joker | a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
Size

1.8MB
MD5

02f813c6b622223a466d802718ff6cbc
SHA1

734d0bb7aa3a3a0dc2361b8e030050b30f2c4679
SHA256

a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3
SHA512

c6078cccb314792e281d3edddf6b6fdffe29d95491d139113bff07e2534d0a3ac953a0c418c59b495c2c304e640d1c707f686c857f68b077dda3cb81a8ad837d
SSDEEP

24576:zMb5VwldaJxVkUDIUVUubQwE2qr2dHlz8M3PcFikGQp0MIzSgMs2SF1P:z45immUDIUVUucwE3KzbHQp0WtSF

Score

10^/10

joker infostealer trojan upx

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe

Executes dropped EXE 2 IoCs

pid	Process
1472	nz92.exe
896	WinHvqf32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-55-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-58-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-57-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-59-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-60-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-64-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-66-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-68-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-70-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-74-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-72-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-78-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-76-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-80-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-84-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-82-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-88-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-90-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-86-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-92-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-94-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-98-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-96-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-101-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1308-114-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1472	nz92.exe
1472	nz92.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHvqf32.exe	nz92.exe
File opened for modification	C:\Windows\SysWOW64\WinHvqf32.exe	nz92.exe
File created	C:\Windows\SysWOW64\WinHvqf32.exe	WinHvqf32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\nz92.exe	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cstv1.bar\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cfmimang.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "252"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371441782"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cfmimang.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cfmimang.com\ = "252"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cfmimang.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cfmimang.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cfmimang.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cfmimang.com\ = "189"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cfmimang.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cfmimang.com\Total = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cfmimang.com\Total = "252"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4044f8aa04d6d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cfmimang.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cstv1.bar\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cstv1.bar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\cstv1.bar\Total = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000001414b8fb2b4881ec2ab4f992dd4e48a20d930b7eff8f760b693e3016dba2e9ab000000000e8000000002000020000000da31332a1c32d5f2226f9903c77ffae4abe69a20b51d1663b0ecc4fea74511969000000022be9a5eb8ed5dd6c6b659de2edd2a3d3577539672f580c7882f4f7b18d2ea726ff08816ad232efd0f07032f98271791c375dfdc41218f6093c66a919e98febcdbfc54becd8925dbd53b440347246e47ea0a42b9ca29134f6341c63d6d16a44d70745e28ab65fdb6a4f551ac4f37596757a0d36ef0a3a011ea9f1f4e2237a3a240bf4728f343b43aeab04b3fb8c6c44a40000000e096bdb2acf85b5fabf7a2864bbb4910f42bede4690191c73a3013251f3b372b5062a02b6d67aebf2b078ff22d0de5996d5109c7e4721a762212290b7eb312f8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "315"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000c5cf394eb49bf862cae95c63f2135537f9efeb83d50e2a817f8f83310403401b000000000e80000000020000200000009b7656a62762fa7cd016daac0e0123156aea4a763eb8c4c00239a22027f5b2ef2000000012021882b0c1f4844b0a72f0fcd33cb8fe202ad4ea1451a6a1eb8a473ac3773240000000e9e5b8f9dbd0e8461b547b65018e3dea3b929135573ffb2cddd0bb3e5c01918fc7e4746c3ac0d1d21ae9374df02322ade5537069fe273a08ad28beecde55c073	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CD4C4281-41F7-11ED-BBEF-F2255ECFD43B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1472	nz92.exe
Token: SeIncBasePriorityPrivilege	896	WinHvqf32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
640	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
640	iexplore.exe
640	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1472	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	27
PID 1308 wrote to memory of 1472	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	27
PID 1308 wrote to memory of 1472	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	27
PID 1308 wrote to memory of 1472	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	27
PID 1472 wrote to memory of 896	1472	nz92.exe	28
PID 1472 wrote to memory of 896	1472	nz92.exe	28
PID 1472 wrote to memory of 896	1472	nz92.exe	28
PID 1472 wrote to memory of 896	1472	nz92.exe	28
PID 1472 wrote to memory of 996	1472	nz92.exe	29
PID 1472 wrote to memory of 996	1472	nz92.exe	29
PID 1472 wrote to memory of 996	1472	nz92.exe	29
PID 1472 wrote to memory of 996	1472	nz92.exe	29
PID 896 wrote to memory of 1552	896	WinHvqf32.exe	30
PID 896 wrote to memory of 1552	896	WinHvqf32.exe	30
PID 896 wrote to memory of 1552	896	WinHvqf32.exe	30
PID 896 wrote to memory of 1552	896	WinHvqf32.exe	30
PID 1308 wrote to memory of 640	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	33
PID 1308 wrote to memory of 640	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	33
PID 1308 wrote to memory of 640	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	33
PID 1308 wrote to memory of 640	1308	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	33
PID 640 wrote to memory of 2028	640	iexplore.exe	34
PID 640 wrote to memory of 2028	640	iexplore.exe	34
PID 640 wrote to memory of 2028	640	iexplore.exe	34
PID 640 wrote to memory of 2028	640	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
"C:\Users\Admin\AppData\Local\Temp\a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\WINDOWS\nz92.exe
  C:\WINDOWS\nz92.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\WinHvqf32.exe
    "C:\Windows\system32\WinHvqf32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHVQ~1.EXE > nul
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\WINDOWS\nz92.exe > nul
    3⤵
    PID:996
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfmimang.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67166fbc476ebd1ff59473871e412752

SHA1
4fab0e9663a084e2da87c1abfbc6d3764c0f1203

SHA256
575772abfa8eec65bec956658a1ed1698837a5d3a24b2aa0251d299c96129ac9

SHA512
c112087e855d56b5f039c762f2483a67cc37a075c2176dcdf3bb7aa6b433d2c8ddb7d256984a171b244a5620604f800012ad6c64b3b82a834f75f05759dda65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
2cdc9fd6fe311a8a913e34443f5a7d14

SHA1
32e4d0745964385f4a388e0a52228b45ad1676f6

SHA256
d641e78a5fe336b43e069c337e9e7f3d00ca1dd04a535f8a698f7d357b17274e

SHA512
d28b201f108296120006797211219426cd283da46ae161eb6f081441adc3788a3f5362b7090abcc49230303ced425cef65cbee8e0348664526fede69d06fd2a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V77RP3HD.txt

Filesize
608B

MD5
fb3145cdce3079a31c388b038c8d2f00

SHA1
da343040cacce90cdc4a27edb351548a140a1e01

SHA256
a36abaa652441d41274f21e49343a9a0477c92f65186176f71dbee12107d8c93

SHA512
6b0a12f83054aac221d6e7fdac96768a7f81753a5f24178972591b71f3615d36666da61851fb8b36a064809b935e1444b42589aaa4bf84905c7c488a17fdb921

Download Submit
C:\WINDOWS\nz92.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
C:\Windows\SysWOW64\WinHvqf32.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
C:\Windows\SysWOW64\WinHvqf32.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
C:\Windows\nz92.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
\Windows\SysWOW64\WinHvqf32.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
\Windows\SysWOW64\WinHvqf32.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
memory/1308-70-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-72-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-76-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-80-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-84-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-82-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-88-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-90-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-86-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-92-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-94-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-98-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-96-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-101-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-55-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-78-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-74-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1308-68-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-66-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-64-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-60-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-58-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-114-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-59-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1308-57-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download