joker | fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
Size

665KB
MD5

693a45eba4ca44b0989b567c4adfa210
SHA1

aab926de0748d693d2f24d7475cb0bb3e32ab627
SHA256

fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914
SHA512

57e9a2a5bd13ce158906e4e48f8c15110192702889a53172373dd9b842752323af5a5e5f8d7ae4abda1c454dd9ba6b84ca6634127f5bdba1115fd342929d28a4
SSDEEP

12288:dZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6QMgrwT:dafIiy4NwdLpQMywT

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 3 IoCs

pid	Process
1208	rising.exe
820	flash.exe
932	Show.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\windows\flash.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File opened for modification	C:\windows\flash.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File created	C:\windows\Show.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File opened for modification	C:\windows\Show.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File created	C:\windows\tao.ico	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File opened for modification	C:\windows\tao.ico	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EFA9A311-491B-11ED-B7CC-CE23F931F8E9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "693"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "704"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\77817.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "441"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "567"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\5136688.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "378"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000de4778f64635001a8a36c335aadaa853ef4a22ad3f308888d57e14101a88a97e000000000e80000000020000200000001683bca32bb0e5273ffe62e906b21ee0723727666de52373491a0b9d6e4c60649000000073bf9712caa42c9ebc06fb258fe9bc36952064974c3cfe5dbc67c97348c32a4f34608e8705bebfca50f5f068c6dba931b49cf6c49ea905ed0a60b66fcfe681b0c3c04190764c7cd755b363e3e83828ed8357a98f079518645aac3a86d6617bf53fa1cd3f8516f59be17d59758c5eb4105e9d786c1e6f7a232ed60f9820b3728880aa8da7bfdb9bb20dc9e6a391c1a4054000000017c74e7bff1bfd3fa22338d9dd361a09c4d84e4ec720524d89d482c9d624320b6d2adde3f2964edf36a99fc270e29bd5de484698b1779fb708f4d51e7ab075e8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "693"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.77817.com	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "252"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "830"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "263"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\77817.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "578"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.77817.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.77817.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.77817.com\ = "0"	Show.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000002db1f62839734bb58ee12208fa3f6e3707a48dbe61b1e7545b7e1143e968af1d000000000e8000000002000020000000cf5ae2be251cb9b57f691d5cf80d21ffd10066022a5aed8d38018dca641d65b920000000114f01d6758327c4ce417f78656024c6d845d906c80b996a5d46c75d4803b60b40000000941870c5468fd15425ce4477eefbfe90489c7697eaae0552ad549e3ecdf5b4c764d7fc8148beafa7b9271ede31b9841f669bb4e1472d353fba7b8ba8820c879c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "630"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.77817.com\ = "74"	Show.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "389"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372226960"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0056cfcc28ddd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\77817.com\Total = "74"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "137"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.54680.com/"	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\CLSID	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\ = "????"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\shell\open	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\ = "????"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\DefaultIcon	rising.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.firefoxx	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.5136688.com/?wg999"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.firefoxx\ = "firefoxxFile"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.5136688.com/?wg999"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\ScriptEngine\ = "JScript.Encode"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\shell\open\command	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\DefaultIcon	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	rising.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\shell	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\ScriptEngine	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\NeverShowExt	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\ = "open"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open\command	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\ScriptEngine	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\ScriptEngine\ = "JScript.Encode"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\NeverShowExt	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iexplorex\ = "iexplorexFile"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\shell\ = "open"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iexplorex	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexplorexFile\shell\open\command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\CLSID	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open\command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID	rising.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Show.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Show.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Show.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Show.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Show.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Show.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1580	regedit.exe
1916	regedit.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
920	iexplore.exe
920	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
820	flash.exe
1208	rising.exe
932	Show.exe
932	Show.exe
932	Show.exe
920	iexplore.exe
920	iexplore.exe
952	IEXPLORE.EXE
952	IEXPLORE.EXE
920	iexplore.exe
920	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1208	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	27
PID 1380 wrote to memory of 1208	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	27
PID 1380 wrote to memory of 1208	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	27
PID 1380 wrote to memory of 1208	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	27
PID 1380 wrote to memory of 820	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	28
PID 1380 wrote to memory of 820	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	28
PID 1380 wrote to memory of 820	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	28
PID 1380 wrote to memory of 820	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	28
PID 1380 wrote to memory of 932	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	29
PID 1380 wrote to memory of 932	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	29
PID 1380 wrote to memory of 932	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	29
PID 1380 wrote to memory of 932	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	29
PID 1380 wrote to memory of 920	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	30
PID 1380 wrote to memory of 920	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	30
PID 1380 wrote to memory of 920	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	30
PID 1380 wrote to memory of 920	1380	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	30
PID 1208 wrote to memory of 1008	1208	rising.exe	31
PID 1208 wrote to memory of 1008	1208	rising.exe	31
PID 1208 wrote to memory of 1008	1208	rising.exe	31
PID 1208 wrote to memory of 1008	1208	rising.exe	31
PID 920 wrote to memory of 952	920	iexplore.exe	35
PID 920 wrote to memory of 952	920	iexplore.exe	35
PID 920 wrote to memory of 952	920	iexplore.exe	35
PID 920 wrote to memory of 952	920	iexplore.exe	35
PID 1008 wrote to memory of 1580	1008	cmd.exe	34
PID 1008 wrote to memory of 1580	1008	cmd.exe	34
PID 1008 wrote to memory of 1580	1008	cmd.exe	34
PID 1008 wrote to memory of 1580	1008	cmd.exe	34
PID 1208 wrote to memory of 396	1208	rising.exe	36
PID 1208 wrote to memory of 396	1208	rising.exe	36
PID 1208 wrote to memory of 396	1208	rising.exe	36
PID 1208 wrote to memory of 396	1208	rising.exe	36
PID 1208 wrote to memory of 1868	1208	rising.exe	37
PID 1208 wrote to memory of 1868	1208	rising.exe	37
PID 1208 wrote to memory of 1868	1208	rising.exe	37
PID 1208 wrote to memory of 1868	1208	rising.exe	37
PID 920 wrote to memory of 1920	920	iexplore.exe	39
PID 920 wrote to memory of 1920	920	iexplore.exe	39
PID 920 wrote to memory of 1920	920	iexplore.exe	39
PID 920 wrote to memory of 1920	920	iexplore.exe	39
PID 1868 wrote to memory of 1916	1868	cmd.exe	40
PID 1868 wrote to memory of 1916	1868	cmd.exe	40
PID 1868 wrote to memory of 1916	1868	cmd.exe	40
PID 1868 wrote to memory of 1916	1868	cmd.exe	40
PID 1208 wrote to memory of 1448	1208	rising.exe	41
PID 1208 wrote to memory of 1448	1208	rising.exe	41
PID 1208 wrote to memory of 1448	1208	rising.exe	41
PID 1208 wrote to memory of 1448	1208	rising.exe	41

C:\Users\Admin\AppData\Local\Temp\fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
"C:\Users\Admin\AppData\Local\Temp\fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380
- C:\rising.exe
  C:\rising.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s c:\reg.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\reg.reg
      4⤵
      Runs .reg file with regedit
      PID:1580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5136688.com/?t
    3⤵
    PID:396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s c:\reg2.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\reg2.reg
      4⤵
      Runs .reg file with regedit
      PID:1916
- - \??\c:\windows\SysWOW64\wscript.exe
    c:\windows\system32\wscript.exe C:\\Killme.vbs
    3⤵
    PID:1448
- C:\windows\flash.exe
  C:\windows\flash.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:820
- C:\windows\Show.exe
  C:\windows\Show.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.77817.com/setup.asp?wg999
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:406531 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Killme.vbs

Filesize
219B

MD5
4483db672c67e498915eca2ba22c6b8c

SHA1
1f29ed5a2c6db4301599d4487a324535f6640539

SHA256
52d77c509bc42e5ea1e5cfb815f2efad9ec6c770b71bd8ddb1ef391a06ba91ab

SHA512
2fb84b25f75eed13df4f8d0d46e6d39191dcd5a6b0f88f7102cfd8cfec7acea6347a783fbd5dbc0b61636f3167fcc308dfeacd348abbb2aeddc57be9d213fd1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
873684a3c2fac9c1ded001b48ccf5197

SHA1
0cff6107be7818ec610aa4506ee19e2910863d5b

SHA256
19bd5fa23ca02452a3f843a8a60ae0a0770b98c97b738d927a3c7dbf2c19b8b5

SHA512
fe8367e5392f573d5f0bf31a16d2e04dce5a1c5ca7cd4f9cce60514f871c3108187cb40b2fb455f9a60209a021722d9e6b21a3c830b75611823e4407197d3b27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
b1545b6b4522bcef26d2887bd817dd06

SHA1
a0cc4609d1c12a8d5d4054fb21bddac428db73c3

SHA256
00a53c78abe8c042dce53eb1c8da96efabd198fafaa7b2a13353f8b9139e584e

SHA512
bcf7e626ee661d5088db0c49b49f44ff1d0dc53cdceb0b0b0e657016b7a1670dbba4e29674cea274b9e01a2efa23fd35982207b47e0815558f060da43e18f309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
efeb76106b4a42dcfe9d9b9eb2b268cc

SHA1
9bd7be857e1940a5e69a3ca18a8337e888c2a92e

SHA256
d895832dee7a8b1bd1ff870bc4de166b78b7949a5cfb48e7b899bd6da89f0d45

SHA512
0aa00542e041b6afb8b3b9861777700992d2e8c272d832e018a68f1004e956ded740dad89aeb05e635454d2c9e9f8f9dfc66d21e0d5f51a44d5a8f14559ac5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9DD3D82403C592F0DA5ECFF159BDA01D

Filesize
346B

MD5
e1e96dae456ac2687aa0f8673ffbca91

SHA1
af2a7e70442a1555a74e5860358286488186631f

SHA256
de28dfb47e611ffa2f0b9e7bf5a8b2af2bc4f5ab0312048f17df3ee83f675a15

SHA512
91a3762f2b6460fb7164a31666e994fe05c7948cc8c3d367346b89ed1659050612908b7904781e3922ecee44faa8f6e2a72969587b4d573763b1c89e821a9e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_0682F448E952CB7EC702552451662AB5

Filesize
1KB

MD5
7749069f24a5423c6c649035fdd3cba9

SHA1
e1b3d52c77d948e52f3746bda076b838229f9a66

SHA256
f6df29ca1bfee1c654efd71877fa178902e05bf3542c2b85187226f04fa81763

SHA512
531dfceb2181ec34366b5b78ebabeab7f820c0ff7f2ef85d78430f960fea85a2544bdc37b539818f1a3f6ce8c1b48634a72193cbc0f6210b5c826fdac4d4146e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
1KB

MD5
9e4bd274f168bef2a8c914a19529b552

SHA1
b92342ceeb2531e579fd9a821715db355fc5a813

SHA256
94e529d37f36dd05781d6db3c3221c951c8aa295895186d98a0ca98e1043f9c2

SHA512
804a72a14c2a7bdc169b0b19994c950abaaed3a8a4d215c3db9daebb9fd8ac6c3fff031863d572d1ffe8f8b3e938012ef853380123b771acc0a8b235ddd3ff85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
f122694b71b1616d29b2b21d77847088

SHA1
bb53e5c827af843c286df8d63cdba3d380fafc29

SHA256
00d81849d78036e27ee3522ce6fe6a1e5f9251f462346d8a5e63f2d6a2930f98

SHA512
f78fb526ebeabeb2b5e9a61ee2eb57c4f8c74e3a1adf1c4d8ad8a301f41c3566d8c85f478becc90df57b509aaefabc85b16c65da0533fef45efee2c6e6f229e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
909a7d1a260188abe887ed4bac847da9

SHA1
751d00997f13b1e4f90c4003730f25bf74002425

SHA256
a980ded759a5474137b8e9da099795d1c71b83d57a3619b8199ac0d34e72add9

SHA512
e4df2bedc0ac41e30958917e0aaf16e4bd0993408f8a529f3ca8dca49e0a93a8ef8f794f871a9f400e74e01c10fdb9bf48755933e65fadc9cfbdf399e421a164

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cb8d7f21d3136cb7e8e46d929ed8554f

SHA1
32f38179793e854f0a4db0bbdc90a7294e5327e7

SHA256
34e94bf9ddb9e4f531f55f5f3652079f427ef44f29c1f9a2cba382612eeec6d7

SHA512
8c787f9c2e5001605c67617fc1b2e2585ef6afca4117bffcdb62068886f3356e6b96aef5a4c6a4f7bbf61111ba23cd2ec836cb1a730e94dd0a4cba1dfdbebd6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
6c31976b1436c28b05be995417904a75

SHA1
b8b3a5b52fa53b4a893985fbd27ebf21248ab353

SHA256
e7da25b46ee9d2c3c94eb6012b85dbf2326d449962804935f87622d9ea076a9c

SHA512
939eaab06e2975540d33ba7f2a2b6fa8481364318245e88a1960da7b743ecf0e5291d0a3eaacfbf7cb6d3d9d1353fb529b47e5fd6c05cfce2dfed469961d6f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
472f232faa8b1d0220ce51354c458e0e

SHA1
edff3afc87a5e3107ffa0039d2e0885a0eb217c2

SHA256
cf7830c8b62a7b253fbd8cd86013d3cc083ce1f283ec221e34874361e8f1b5d3

SHA512
fe8eb30e85eaf957ee8fae05f9726830a1a46d933760f7afce81acf7cfcb8b0aceef12bad3013e676b1960fb66a040cdc126288852325ce2ab8ac22454b873f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
3e9f67d4046bf4021a0bfa4e22eff36c

SHA1
2fb3b94a7fecf5b328cc5ab00a038534465a058e

SHA256
f314584e1af8ac40996ddcc7cabeb046b34c64d746582b6298926fc809221300

SHA512
a2d6f2b596d870f3e5c2d52cf46153d3e9c27ec38577b5b1e803c71ba456c5b08072333f1767e2299adcf26ee2e7599a7b85919a0debd096e62cc251dbf4d276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a678551ac2ce9a63174fef18866e8299

SHA1
725b2a4a1ead438a683865fd16e389970940f0b0

SHA256
c25e79870509be341d331c0e94fb17aba7d6189eab09bb748c53662a7743c600

SHA512
704c529ca715baccb2fc0e747aeee42788b8a24993a52dadc0b1dfab1735f84cf71084af67ecbb1526acd012a7c22421ba605db2eafb357f06dc88033ba90ec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
143a6a46b7546f40bbc82f3fec7b1fd0

SHA1
7c971408a1032bb800b88c30e859e8090c2f1d77

SHA256
8d8bc7449513664ec2e9f91946781fafa646dc0e5d6da7a296fa9b84a51b640d

SHA512
203de536a92335fccf32f010e324155b413df41303e55efd182ba02d166732030d103e1184a1ad6f3a100ebe84181ba3ccf07001e0ef6f8043873f100bd49527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe85179d7ca7a768c1d1f1d1c4939888

SHA1
e8e1272d7db56d784e0a7587b99f8d33f8d58ddd

SHA256
63a0d41408b068772acb1cf84cf05e61dadbe2f18dcf54cdded9a45588592144

SHA512
74458a51d1d1298f518c944794c47b05477271af917fbe928850b1f22a41a9a681582a0079d0aac202a66f7cee1009ccb0e75cd9c4c10d291715d820c18868d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08a4bb2959bd75f874cd2a4e05c68e86

SHA1
784bf9ec282601bebfc6145af764da6745ae1f7e

SHA256
54f5eabdbd9c11b92307b221c97a089afee27dc960dd28e67b7ef7280a7b2854

SHA512
8503bf9d612d5c50c19556565775f6b76b5c03e37f4779c408298058712054f42a08cd87f0d182260c39dfc4de762e1246dc788761888103f5f4267c34328fc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a32347be020649f7b21d01c507233ac

SHA1
8502f06803ad3ee7bfb59c398b2de27b37728d74

SHA256
17c0017f2b06c470f742c7b7e75ce7ac15e5533f59d5f5a646052ed09cf2059b

SHA512
7fe351c93b5712b0511c9feb0fdd9f667fbecca0d92e734db946b189f4cdf934e7bbd8896687b28b51be2ee6314afb0f6f80d51094f8dc8a487f8dfd1f25f23e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9DD3D82403C592F0DA5ECFF159BDA01D

Filesize
544B

MD5
9a85d09625d7506b81d570c56455d4a6

SHA1
b9d472348e35647250cb5e821f4c56b3f43af40d

SHA256
54fda21cf6f39ed4ffb8ab2b8aa83cb4ac5b88c083ecb7a38a3d42bb558af127

SHA512
afde911dc89088aa285a0cd7264e105529dade2fb01de01d548154c1f706e5518d08f2bb3472875000defd85b0cba28b3ad8edbe5a9af5f59966bd3bfbdf0a1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_0682F448E952CB7EC702552451662AB5

Filesize
536B

MD5
94371ef9ad16fb513dfb3c4e94b58830

SHA1
2f21b9549ae60e540f8fbfb56b65764b1a3d6084

SHA256
b62dfe94d895f860b574f9945c5db00875b21c155d9bf210a30e1e749a5f706a

SHA512
4063e68681746970e5ac2f3c2664aea3b2b86d30ae22c59318290ec1315ccc2850f8d46878cef1e32549091646bf88f5cc379909d9ea5906780fa1b557eb5a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
492B

MD5
a8439c92bdea0df81003f56f3af101db

SHA1
855472431e989bf4dfd45d8f3c6e475a902f677d

SHA256
20d177a83cb2c3c2d29352940dd341402eef757423d23724ff539dd320efdc1b

SHA512
1c0431a848e4b036f35ee942f57db80ce4a0d57b3c590b302b14511d6fa1e8e3e1f4e2de6f99a1549ff5de74a1f5550aa8cf1e71fb9e57dc8ff359df32669ae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
8ac240e3b80d21b7e54acb6ee1a838b4

SHA1
a68001fb0ca3865efda2a0cd8ce8e1584f82c279

SHA256
18188b05859fe04294ef23630958034ca3fb7d2e5e054f31cc226dfe143f4c65

SHA512
8059d9eb9498069bcfaae618dfe16ea7594bee3f28ca9fb748c959451173ee01d5c8b8763b99b4875f380d23441c67b47539d7c049f27e9530ae9416ebf54e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
8a3451ca33bdeaf45466a99c6966b9f7

SHA1
1243912e80865b37d83cf7e624f5e436c7c04162

SHA256
4dd2801fba3214c87d91c0dbb53c155e3325d931f239f53b6fe33f3eab23c894

SHA512
9cf65f2072783e13dc3e49f3adbab314b3cd5b59799f1951f98d09228c731e5bf0fa0640821e4a4a3b13927ed0bc49e3e65bb2e3254802fda6c33df9ed192edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\link_m1[1].png

Filesize
21KB

MD5
cb02dc0db18c463da4c554207a9fe2ff

SHA1
a5b5f40db19e9e1e0eabded46cbd97a1cfdbfecf

SHA256
5676be9e72a0f352beeebc5890b975c8ba3c35cae5c32e745fbb997efd2bc588

SHA512
a3d452120ee97808695e5e8e6c56d7dd10e7b83794f91298c0d9e1a75047cc669d91f729143ea0ad6d7924b3161d05c0b0ce49b57a75ab3cd3af4c6e24e15bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\main_m[1].css

Filesize
1KB

MD5
69b366feb6792ffdc7fb2d735e1646fb

SHA1
5e9065af102fa82c660f5592884ed9e2aff33180

SHA256
00836a74cfdbfe758c0b152b084f12602deef948d49e21c53cdc22f7ec71ba36

SHA512
743e09d85c4b6f862e33bd3d3efddba618a5da91d275dce19cb74e14a3acc6290a29a0d6cc0d2093123f3b744c47478689ba1be4f80f802fb61a39fb084fd27e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4A7J976W.txt

Filesize
228B

MD5
f72519d72a70884e0181d00ce45acbd3

SHA1
504031692c69b3e1d826c9fb2d3ab65e05636adc

SHA256
6c6b948ca699aa343378c9cfd235399a2599b5e3d75190d48e03f9b495830297

SHA512
21e86901e74f8c718cef4c057b9968c4c43b80ee68ff966de7ec0702145755d8da6c9771558a3b3aad4d01550a2cfa47f7cb628db269fb9fe6f6cbc51227a616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5MVS183Q.txt

Filesize
114B

MD5
eb3005b8f68f89ce82350dc96c3b2b09

SHA1
28dce8e845de8757f18bbc21340f8072fd4e9c8d

SHA256
20883e83145062a3772ddfb851a2ce6e03a0b73b5459d8cffa775788e0c16a27

SHA512
c4dfb153cabaf478dcea17d0f5c7aeea9114d52f9aa1331259181fc3528abd93f8b5fd52ac1958c5f180ea9853097e4ef714a02d4f57a813bfa4e5aebb3060cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DP89PAJK.txt

Filesize
1KB

MD5
46cc1661a878ecc3eb1919d115c20790

SHA1
3ee99c3ace5ed5988b6b74c266b9eec79362b311

SHA256
fd9e1190368fcff935c87092a92e1cd9978915fd90354389cd6073e6464d819f

SHA512
25f06d7d2f7ea7507a10331eb61917deb40fb3bd8c0b425c04abb074cd49001ecf33e2ad87e1b74ee7a15d1f0f8da267403148c99c54d828c719c4773496f62c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FUZTQHAV.txt

Filesize
1KB

MD5
2c2dc660d84f99d7ba44f6ff92b7759c

SHA1
a2cf0cbd68ea0bb5f557fee26dd2a2248e3fafc5

SHA256
24eaa6b802c1460fe0fe822a309eb5fd61c86faf9fb17acfedb19185bc0cecba

SHA512
48196e4aa202344f061c154454ca23a8d10bc4f858c8b3f593d159b5d035e41512eaac8317e5c8709f4b4567922453f4e52a68516af75a0281b09db4f91078ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HDZ5A5PX.txt

Filesize
94B

MD5
876d6718ac6bed6fa6972d87e3f691c6

SHA1
7d01ceac8832e248ef3526ee3bf22bcff11d920f

SHA256
1e762b94ca6f2112f9dd2d592b1900095b8e063b6a37820b279cb6048bcd3391

SHA512
af4403f9caa003e35a45bdeae0dfe309f188d618ba703702eb57d42c99d06404f3fc1be848846297048ad3dd24bca1f8a80895e99c2cd00cd48911694dcd3792

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JAIILTJH.txt

Filesize
278B

MD5
daf6050f8754ef8096456fdf6a1520c7

SHA1
974d48beadeba5cfce30359df57920755faf58b9

SHA256
e84e32828e67e528c2ae19f254d6321ec6a4571e4ce2c7a6da23f29e23e16924

SHA512
9686b6faf7313f4318d7c1c1bb68223d8a1f9e07d59775c82bcf8e371683feffe8470a7658850ce96513980549b9e2332e82ef0bbd28fd639133f90fb19f06f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MWRMN38L.txt

Filesize
94B

MD5
60e96efb2bf47e1d06a95034f11511bb

SHA1
7797673dd7db76edae7481fe0c849f547349b26e

SHA256
5e32ede2f94e6238e503be54386718aa6a574d47a88dd080c96f4b9efdffb4de

SHA512
d6ac1fbade18bc8e62a2f0cf90bc339736db44b3497f867995f24b94eb9f16f8e755dd8b76becddde0070394f0cba2cc24312c59f92dbaa1290cb37dc0504039

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R08UC9AV.txt

Filesize
608B

MD5
5cc7d081d745b5b9254592b6d92ea6ee

SHA1
9bb0c1820216a2a082514de3b29039c453ab3a7a

SHA256
655386154cfd2a81b80be3ff37ae673079b3bed437cc266397508b7b4a221f1f

SHA512
c1cb92ec6ba544b43ef12dba891733390cb7dc0359ee0db7c874a994470f892a4440867e750acb11e56692dfd17f92a77fb749498f2b5b86314bd531f51fc1ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RQ0BXIAX.txt

Filesize
112B

MD5
54391b220f843434496c706a6efd54c9

SHA1
fdb67ca3f17f2e52dfd0ecda5c747a70b80dc292

SHA256
844dea4d32fe88a783d153a36e87a0ce65d59ec3b639a13d76ab6129029afa5a

SHA512
1cef49d88354f1d9557baf935099e19523e9f5f8b757cb6de29dbf38f8efa86a68c50759a2197a5d92832501fc8069d5f2985158995d3848634e324cd1f2ae2e

Download Submit
C:\Windows\Show.exe

Filesize
20KB

MD5
24b8c50ced40dc373e20ea41b0adc24b

SHA1
7778ec2fca87d01a835bdd5722fe08d39cb92b7e

SHA256
3878018e1184d104c23b1454c08b6f34d9c8aa0894fbc7110a27e62d0b6ed506

SHA512
ebe8a82d00c170832ffdd96a4a11c3531e81f1bb3c626935b1d1ebb3cd7331db686b8dd34c5be490a914309edd45bee4ff227033e9ea14be50f574e5a58b3256

Download Submit
C:\Windows\flash.exe

Filesize
20KB

MD5
5c0e8df573150e63a52ed648ccc25b31

SHA1
257de4c40af5c80d6af55f58cfd012f3f5a27276

SHA256
05b0144e177fbcd0c373c208bd8b6adc127661a4beda84a2239519c2e37b537d

SHA512
7cfe802d2d081b6d95cd2e51b5717c3b0c533e80616392ed74c61d8578d8e84c390ba0f42a49265467e1e4721692e498b79835d2e0f1f75176c521bdac409b77

Download Submit
C:\rising.exe

Filesize
164KB

MD5
87bd74f20ae03f921b1a3cb5f43be01f

SHA1
ffbb094e546e95ca8e7233ce1f64d19853ebd712

SHA256
d7be28e9ccaa3403f3037b3d16ce6bb01d4f6cfdd30327cd7ed72258eeec5af2

SHA512
a945f28370c58809d64cdc416a17a73cd29b9db07b8915de0a37e12df427465e563975d93b6a9546a69e98c0816d62030885b10cde2fb6895aa96c9c3d4a273a

Download Submit
C:\rising.exe

Filesize
164KB

MD5
87bd74f20ae03f921b1a3cb5f43be01f

SHA1
ffbb094e546e95ca8e7233ce1f64d19853ebd712

SHA256
d7be28e9ccaa3403f3037b3d16ce6bb01d4f6cfdd30327cd7ed72258eeec5af2

SHA512
a945f28370c58809d64cdc416a17a73cd29b9db07b8915de0a37e12df427465e563975d93b6a9546a69e98c0816d62030885b10cde2fb6895aa96c9c3d4a273a

Download Submit
C:\windows\Show.exe

Filesize
20KB

MD5
24b8c50ced40dc373e20ea41b0adc24b

SHA1
7778ec2fca87d01a835bdd5722fe08d39cb92b7e

SHA256
3878018e1184d104c23b1454c08b6f34d9c8aa0894fbc7110a27e62d0b6ed506

SHA512
ebe8a82d00c170832ffdd96a4a11c3531e81f1bb3c626935b1d1ebb3cd7331db686b8dd34c5be490a914309edd45bee4ff227033e9ea14be50f574e5a58b3256

Download Submit
\??\c:\reg.reg

Filesize
195B

MD5
d074af1950aed38a9507428f23df9ad2

SHA1
0313b03e880b283cfacf64aea25c54259d388201

SHA256
5f3cd51950de3b9c7f8bb8a14cf5c39f3d480270d89a7c8fabb54900c9c34ca8

SHA512
484029eb461a182a9b088f9912047d455749381eab696d15af719f020f4982b6a331b20f1ab5437a8f9312724770ac26791f83d20c79e0e1b1340e53d1122fbc

Download Submit
\??\c:\reg2.reg

Filesize
450B

MD5
2944837920fafc0892eb196e7d774b23

SHA1
31269a61616a0064576e0e6a93e23722cf5a2057

SHA256
1c2c0c933e0023e7a24cdd4dd5bf363b00449094d3dc9ff3e7188d893e2580dc

SHA512
027b5677254eb8582a672cee88cd5c82dce09170fdc2fd47e9dfaacbd29b691719a5c7ecacbae1fb8c3a5d4a5243e9d3aad64be63e9c788e01f6dfd24f0e003f

Download Submit
memory/932-74-0x0000000003581000-0x000000000442D000-memory.dmp

Filesize
14.7MB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads