022

SHA256
214634cea6d8188b58129199b64d8ec74a4fddabd3adc9a59124e9eda46c4e13

SHA512
f788bc2abbb28fb22e31d65cd80d6605a7015bb9e509bf1b32bfc2d59e18f357b46aebbf2600375f7e7bc07ffb98579c301a65955e2a0f7861ab7bca92a1e501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1400b4bc7dc08feed98e34ac48133ba9

SHA1
03540c639a57f06d7c6231e4a10ef2f7d71499d5

SHA256
a7797a5893530ed98f569038f58cdf7b335d0ef44f505ca552abda74d3042095

SHA512
25b0416728480338c27bb5c0450b0677b3ae0e7e982eebf8dd4453d2c9463bc78b186fcb542c4dd7c7b2cc81068f4c11216a563568742e2c84fd25f35abde773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af4b8528b815783ecc9cca4ca08ce737

SHA1
748bc1ac27d2421f705071de3895bf8bd8f9b601

SHA256
adcae2a065a3843e5ec63378e18b4d46575672121bf0b9535e9ff7e7448c9dd2

SHA512
d7869131d87965aad55d2a10c6a34ef539923f401befee33d8524410f2263f9c5214b62d9cdcaca545722ea799e59d90d6e432ed5f25b6783eff701c98e8c349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71388c9915c62e5d1555781dfba3eaf2

SHA1
cec4870abe83729582311306122a0d2325955a19

SHA256
283867032ed358da974dd0850c80ae5e6254b6d3145b107ceb372dba4bc11c6c

SHA512
b4e05b01001276ff5d1cacaab0c9fdc9807c94ef9236e35b4e59a2db698ce854ec7fcf57f2c7ba5340bedb1f7efe00b2e2c012c2f45b48f9955487c2f1bcadc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32e5b45fc2aed5bd6f8c18dc0bbb276b

SHA1
f91817a7da7105a2eebb75ae5d9a5a3ddd0df87b

SHA256
7d61106542db2568afbf21a8157301364a4c3671eb4feeb9c41f126cbd7dffc6

SHA512
ada6b6f0160cb16a90809b54db519b625685ac27c7bc9ef0dda08259861cb9175f13a2633e593bb8919335e90d7df341282416f5e750b1d229b3ea3686641b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a16ff3a871ffe5f83bc3f39ef28d7045

SHA1
77b01b72c7eafcdb0eb9a8ccf1da82c747c26e51

SHA256
c73b31bec05c1dba538aaf0bc28024dad6de002fe3b93c80e9ac495ad36cd35f

SHA512
051adb7a907430766469011e21570063a98f21e30cda8445b81f18bb9126b5717c4ed2714fb77cccf235be369db60d149d0ae9561ec2d6191521f017f2a02efb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55420c236085b76c23252fcf9a41f578

SHA1
e242a815a62a71e201837758d9928b12b3a54320

SHA256
192434c27dbd88c9e9b5bf87a0f5f9d190ebe694b67939df6a4e13446eee485f

SHA512
b60acb44df14fa914404da13d92768bc762866cf13d6203673a20eb01e0dbad1afc3ecaf87472b7758a10eb9cd10cac0d56cc7234569ccb644ef6322b51bb839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2462352facfbc180c223809975b40e86

SHA1
416312cd5f41acb8f1158f4c37bfc350771980fb

SHA256
affda9385dba7f4c18b8d1f0ec98ce7bd663c82ffd6ab6b4890841686f66454b

SHA512
76c55f8ed82121bc2c254a65269239feec51165b9db43fa03c6ee2174ca811294fff13c4db49ce5fe2e58b4cf185bfe134f6896b49cbccaa66dcb134d630489d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feef19564b6c9f806bf25b6125c415f7

SHA1
c7ada4eb6fa227accb2ff79b910042f2293cea1b

SHA256
9a5f4bcb77d2b6b493b3c009a79c595553e42e69af845414607773ac2c976c4e

SHA512
1eb7e2b4d8546988f464f679137a7fa7d97f388fd50050eb4710590ac48267fe77ac82fb0e88aff589ed6ef217a6713d3aa3118211878296708c59768b413ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff21a877cd86d5b3f17167884f555872

SHA1
990d2f6c036399badbd9f311ff49bc3c8a2dd163

SHA256
1080f51ac355ef3298b0ea699eda42d026ac3441d0b9d66c833e71dd56a1fe64

SHA512
4c2c46b7d4e4db9e56b2a14de5c66a08d6bd8c7808ef813415917a6e96a2c34015cb4f259d16fab330a853aa82645e9e807ecd7fc39eb762964db782f709fd1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2546c4042ba7eb8225e58b654e893d8f

SHA1
5374b480194e029bb9ef64aca46d15969b2cffec

SHA256
7dfd19cb89d449121e6a021bf0836d8a5e5632439d6f616e2afba769366f9c68

SHA512
02d84402f3d8d0c9f294efe7c63e1f03a131dabb9943ed72b9eb0cf6651900b966d579386cc07ee83414eaa8e81038733c3b589ef7c32d36dfb590c5bc6ee63d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19155513789b10d8c906625377c3e13d

SHA1
cce5f65336965b6a91553dcfcd097a989a495855

SHA256
841f600aea3bc288f9182af9f2cdcf0b64b951db14e667238fcb11ed3d0e1436

SHA512
05dcabb3861571b5783238a0081814aa253ca8a09eab501be86483d5cd49d24f28b0b5faeff740f9403194f718573d2798abfb82bb6bd8aee839dc1f6cb9c0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25e52d5bf44aad17606ead6fd4c5cb76

SHA1
e357715f1389f06c3717c7a67fbb3fa582dee618

SHA256
70ab31c1baf5006c3977cbbf7dbabc228d68565d1029e6177faee3db968065d2

SHA512
0ffa36a64ff36768d5e47dfa6c2a1c7fd8ff9ba9b7d1ca5232dc05b4565af17249c57fa471539fade4708d2f34ba62fdf12af2167695c0e098ac5b1b0ff5e826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a364da5717f30e58c858ada1b4a9a20f

SHA1
753d847cd690b50d7a74ef2b71a6adf285cdc62e

SHA256
9b5b3fc1e9b8697cfd89e2fad8e9c425a99c912c774f99c4222b2252694b4a27

SHA512
e75045a61500aef727802a8c9484e76150b93b639fa578b26b703b6571e248dc9b80c3924eea75a2f46429be4438f8c4747a3194490af254414b144f8395315b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7d76df9e3ddc0e2d252327f97d50635

SHA1
8923e78a0d6a84eed3f5dfeeccf1ce45f26cc824

SHA256
65597ee9db2a6f96787fbc288320327ddf46fc633a33d54b760c5aad009c9000

SHA512
079b72408ecb0efc741492423373abaa7d49a51a4f05c3f611d0dae3a1fb7220704c78baf742c2154ac28110219bc5061686cc3e5399ed076b50fd350633b706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7077e3c6c4bfb887a8ca5853e9f39009

SHA1
3cb735a04fb86ed7f62dafdfff48d0c2a04b8034

SHA256
6904c28ca7ca40d485bd18e75e8df459a35d6bccf2bc2407af32ab90c50c7e30

SHA512
4af3d5b4ca23a01eee476a05dfa011b34c08af9ba0b07924a6ee36da659ee52d766c8e302f6678ceb005f753935f614202f9282e1be86e3df320df61ff56817b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3cd5ba24b8a08bd50841f9852dd0bf8

SHA1
5255878f8899f0ae4e1a4853a5aac493dafc85ee

SHA256
5ef97cf4f4c0e1140e8d6e3e1298b0d82e47fa3bbbb70dbc884c4b41b9c99d35

SHA512
956395b39f7b6db21070c812b21d55c57de44215bc9d8c29882f5f13ad791f446dab908bff9d2e3939951f9509ccf92fb75e1db46d7db6f3573337ae30139006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80e9650719eea4073cce59704be1512f

SHA1
b20783c2f323a1599f938b28f9b0b173a20c3ac8

SHA256
7056b52293a5e09e0b225ed533abf2eae44e47904a52f0fe8938ea0953be60e1

SHA512
c7cbb6b78aafab8d131530ab19d0ab4751d7aaa899c85e0d7be1c9b48b4ee2d852eb40ff8d2516c68b89f071510ace7e7f6819e05876a86985dcb3136c610d4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d24cf66d7c6847d66a46e04c9670168

SHA1
7403ca7cb039519b2c0fe4f798de9925cec10de7

SHA256
7038e1893d644d35bb8824a3f7e06ff82035e12f819052b607181c1056d2de82

SHA512
011ea3945c9d4d93a04c4fba4eb31974bd638886aa6028ff79768cde226ab2be0dce989545815102f337895a54353830b7f8700731468360b8c72740751b9cd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63e5094c0b3d201758dde705e4d8b869

SHA1
5280cf4a50bc62b13f9958429505ffd683c0e720

SHA256
aa34af1529cc0d91a57d4de3047874f57df4f2ab4d8688ae23fd768ec900793d

SHA512
5508757e15d56020d67ce2892af6c430b57668db5fe7ea381d39d007412ab0329bef2ce39b1a3de616e9e18e30a5dfa8366b4891e450acfcbfb3bc250337f61c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed28813ea14a13e13f9024bdec75fc08

SHA1
d5832aba42e218ed82af50b57111d2846f8effec

SHA256
09ef1e63fee9a0fc0d703e7894beea2f202438643905a4414515b79d3707a232

SHA512
7dad9b1c345d1d31c55919a3524bce357b30743ee23c89d5d6e029890767056857f4600b8b2da5861ffbfc33f7269e28490521c0b8ce9228481b102ad77957b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
479cd2957b045a7e8d7909a22c5b1e11

SHA1
e34175d67a1670c519d5e29611b2c06ecba5c248

SHA256
645c77625a89c6387cc7b175b3346a3eb56ddb53a56e6dba3436a050fdcc528b

SHA512
80ef48340ee731415c4ce9fc0a028825e4dedceb17bb96bcb79e389aa5efcf9524b42ed409904a6159326c119e3590a0d5dbbf77e3569c657d6f5361248d1c67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f3169f408a191e265c096ac3fa074833

SHA1
744ad40530861846fd7aa3b46b524b6a79823f18

SHA256
ac11cc30895ca49a796a5b8344dbfe28328830b9e0b2995611a9e987ff5d33c8

SHA512
d0504cd53912a99c550754b7d07ea22071be8065fd6095deb75ba85a27ccb076222cd01d7cab675cba0061bdcc9001390eaa2c8c85687c345dad88b955f37aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C8F73151-8010-11EF-BC71-EAF933E40231}.dat

Filesize
5KB

MD5
85914113a26de0f859bdf0828bd54464

SHA1
0eaa64f237e00fea427a2031a672bd87268b6d5c

SHA256
349f2cefaaa811f67ca147158338e34e0eb32a6dcaeb00f1b5a2c7485ae15b4c

SHA512
aef2426a7cd3347669f740af3e0a55c52fa7781b303eb36d6ed796295f19a1310891d1c5fd15fdb5a5c13374b9d8289545f27849136fdb984c1d8f65e263b094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
8KB

MD5
a9422395e30760acda0910b99db62dc5

SHA1
7ba8aa576525f501a1351f576413c978a39ea0ab

SHA256
dd39345a8f9b609a25f5330e0cae4ec93722ffa53744179355a21337f9fc8602

SHA512
91b7a2bc8fc49bb21b7339dba54b59fe1fe351f32e4f0b51154926dda345e0500ece3aa089ba07d3313735886a7582de55d042c238cf6ec9815817c75e0a80ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB5B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB61B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.html

Filesize
92B

MD5
fc43f29dac5f86135b8deb6d7a28e35b

SHA1
5e35ca771584cfefa2be96900c4674aba5c7810c

SHA256
23930a4558a4ffa78c6bb3290520bd0891f695e875f0689674a1df4a6c98db4c

SHA512
caf22c27717a2553aacd9d8044acadb115bfe6ec979197396fe7812d84479644a9ebeab80a5e9851ca1d7ae5cc10f5eaf3c8db81843c1d5f5b22e863493130e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

Filesize
339B

MD5
a98052a0eb984a28c4d966b36be3af73

SHA1
641cce390deb06c64ed7c8f4fc5be7ce08715f7e

SHA256
2d549938b17c99736c4b159f4b2269ed41ee72d463d17e9dd6804a3013f6a116

SHA512
a0f67fc3bf1e86ba1552089ff18f368e8a07f04519ec9822b416b974949c42ef76a2b0943fd3e3f2e7e2f9ca79e4f78039c2ec6277132ef42ce76e4e554604c3

Download Submit
\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe

Filesize
108KB

MD5
067f62040949050c5e47620a6bbd7055

SHA1
12a04896d8e22a76252ac3ce1e74eb95d4ffad19

SHA256
d69868cb989e25a136eaa658f66f687ef02736fd4b52070c491ec699a061dec7

SHA512
46ad2d7f796ef36eeb8f0f76307eca3da2f9bd74282eaa5039318e863ada57eb36aeedd9e8f16c6efeac148aa635daf61715aa92e2d4b3540120718e0258f4a1

Download Submit
memory/2056-980-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads