3c098c97226f02d7f4e65366828d03645485dd6e68615cb8aed5ebf9f97c807e

Analysis

max time kernel
117s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe
Size

108KB
MD5

169ac8e0ae499d0514496fd2f18dd07b
SHA1

7923573e1ecabfd0033d4b100c9c743b79221eaa
SHA256

3c098c97226f02d7f4e65366828d03645485dd6e68615cb8aed5ebf9f97c807e
SHA512

a294788cef16c88c41a7cc76d8c105f2c047ae90274957b090e9153e9548973c6540e20bef33325e69dcf0726b7031f467ab6e429ac1d7dfd732351a9f486f7f
SSDEEP

1536:eaWDboVghDhHy/PqZBQ0jFjWq0Wn0gMT7fuDSMCd1oQPR2oG:90M6hDhHy/PIDjFj90gdSNd1oQPR2oG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	SMSvcHost.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	cmd.exe
2664	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.bat	SMSvcHost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSvcHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2732	PING.EXE
2796	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
1976	taskkill.exe
2364	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10cf5430f316db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000008de92316cf02257d2ed007c71212834a6e883e20e9fc343c9c2be2f6d3312c43000000000e800000000200002000000006aaca6dc16eb702dcee6c4c7e6c99c649d22bfadbd5ad0710903828161736f6200000009e138d0fb3d6b416790ed7ad712d67da0f962967d14cbc8b5ae82ef992105ba940000000dd191b81ca1cd4d64c0fbc7cad282ee4150d0a1b28b29e0328436769c33f64de02918ba29ddbeeb6cad19f90a549a2fac440ae2cc8815594c69b083f8a9afe5e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5899DBF1-82E6-11EF-AC61-4E0B11BE40FD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000007e4b16058fcf6269f6ff3a32ff57c0a48e7f9b1fe65af1ca58d66c4d272d2d56000000000e8000000002000020000000fbff26fcac00559d805d2c1a8493db17c6c5ef2e2c41c52fa3be3af49ddbd6959000000038b89cae34864c67a1fca51d67df9eab78aece6fc2cabd17d6e770ff8a6428b47ffa278c3409e377676327474851c4d4ffbee4fb101fee5287b99f64be8f583eeb4b933ae36405add44947b9c5472c4080a9c530982375f4fc237775424c5a6d04b6fde2b7276af6a38a37e300687198b8ffdf971f4f1fc509792567ade18d4309664868ed9252679a58fac843380ff640000000190cd966e6fe01b6024e2205807c3829c2977a4b98a7cc5cd534f67cec1edd1c25eee7cfea630e50fc3b05ca09feedbe3f1b42ff3c4c167fe103dc39e5c1f234	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434273003"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55945481-82E6-11EF-AC61-4E0B11BE40FD} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2732	PING.EXE
2796	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
808	IEXPLORE.EXE
1844	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2872	169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe
3060	SMSvcHost.exe
808	IEXPLORE.EXE
808	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
808	IEXPLORE.EXE
808	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2664	2872	169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2664	2872	169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2664	2872	169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe	30
PID 2872 wrote to memory of 2664	2872	169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2732	2664	cmd.exe	32
PID 2664 wrote to memory of 2732	2664	cmd.exe	32
PID 2664 wrote to memory of 2732	2664	cmd.exe	32
PID 2664 wrote to memory of 2732	2664	cmd.exe	32
PID 2664 wrote to memory of 3060	2664	cmd.exe	33
PID 2664 wrote to memory of 3060	2664	cmd.exe	33
PID 2664 wrote to memory of 3060	2664	cmd.exe	33
PID 2664 wrote to memory of 3060	2664	cmd.exe	33
PID 2664 wrote to memory of 2796	2664	cmd.exe	34
PID 2664 wrote to memory of 2796	2664	cmd.exe	34
PID 2664 wrote to memory of 2796	2664	cmd.exe	34
PID 2664 wrote to memory of 2796	2664	cmd.exe	34
PID 3060 wrote to memory of 808	3060	SMSvcHost.exe	36
PID 3060 wrote to memory of 808	3060	SMSvcHost.exe	36
PID 3060 wrote to memory of 808	3060	SMSvcHost.exe	36
PID 3060 wrote to memory of 808	3060	SMSvcHost.exe	36
PID 808 wrote to memory of 2984	808	IEXPLORE.EXE	37
PID 808 wrote to memory of 2984	808	IEXPLORE.EXE	37
PID 808 wrote to memory of 2984	808	IEXPLORE.EXE	37
PID 808 wrote to memory of 2984	808	IEXPLORE.EXE	37
PID 3060 wrote to memory of 1976	3060	SMSvcHost.exe	39
PID 3060 wrote to memory of 1976	3060	SMSvcHost.exe	39
PID 3060 wrote to memory of 1976	3060	SMSvcHost.exe	39
PID 3060 wrote to memory of 1976	3060	SMSvcHost.exe	39
PID 3060 wrote to memory of 1164	3060	SMSvcHost.exe	41
PID 3060 wrote to memory of 1164	3060	SMSvcHost.exe	41
PID 3060 wrote to memory of 1164	3060	SMSvcHost.exe	41
PID 3060 wrote to memory of 1164	3060	SMSvcHost.exe	41
PID 1164 wrote to memory of 1844	1164	iexplore.exe	42
PID 1164 wrote to memory of 1844	1164	iexplore.exe	42
PID 1164 wrote to memory of 1844	1164	iexplore.exe	42
PID 1164 wrote to memory of 1844	1164	iexplore.exe	42
PID 808 wrote to memory of 1804	808	IEXPLORE.EXE	43
PID 808 wrote to memory of 1804	808	IEXPLORE.EXE	43
PID 808 wrote to memory of 1804	808	IEXPLORE.EXE	43
PID 808 wrote to memory of 1804	808	IEXPLORE.EXE	43
PID 3060 wrote to memory of 2364	3060	SMSvcHost.exe	44
PID 3060 wrote to memory of 2364	3060	SMSvcHost.exe	44
PID 3060 wrote to memory of 2364	3060	SMSvcHost.exe	44
PID 3060 wrote to memory of 2364	3060	SMSvcHost.exe	44
PID 1844 wrote to memory of 2780	1844	IEXPLORE.EXE	46
PID 1844 wrote to memory of 2780	1844	IEXPLORE.EXE	46
PID 1844 wrote to memory of 2780	1844	IEXPLORE.EXE	46
PID 1844 wrote to memory of 2780	1844	IEXPLORE.EXE	46

C:\Users\Admin\AppData\Local\Temp\169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\169ac8e0ae499d0514496fd2f18dd07b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2732
- - C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe
    "C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ?mac=4E-0B-11-BE-40-FD&mdx=d645920e395fedad7bbbed0eca3fe2e0a8fa6b553b655657f943cb8fd85859d1&ver=53-10-34-65-6
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:808
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2984
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:537613 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 808
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1976
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\download.html
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\download.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 1164
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2364
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ad6ad316a597751d8e2800c31cf4bd25

SHA1
cb150c3e74f6ec1f69aaccd956979326d74711de

SHA256
f35090bdc364cd247195cbd9f90512d97704427f48f7a1befe449a731b500b23

SHA512
7faaa937f4a0bafc8cf04c94feb5a1b8d6b7d56569d73663c954b0f5bcb3ba993d9b468e1001e2df371bc332f3745bca88f1825f28e1d7f7d56c4b066e538e91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
53dd339f899fa90979f559aea135c743

SHA1
642ec8b603e2a1e49caccf402f826f2c8b4612c3

SHA256
0d1b3cb74dc5801635a16243f2ed4be1852754136944452a8ea4a075d4b049dd

SHA512
fb83bf68bddbc9176e59413f18a2820740f6aff67493f10bf4a2eda69e541ce7737b3e6417dadeef13208536d235d9ceba25d2325e3869a454941016881070ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75add2a49b09d2104e727f269751b979

SHA1
a11ecdea66693e7c8f5008fd12a936a92fd507f9

SHA256
bbfd52449c3b14e2091fff4bfe3af3dcda7d7a2e37fcf0f0bf1bcd4299448db0

SHA512
1cd6d937a1017a9a4ae68297833d49efa9ff48fd0a66cd6d5790583719edabd78872f562b7a79159775013b019879d73e2d3a137fbd2fb061eec34579a552512

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eb5611d7cd3ec332b91ef6060e2add8

SHA1
1295fd7de23f002277688ba0996fe0ec55d542ad

SHA256
15eb238c9cea3d1056e89fdeffe71bfd64113a78edb118a2b355b78363d04240

SHA512
93b30ac34ddcd47da11e7a1ad74056a8a1e02e6bfde52ccd52171e34172d0b9ad8266958912ca02168d655deb4fa53c65fc5e9e063f5b439512f42eaa02017df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
039900bde70ef439652e2b88621e9077

SHA1
b2165652ec18db2b48dce8563b560e4125747e2a

SHA256
eae6c4b0c4f9365455ccf410412208fd174aed9673b3bd59b90b7844d133960a

SHA512
cbe60403430ee92ce97536acb4ddef8bce7fdb4d59ba964f109f7548d8824baf38a1fe6ae94ffc197af2558609f6e5ea56ead3d9677eab36c132419749e7a11f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4efce4899265730163e9cfb1b046e2ef

SHA1
b5a4054b5cc74603c164691e4f679f578ba16df4

SHA256
95ddf9c7fdabb974b43ed6108caac63798f7696f8a6a749e1b03bdd72889fc61

SHA512
faa3f039e0473c52c720769be07c54b7f0c3d45cfe4d3e001bc83e5ce3af40004d6c31cd92ca7557e64da5acf84260febaa60f477d482b958336397dd5275642

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91aee775e10ef33192f9b0dd841e2825

SHA1
ef96f068883e9986d295fc3ae937be46c7aebf80

SHA256
2f81ac74273f3e08fb02c0cfe4fd90562d07c13c96b781e8a0ac1f198b396ad5

SHA512
c7de52fb8408e1b9adadba93d7b03d1d97edce16e41302e5992fdc79f095bfae18eb21bebbe2385f975bc49605b58164a4559e2989c6a0880e14da77fb0b9407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3b5d562f0bb62c0199386582cdfcc30

SHA1
20822bef892d3daf0408f95f0e5b1e2abb3d2ba7

SHA256
ea2497fd0dd3582a0c7fde34f0b1971958660c160fb7589fb47e00a658287fc4

SHA512
52c8bea45be8e10dc9266067c11a3166fca7543d164676d489144a044c4719803155b5638c988a3321e6dc6b8b1d13afe275996ef9ebc24eb248b00d15c8e7ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
406ab1ed6443a421ed2c7fef551d98ba

SHA1
8deb5df564217438e02c48efb8329b03aa20cb08

SHA256
433cdd4370a4c975cf6afdb1f77659cb69286baf8e9680a6ed73e1557b4b4135

SHA512
a293924324e982b5be5423694d890d384a0002cbc257b69af7e4d8af2746fa77540c3222c89ff2175362af3de250d705dc0a6f958d3a828270154aae91377521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bc34c7d5ce609957c8171702720d3fc

SHA1
7a0e13648e00891e1bc686eb18c3e7b7b7fb8127

SHA256
8889c9e9e418c61395388e11aefe18b78acb315367141b028ad3c1c4deb05b4f

SHA512
5126ecf02053534113cc23bbbbf4a45448e921cf5f4ceadef42c4ff38d34bfa15e19ea1c24d9c547641fa900690ec19ec2d7a224bbd68f3e183ea09aa467fbb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c6a89898ff1317bfb16ebb5f1ade15e

SHA1
3b67f106c96ef822548bbd6af753c34d779d46fc

SHA256
4634e64ebf2f17d6ec31c921e5646b139691c03c0b6a58b9915fc13e579c544c

SHA512
65c1ecafb52e7b43bb7851f15f94e341a7184d11a9c7ec5d9f08cb602ea5e85d4f1facf0a5381892a2c24343172be43e8ea5b4c7b82312fd457d02c67771e2d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4401942f06c92c5833bd0841d3ee49b3

SHA1
657828df7f946e1f072da38a27836194d441153a

SHA256
9915838f9d5f50e105daecbc84ce668e6014e6f1f1dbd111c2713060d2dd29e2

SHA512
fdcb20c6c3c8750aab789df6af9286b3d0d7a03802266084ba8e9db799358d4cd4ac03ddc18c2ca3d9ce692d6150e56610a9b746a7295f84c83eded95afc08ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
386a9f409ae602aea1aea70179e6dfc4

SHA1
b5f13cee30936321a5dbfea2f66764881f420571

SHA256
c7bdc21384d9491e26fd9a27a00042c6d1983c42b683f610c1c82a46a7d2d517

SHA512
6da382300bf76c922cc6d92d630b9b0417660415464984b047d1be5aff13d7ad928ba21f10a84c8259e8b78dab61c882c56efc583cccad53019a350fd98e6b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0a2f56f32545fc6e0e180793e1beb03

SHA1
e56fdc4b8504cae0367ee78217df6a79791cc8ff

SHA256
e1747910d702b180d4ed9fc8d091b198a66d55d9fca556457651ae890c4d4958

SHA512
befa3082d8c6af97ef10bae10a83b32bab2d69b09e060c495d0bc29599f4308e617fdc2b3d63dac425d64e9f4bc93824167402b4c8296ac56d747f074cda1ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
341385bd5ce90190b8112fc1512d82eb

SHA1
588680a7a2681717adccb7bd03f74d19b26799dc

SHA256
b1f3dc005c15f74789ba6f6b82047607edd75f8ef90e6d339b0f4149d0317371

SHA512
0b1cb941a64b8223ee1ccc38d0cc43db3dcf63e861bf6c6b5cbd92c52d5e195a2ad8d24bc2f1475da618d8f0cd6162445aed904e2fc58935927640491cd6bbd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fa458e13d22da49872d5ec13a0cc603

SHA1
1601c32d46a36fd190468e77c154dcfbb62216fe

SHA256
c9ff756fb7bd8edade379d5fd20fbf8927eeda3fc109ae440e06da41f78ddb0d

SHA512
8e5a0edad7ce7eb9e5180de9ab4ed09162edaf25f07153542330fd3bf669fe04ce2d51838d3cc15964d45c6c03df6c3932fe2c022fc725d8ef56f3eeaaba77a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f56d43c7f545bbaf2a26f888d7cabc0c

SHA1
1043b2f5c55f4f6e8499cea122d23db9949e5a69

SHA256
2bb3d16ec2a44963ba83a369d0fa870d2cc75566f4abf097d12546629a88001a

SHA512
cd94ae8f62fbdd8f9beb952a9bed2a0083bd57da92178efb7e92ae22f512eebf25ae9ed360ae9e3c660ffb113626076466047e2b9b943e7050995a40295beb41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
105c1aa106b013cd99de86f474f32b45

SHA1
2ec65b962564ecc84843b24cd9887c09d4cb7695

SHA256
c6fd66664f41eacf9b39f30364b3601dcd8bf00b20cc706bb7935fde11238c26

SHA512
444ee71bb23881b7ed6b1860608a717a9358e8ec53ba9d8e9eec828c2e0f62c5637885b851639806792c193ac0c1ed8b906d0af2d79c0208bd22f10e633376e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10de4d3d34d6f77306089305edd91c64

SHA1
b8014fe2ba6be35ddcc6848bdf0d091e86fc98eb

SHA256
5895317b9612dc64f4b408be7e3c8d49ebb29693c39fb08decb0eea295934037

SHA512
79eb5cbbfecbe7520e84aee56eb2b527eaf446e36949f8e520fa35f72f3a015fb1ef8e9bdc8faea271b44d015393245a45155eab80e808d63f2ebf37017a69a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60431f63248d11aceb49d79fb788e82c

SHA1
8553e58d7f99b10441ad5ad96ee82eb191b7afd0

SHA256
c751403473826e780e87cfc4a0209328028a96c950db7d415dd471d91e1d6d6a

SHA512
d644e8fd2fbc6a8cc15ea3e3b9062650d4d00344c5d8997a2ad3fc8adce839c2a6f05a5470d8b6732a494636925bad77b9301e806d31cdcfdf278433f3bfb50d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42c3a2d1f71047c100e25e23f3158bf9

SHA1
bb7d7d4adaffe70515d0eacfabb7dedad0ab3722

SHA256
b96a963e52713769251fc369c1e9a51cd6d45dc7ea4d2adbb4194c4b1183d666

SHA512
6fb3e372da8e5685750cf4d3acc381f7382695c6ce3182857d57128e84a8f396ee528e3642f4256a07c602f6420debde7ec9a0cd6baa0e727e75d7cbefa0f021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e67d76da5b5dfd8b69a20adfd8acca45

SHA1
52c3c05bd935537672599345a97abe26d2f32f2a

SHA256
baad96bd4a86fb2cb66afc0654000c46024f7fd4cc3b4a6d63f262446460dde2

SHA512
82396e42452dfe3fd04070c75a910ad351b6807f4a91783ed4275f22ed007135859837322498f27dd23750ad0a485c639c95ee6e23529abb93c56243eb8215a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6930c892afce24c51dc811a96449d5db

SHA1
6569383f1b1aa2853940e5765c88b9f7ddcc346a

SHA256
7da3701543ef083ef8adc416708debaf36e3a3ccf7268d06ad0edf081a0a7a46

SHA512
ee0095fad30492f3334ca58dbcf84a09c7a39cc1f4cd122a59dcff3516110c57fa3c2a5f006969f5baa4974a91e0f2505638f88135ef8993c0aede62bd2030c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e13555a98df67782eead2444c45893d2

SHA1
f37bf899c4cb016fb77c4e69ff1673c1c2b3c456

SHA256
e68bb0f9c75cd9b1593df2aaeb4f3487095e8042fb8b60d17dfbfead4d65ce1e

SHA512
27ff9179ba1055d0f82a460cc908178e6414a536c1ef0dd41655b364d811318ad27e57e238d73645b73580581e007819d973bfea08362b4457d9cd91f3259b79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d7b6534d2b833ff947bf9540f1270c0

SHA1
edf2427f48c687e51f31f986ce4f9834216d36d8

SHA256
639a062a57d15334bff0708daa3df80e6e1bf21607fe3e3e44811e62094eabf0

SHA512
07e9840fb56925f8ad9887c233abb41d03c7b74b5a92a93961917c7aa55ed75867d216e83cc90dc30a1ccea8f224d73bf9f4b8362dd2d3d2a352d92b1b146ccb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96c25705b0f1fd62d21c2511294430d2

SHA1
c87a7544a12061bfec494ff68279eaeabb6e1ba6

SHA256
9eaff9add8582d2af0dcdd9528dc5a33d55888cc1aa4d4927e40c90fb3da5097

SHA512
07c9e376b1e53bf33e85c1be69898da4513db8eae601752249644a18445108fac12bb4a3604e8742b81f16758bca50b3470b1da2a47ca24c72583a25941a6198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bcd3e25fb0466857ff32119bb5341b4

SHA1
25a4d667aefc22d9ffd1aa4f9f9ea63aad214474

SHA256
0011120668792089b6561503cf306f8e728b07af27be1db92d96d836cbb66d10

SHA512
25e67ae5231a35f3727f5283357d5dfba6a12488f41a20e49ac3276538797a1f249df2602551313d6ef1b18e041cd06eb722440464445b025b0212ea00729371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec85ddc651d8cba9072628b21c84eff0

SHA1
89e7cfd63ae29677ab30beaaedbc6022d25cfcc7

SHA256
8ebfacafd41febfbbcdc09b89d73b4a54a0842f4dce74ac3d288842d52c1c135

SHA512
539d53024ad168edbba9c9c50f11267461dcd0b25b6adbece2e02cda73044024c1bd2e2d1e3dd3510abf1217289fa752e7515b74cfdaaedce676136bcdbb5c1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1767b3d5b6bf049c125e9b2be355d63f

SHA1
3af7c69cb4e37e22672e8a21ce907c5e147ea8a4

SHA256
b1816980826ddc378ac2dcd9c0c2fdfbe92b6c0bff194238f06a01fd61c7da6b

SHA512
e6de0f973b72bf6adccf01d9ae99d7c098f9ce2f10c3d42ba2e53e8e78adddd9d38f023372f7bf38bfea8c94980fa0c530fddda653bd58fa772924e1de1c94d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8781a56aa534a148b1338a3f90e3cafe

SHA1
d23bc7d53a44a3e016686d97df0d059ba8c86ad6

SHA256
8b2f194ef8225facd2a7063fff9dd5b38a727e9fad9201ed8f7378fd21223136

SHA512
d7283754fd41799cedfab98eb0221a58742f4ccd35ef934f5bc1716473d4e6e898ef43d3359a38ada65852054809ef3b4c531eeb426f9c82d778e693839e8246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99f867c80a89c8bd35b98008e45b1a66

SHA1
da50fd74c102aacab0cef4319fba9f19d3605b8f

SHA256
218366d8c97c29eff2613487a64d7220e9715350675bfe3ed8763940372c97d3

SHA512
6881c1db8dcd545695df4a82649130e763d1ab00aff17ed4d4c73c0938de3cc7a7f766be46a2b3748dde0e0bc29be3f3e7b1000a4e75a3b918934faf38caf9ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318572a4ae37c939d6d6abe6c3563fbe

SHA1
57e842eb11c90f3da2b4ed3c3c3e42a2741885d3

SHA256
147771ad1b6e53c03cc9ee72f8ad5edc645df3c4df98ae51602d537ce0be2aef

SHA512
3b831cf38b3d46420c7c1f211bfa8be4e49e8f1418d58c98963dfb6b3468904f9c4c7ff2243b93713384a6465914f59092eb3f4a1343edf47b0c46fe4b68990f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ecc97dc97fa18af9cd9c3ee515d1a0f

SHA1
0c48d7602fadf6e9b890f99fbe2257791e7824ce

SHA256
a767ae6023eaa6c8231bc569e73b97acbc229b4e694a4ac4d58ec539845b2098

SHA512
9e54c10b7756e3de7b477cccb381d3f332b238d707d100423f8ac1b86f36ceafc5b28f175a3b0bfd36121cf980472691011ce051b58a0ba55451910e6ea61d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8a56396d48b6049add7f0aa927e6dc4

SHA1
4306d852943e947bc862db38fcc67dbe64069027

SHA256
0b51e36facd18f223068790eca4e24917da46d8ee02218a072896247f9fe0f40

SHA512
c131a0cefbb2236abe9823639bc8547d1443a1309b39d35df6a33f0555beaef22d4bc68f4ac3a7161c206e8c27ad0cd343efd9ca9ece9ec1585224c9456ddb6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c9fa6a4b11478ab4cc76baa0ab2b21

SHA1
21e86ad420c12a76f18436fb55328c4d5066564e

SHA256
269604a5640de526208a1d71bd9cbce63ca78d5d508006a46a0704cd266e9fd5

SHA512
6df4002a5b7de792c7b3622e20bb24a97f405d41d53b2fc27bd398130224191181484a1e86bb4129366017809f6f66f8dcd121d82d468454293d470c12d61e3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90e38eb73b2f7acd74458f604f18c7d2

SHA1
98f460ede7a0e01baa4e06f2b980809d57fe32b6

SHA256
a019c3454569d9e7512a4b748e919b81b7600f3fc1ac268404134d2192cb1679

SHA512
d87cbad2bef1d352ed387f1d509eb694bd84ff0881fcb1583cdbaa80cda1b65fde071f6f0b2f604babd06486ce7d20cc5d768c596ec6176c2f2886480fe63c96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4fc60e881cef5140db8d785b66bd100

SHA1
5fa0949a4a191b81d9bd9e9d8e6ed5583855c192

SHA256
55ce56efaeef69e13c13a4c091afa317f3092d56bffbe7dd0ed2b41e70156d64

SHA512
858a99e95166c95e53ee663a93aeff1c7593590d5569ffdc4fffa8b770c59dc86d1a3bf18663dd290de6dc7ffe4f6712b5b6ea0d39edd57615263f8add264306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb37c9b01547c98113382b1c6da100aa

SHA1
c3bb014ef51501ec044d48f71800cd5beb0e34c2

SHA256
879076f6ee5431cf871200dec413b19f7e2695dfb7186219e85099b1baedd302

SHA512
b175e250d4ed007e48e357668a67b5191a2aa1090b1ba824a940da198b438bdbecbd2f5f72dd6ab73055d891520a0bc4dff7442ac73bc8566abc86b4fd7d2044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b9acfe45e9e6d91d37338f775197c99

SHA1
4d3205696d511323e4f563fe5751737b803ab9bb

SHA256
2c2017530501b7f53a63d312eabbca8224765e783d9213f7cc1eb68fb4c6eee2

SHA512
b749ab5ad5f78e101c5fcec0cd360cf463697f1c53b8447848da60adaade3bb86b8d582e0cc181f0eb85cd8c4debeb045574bcb62b1071660c4e1624097bdcd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3a8a0be3751b2642c76acbc972b1d78

SHA1
c5adf98049ec6930c3e4c4365ff4a2db84d02a59

SHA256
4b7d80b1c2a4d26f2458ee5c595a334f3d8cb6af5289813d9bf54312d75e9439

SHA512
e55cd498596a34f54da824aaeb7539029312970601516c60a53a0a54b6664897f0781fc35a04906845ac563e38ba564e5030badda160f095fbf4ca6d41f51f5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7908a03d5f9588b4483c1782bd6791cd

SHA1
6247a119cdb29362cf03ad961693a7d33976c670

SHA256
941754718f5d5f27f1419850fcd4c32da6ae77d0aada01fbd39261c1fcca9936

SHA512
03f430f09a0aa0ac0c7f8e40d93bbf7d328b6cdb60db65ba292328b22860406ca85d74ae490bbf223d38b61de30b28f7c9a714f38604d6dddf89878c6ac69360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c7e371975780b3bbd43975df3e2ce84

SHA1
1a9cf9bea76dfc39daefda1c1ead42c36827e17a

SHA256
5e6a73c65e5a988d415772ba4953b24da50d8f1804d501bcffedc22d32006bd1

SHA512
1cfbb426fdc48e1e26dd487b036235d3499efd6f0148fa51a7a5c1217edda9204a6010d2479bd2442d13a1534b7586f08098835c0b6f5a1490fbb46ca8f41858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
423f5bc706fbbb6efa74cdbbb8bd6f4f

SHA1
254c2a2fc4fb4facbc0ce5bcc416fd5614c44ce7

SHA256
782621957f1b11bacb4eb71bf705164733514b406e94b4b9d6e0374ae0316694

SHA512
943ec23a9cfb4e9c2be6b3106b915d1a08a910b66062c8b525d22ac21bd478f539ebf2231aac2eb0c33e4b39e400d4a73a2044e33ad3bcbc0a17cd67590f2374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eefb9e3820dbeb1936b5753ca9726cc4

SHA1
7ca873024685a286793a00ca531c716b15ab6691

SHA256
c36483ada5b150c75b3be12047f2acc4923e479ff2e3e6949b004934d0881128

SHA512
93723c8df0d4bc82e50d3aa26e826ee4f37a6175c454b1dd25d7c828fea684984783472028b2cfffac4e29c94083807364ed1c82e208293e0b5cf86f28936b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a4eee901bf6b24bb27c3a0c8da574b8

SHA1
8bdd42b1117afa79767d8e56c2f3cc7d50a520d2

SHA256
d7df2bc327a003c0c459d5c1f60cded5945a246d5c19560fa3b01ead38ede4de

SHA512
b25a519709d03fd51605e5289b9c364ea2c01e7b58133255acc46158980c18c5f9c0e9a8598ced8a8f64cb373f8a26c44bc2e544ad7c67fb8c6abc1bb1507d36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
83a2fd0dd8588dbf68196f3a5f122409

SHA1
421a5db0d2fbacc98a8ef31aff7452721d69bfd9

SHA256
0ce49041e6ad519c50a573e8b1ba1c42b06bfc5f6c51aeca9bdec15b3e440a5c

SHA512
1673b96e6d6ea112933b1e933f923823c62656effb421ae7f4a838c936eed2c787e697c512314e5d5a3b26d7eb9492ebea90add771c83e88c5c284591a5e67e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{55945481-82E6-11EF-AC61-4E0B11BE40FD}.dat

Filesize
5KB

MD5
03aec61fe0126f792cd2d471853380dd

SHA1
7a492bca54f718488e3902c5cdcdbe0ad5b71359

SHA256
09d87f9db308333c47aea643b37509ad832661c8f73f672f7ae2da88624aaea6

SHA512
f751cbb21c250c6ada5504b7d29b898034c480ed7b4e4c29655b0b403a57db29936e6732acf737e0b4de76badb15c2bde195a38e155ae67b61f895b3b0835bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bl977i7\imagestore.dat

Filesize
8KB

MD5
6c19095e544282e7479cd9b227928d7b

SHA1
7717ee854dcccc5450a5dd75d20c1c09ee18c21f

SHA256
aebdedc9778f3be65b706058580fc33a30862bb0dc55bf41350b8a74827447d3

SHA512
7663cf61a9973f86aae392f6827035060defebf2d4912f4d944c888dff5f12dc783c0377ffe02e9128f2367f27239c183c4b94074e6d9e4af4109e49ef83e7d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\favicon-trans-bg-000-mg[1].ico

Filesize
4KB

MD5
5879b2763fc53367a29f1e64721976db

SHA1
edee687feb0438fbb4fdf6e0b9bc941f2a0c464d

SHA256
b5f794efdee46f6e8759441cfb2bdc36640f50e47cad9f11cea18bed48e6c43b

SHA512
6b04809dad6d927b7c9fe0d674b8e14c9bb374ea069558e53468e33da76be44c8de6221f90f719462bcea90bec1a90ece58a706e440229ec78d81ba9063ad0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A94.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AD6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.html

Filesize
92B

MD5
fc43f29dac5f86135b8deb6d7a28e35b

SHA1
5e35ca771584cfefa2be96900c4674aba5c7810c

SHA256
23930a4558a4ffa78c6bb3290520bd0891f695e875f0689674a1df4a6c98db4c

SHA512
caf22c27717a2553aacd9d8044acadb115bfe6ec979197396fe7812d84479644a9ebeab80a5e9851ca1d7ae5cc10f5eaf3c8db81843c1d5f5b22e863493130e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

Filesize
339B

MD5
882b77b0f34c71241c1d374148015783

SHA1
3e04a5a7fbefeab118c75f51604ec0024bb64eff

SHA256
5acc980d9df63dd4c362a4a56a92493be7eac8a1f68e1dc77c0e8ca4360fd8a6

SHA512
3ed8e9e2768a052516e8e60751de97e686ffdc2c0498ffeec95107c6201a4ed15557fabf1ceaef48f9626f296969190ec29766cab356b0883bf8acf43b000b44

Download Submit
\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe

Filesize
108KB

MD5
169ac8e0ae499d0514496fd2f18dd07b

SHA1
7923573e1ecabfd0033d4b100c9c743b79221eaa

SHA256
3c098c97226f02d7f4e65366828d03645485dd6e68615cb8aed5ebf9f97c807e

SHA512
a294788cef16c88c41a7cc76d8c105f2c047ae90274957b090e9153e9548973c6540e20bef33325e69dcf0726b7031f467ab6e429ac1d7dfd732351a9f486f7f

Download Submit
memory/3060-1382-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads