joker | bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024

Analysis

max time kernel
151s
max time network
133s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18-09-2022 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
Size

3.4MB
MD5

32718480a706f43d85f7478c07595b5e
SHA1

e44b81fe3d61529bfa2ed2005d76bdcdb63c6526
SHA256

bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024
SHA512

5836767c9bd1b44fa68925e768c1578a7be4d69245fecdd2ce9bef08e73f7b1dae5d31eab5810c746cc8379f23540365db2a27a204d835647f659a7c7f4bb9a1
SSDEEP

98304:2lG4t8z7N7Qsmvxc3bxGTYZDQxXjOYgfi0dO4O/EgrbKJwv8qr:pz7NElvxcbOxzMM5/jSS0qr

Score

10^/10

joker aspackv2 infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000000b2d2-56.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-58.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
892	调皮猴辅助.exe
1552	家庭用户.exe
1224	用户2.exe
1720	windowliua.exe
1084	windowss.exe

Loads dropped DLL 9 IoCs

pid	Process
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
1720	windowliua.exe
1720	windowliua.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\36OTray.exe	用户2.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	用户2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
892	调皮猴辅助.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Thunbs.db	家庭用户.exe
File created	C:\Program Files\windowss.exe	windowliua.exe
File opened for modification	C:\Program Files\windowss.exe	windowliua.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DELME.BAT	用户2.exe
File created	C:\Windows\uninstal.bat	家庭用户.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\188nmxbscb-bncbhhncjkb-jb.com\NumberOfSubdomains = "1"	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\188nmxbscb-bncbhhncjkb-jb.com\Total = "63"	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\x5mk.com	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\188nmxbscb-bncbhhncjkb-jb.com\ = "63"	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	调皮猴辅助.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\188nmxbscb-bncbhhncjkb-jb.com	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\x5mk.com\NumberOfSubdomains = "1"	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\x5mk.com\Total = "63"	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.x5mk.com	调皮猴辅助.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.x5mk.com\ = "63"	调皮猴辅助.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	调皮猴辅助.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb96180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	调皮猴辅助.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	调皮猴辅助.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	调皮猴辅助.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	调皮猴辅助.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	调皮猴辅助.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	调皮猴辅助.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	调皮猴辅助.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	调皮猴辅助.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1572	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1084	windowss.exe
1084	windowss.exe
1084	windowss.exe
1084	windowss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1084	windowss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	家庭用户.exe
Token: SeDebugPrivilege	1224	用户2.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe
Token: 33	1084	windowss.exe
Token: SeIncBasePriorityPrivilege	1084	windowss.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1720	windowliua.exe
1720	windowliua.exe
892	调皮猴辅助.exe
892	调皮猴辅助.exe
892	调皮猴辅助.exe
1084	windowss.exe
1084	windowss.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 892	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	27
PID 1696 wrote to memory of 892	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	27
PID 1696 wrote to memory of 892	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	27
PID 1696 wrote to memory of 892	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	27
PID 1696 wrote to memory of 1552	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	28
PID 1696 wrote to memory of 1552	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	28
PID 1696 wrote to memory of 1552	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	28
PID 1696 wrote to memory of 1552	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	28
PID 1696 wrote to memory of 1224	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	29
PID 1696 wrote to memory of 1224	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	29
PID 1696 wrote to memory of 1224	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	29
PID 1696 wrote to memory of 1224	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	29
PID 1696 wrote to memory of 1720	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	30
PID 1696 wrote to memory of 1720	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	30
PID 1696 wrote to memory of 1720	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	30
PID 1696 wrote to memory of 1720	1696	bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe	30
PID 1224 wrote to memory of 1764	1224	用户2.exe	31
PID 1224 wrote to memory of 1764	1224	用户2.exe	31
PID 1224 wrote to memory of 1764	1224	用户2.exe	31
PID 1224 wrote to memory of 1764	1224	用户2.exe	31
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1552 wrote to memory of 1040	1552	家庭用户.exe	34
PID 1720 wrote to memory of 1084	1720	windowliua.exe	37
PID 1720 wrote to memory of 1084	1720	windowliua.exe	37
PID 1720 wrote to memory of 1084	1720	windowliua.exe	37
PID 1720 wrote to memory of 1084	1720	windowliua.exe	37
PID 1720 wrote to memory of 1936	1720	windowliua.exe	38
PID 1720 wrote to memory of 1936	1720	windowliua.exe	38
PID 1720 wrote to memory of 1936	1720	windowliua.exe	38
PID 1720 wrote to memory of 1936	1720	windowliua.exe	38
PID 1936 wrote to memory of 1572	1936	cmd.exe	40
PID 1936 wrote to memory of 1572	1936	cmd.exe	40
PID 1936 wrote to memory of 1572	1936	cmd.exe	40
PID 1936 wrote to memory of 1572	1936	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe
"C:\Users\Admin\AppData\Local\Temp\bcfe72d7338bea0db62e187619993434e66452a6424408784409ccfa8752c024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\调皮猴辅助.exe
  "C:\Users\Admin\AppData\Local\Temp\调皮猴辅助.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:892
- C:\Users\Admin\AppData\Local\Temp\家庭用户.exe
  "C:\Users\Admin\AppData\Local\Temp\家庭用户.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1040
- C:\Users\Admin\AppData\Local\Temp\用户2.exe
  "C:\Users\Admin\AppData\Local\Temp\用户2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\DELME.BAT
    3⤵
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\windowliua.exe
  "C:\Users\Admin\AppData\Local\Temp\windowliua.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files\windowss.exe
    "C:\Program Files\windowss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 2 &del "C:\Users\Admin\AppData\Local\Temp\windowliua.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\windowss.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowliua.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowliua.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\家庭用户.exe

Filesize
732KB

MD5
8183b24c5b05fb5a3afe114945c5c168

SHA1
2233b8013e7c16bf29501a40fe020d5bc3e8d16d

SHA256
f908e097cfc4dd96d4771a360d2f6f8b1e773d9920f6b777cf70754b96aeedde

SHA512
57310da434094e65d46aa1448bc76e7d13e495bfb7f8619150d91cbe8053a77c510250af5f73db73dd46b976693ff9b21fab1fb7d57d9932ca5197f410a6f3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\家庭用户.exe

Filesize
732KB

MD5
8183b24c5b05fb5a3afe114945c5c168

SHA1
2233b8013e7c16bf29501a40fe020d5bc3e8d16d

SHA256
f908e097cfc4dd96d4771a360d2f6f8b1e773d9920f6b777cf70754b96aeedde

SHA512
57310da434094e65d46aa1448bc76e7d13e495bfb7f8619150d91cbe8053a77c510250af5f73db73dd46b976693ff9b21fab1fb7d57d9932ca5197f410a6f3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\用户2.exe

Filesize
765KB

MD5
37e00e589768a8ac072eb2bbfacdba99

SHA1
99e51a2fffb17779c8cfe7d1ec615b7647a0ed19

SHA256
7450aa85a6bec52cd2c5b0d03bdec061a6d325b9d6c5ae2335f7ab02c8716aa7

SHA512
d128012da86de62f298b98e19fc7794e54d7e318bd30fb04e9633cc4ee364ca962b089175be6a5bb1521c67598ad4ef8252f6dd124e7ba207fa05dedfa88d0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\用户2.exe

Filesize
765KB

MD5
37e00e589768a8ac072eb2bbfacdba99

SHA1
99e51a2fffb17779c8cfe7d1ec615b7647a0ed19

SHA256
7450aa85a6bec52cd2c5b0d03bdec061a6d325b9d6c5ae2335f7ab02c8716aa7

SHA512
d128012da86de62f298b98e19fc7794e54d7e318bd30fb04e9633cc4ee364ca962b089175be6a5bb1521c67598ad4ef8252f6dd124e7ba207fa05dedfa88d0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\调皮猴辅助.exe

Filesize
2.2MB

MD5
b31eda9a0a9502ff3e9f991a9b46855c

SHA1
6e495665d4357686e5a4a6883bcfb2fe28b3996f

SHA256
eb4150a63bd6073c025831cbe227e23812b19dd2fa95c842c631c2e156c89451

SHA512
f1e606c4df5f7eea0b1900eba9bd381bc5858a7ad2c8fc65a7a02e918112f1b6c21583af80a8371acdbd6b0edae3aa15091f816e5b926bce992b39b96cfd9a97

Download Submit
C:\Windows\DELME.BAT

Filesize
132B

MD5
b7909254b7b60f4d489bdcf5afa2a0af

SHA1
c31f467208a3a2ff4605a3d043113db84f11a12c

SHA256
56e6e3bebc951674489ab23763d8e864b6d18ca03639ec8ee224abc5f3457026

SHA512
9a378bf7471e66b9bf108a25cb1da8aba65f10a166be91dee130d3bd0f4852295dbbca263d35eda7da71a20f0e8b20e3f4c30f35b28ab0437dfffac789e74079

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
6fda656ff825b917490d093a3edb1a7e

SHA1
ae08f0fb691cf4728111e9a1c77beb914a8477ac

SHA256
2634972971c137fc744d8ef3caec98a8853f9866e0e7ad6c203549918b6bb2dc

SHA512
4b4800abf18fe805808d1efedcb8a6813df046928b9aa3cac3b155942b2627e50071f35d1ab65ddc7f8fffda94f7e35adccd7ea701fcb0c9a6dd4a151b2a460d

Download Submit
\Program Files\windowss.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
\Program Files\windowss.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
\Users\Admin\AppData\Local\Temp\windowliua.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
\Users\Admin\AppData\Local\Temp\windowliua.exe

Filesize
844KB

MD5
fc9a93ad351be6c16602705f63330cae

SHA1
9c81b00f991ad0640ebdc31ff85a47998a898c39

SHA256
c54b6a648e5b182ccb3899bb915262d232383dd60156dcfc65b572065e918059

SHA512
41f468bc563de4a78e2d015116a969a3d7f4caa2f0e6b3c0fd26e2fc7a958b378544c5d14b2a9096690b961b5d89fab07ba1840ef3c19147c3d3f220af8473d5

Download Submit
\Users\Admin\AppData\Local\Temp\家庭用户.exe

Filesize
732KB

MD5
8183b24c5b05fb5a3afe114945c5c168

SHA1
2233b8013e7c16bf29501a40fe020d5bc3e8d16d

SHA256
f908e097cfc4dd96d4771a360d2f6f8b1e773d9920f6b777cf70754b96aeedde

SHA512
57310da434094e65d46aa1448bc76e7d13e495bfb7f8619150d91cbe8053a77c510250af5f73db73dd46b976693ff9b21fab1fb7d57d9932ca5197f410a6f3ca

Download Submit
\Users\Admin\AppData\Local\Temp\家庭用户.exe

Filesize
732KB

MD5
8183b24c5b05fb5a3afe114945c5c168

SHA1
2233b8013e7c16bf29501a40fe020d5bc3e8d16d

SHA256
f908e097cfc4dd96d4771a360d2f6f8b1e773d9920f6b777cf70754b96aeedde

SHA512
57310da434094e65d46aa1448bc76e7d13e495bfb7f8619150d91cbe8053a77c510250af5f73db73dd46b976693ff9b21fab1fb7d57d9932ca5197f410a6f3ca

Download Submit
\Users\Admin\AppData\Local\Temp\用户2.exe

Filesize
765KB

MD5
37e00e589768a8ac072eb2bbfacdba99

SHA1
99e51a2fffb17779c8cfe7d1ec615b7647a0ed19

SHA256
7450aa85a6bec52cd2c5b0d03bdec061a6d325b9d6c5ae2335f7ab02c8716aa7

SHA512
d128012da86de62f298b98e19fc7794e54d7e318bd30fb04e9633cc4ee364ca962b089175be6a5bb1521c67598ad4ef8252f6dd124e7ba207fa05dedfa88d0f6

Download Submit
\Users\Admin\AppData\Local\Temp\用户2.exe

Filesize
765KB

MD5
37e00e589768a8ac072eb2bbfacdba99

SHA1
99e51a2fffb17779c8cfe7d1ec615b7647a0ed19

SHA256
7450aa85a6bec52cd2c5b0d03bdec061a6d325b9d6c5ae2335f7ab02c8716aa7

SHA512
d128012da86de62f298b98e19fc7794e54d7e318bd30fb04e9633cc4ee364ca962b089175be6a5bb1521c67598ad4ef8252f6dd124e7ba207fa05dedfa88d0f6

Download Submit
\Users\Admin\AppData\Local\Temp\调皮猴辅助.exe

Filesize
2.2MB

MD5
b31eda9a0a9502ff3e9f991a9b46855c

SHA1
6e495665d4357686e5a4a6883bcfb2fe28b3996f

SHA256
eb4150a63bd6073c025831cbe227e23812b19dd2fa95c842c631c2e156c89451

SHA512
f1e606c4df5f7eea0b1900eba9bd381bc5858a7ad2c8fc65a7a02e918112f1b6c21583af80a8371acdbd6b0edae3aa15091f816e5b926bce992b39b96cfd9a97

Download Submit
memory/892-102-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/892-63-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/892-67-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/892-64-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/892-73-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-71-0x0000000002E90000-0x00000000031A5000-memory.dmp

Filesize
3.1MB

Download
memory/1696-55-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download