joker | fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914

Analysis

max time kernel
136s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
Size

665KB
MD5

693a45eba4ca44b0989b567c4adfa210
SHA1

aab926de0748d693d2f24d7475cb0bb3e32ab627
SHA256

fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914
SHA512

57e9a2a5bd13ce158906e4e48f8c15110192702889a53172373dd9b842752323af5a5e5f8d7ae4abda1c454dd9ba6b84ca6634127f5bdba1115fd342929d28a4
SSDEEP

12288:dZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6QMgrwT:dafIiy4NwdLpQMywT

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 3 IoCs

pid	Process
5004	rising.exe
1540	flash.exe
4136	Show.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rising.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\windows\flash.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File created	C:\windows\Show.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File opened for modification	C:\windows\Show.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File created	C:\windows\tao.ico	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File opened for modification	C:\windows\tao.ico	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
File created	C:\windows\flash.exe	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\77817.com\Total = "0"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "578"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "504"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989625"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.77817.com	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2671469746"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "200"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.lantiantiantianbaodaliang3.com\ = "567"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\77817.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\77817.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "515"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989625"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.77817.com\ = "0"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\5136688.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\5136688.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\5136688.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "263"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2671469746"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "830"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2697716869"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\77817.com\Total = "74"	Show.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2671469746"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.77817.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\77817.com\NumberOfSubdomains = "2"	Show.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "326"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lantiantiantianbaodaliang3.com\Total = "504"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.54680.com/"	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	rising.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\CLSID	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.5136688.com/?wg999"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open\command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.5136688.com/?wg999"	rising.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.firefoxx\ = "firefoxxFile"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\ = "????"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\NeverShowExt	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.firefoxx	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open\command	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\ScriptEngine	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\ = "open"	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	rising.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\ScriptEngine\ = "JScript.Encode"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	rising.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	rising.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	rising.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\firefoxxFile\DefaultIcon	rising.exe

Runs .reg file with regedit 2 IoCs

pid	Process
5116	regedit.exe
1412	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4132	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
4132	iexplore.exe
4132	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5004	rising.exe
1540	flash.exe
4136	Show.exe
4136	Show.exe
4136	Show.exe
4132	iexplore.exe
4132	iexplore.exe
3496	IEXPLORE.EXE
3496	IEXPLORE.EXE
4132	iexplore.exe
4132	iexplore.exe
212	IEXPLORE.EXE
212	IEXPLORE.EXE
212	IEXPLORE.EXE
212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 5004	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	81
PID 2868 wrote to memory of 5004	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	81
PID 2868 wrote to memory of 5004	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	81
PID 2868 wrote to memory of 1540	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	84
PID 2868 wrote to memory of 1540	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	84
PID 2868 wrote to memory of 1540	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	84
PID 2868 wrote to memory of 4136	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	82
PID 2868 wrote to memory of 4136	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	82
PID 2868 wrote to memory of 4136	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	82
PID 2868 wrote to memory of 4132	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	83
PID 2868 wrote to memory of 4132	2868	fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe	83
PID 5004 wrote to memory of 3664	5004	rising.exe	85
PID 5004 wrote to memory of 3664	5004	rising.exe	85
PID 5004 wrote to memory of 3664	5004	rising.exe	85
PID 3664 wrote to memory of 5116	3664	cmd.exe	87
PID 3664 wrote to memory of 5116	3664	cmd.exe	87
PID 3664 wrote to memory of 5116	3664	cmd.exe	87
PID 4132 wrote to memory of 3496	4132	iexplore.exe	88
PID 4132 wrote to memory of 3496	4132	iexplore.exe	88
PID 4132 wrote to memory of 3496	4132	iexplore.exe	88
PID 5004 wrote to memory of 1464	5004	rising.exe	90
PID 5004 wrote to memory of 1464	5004	rising.exe	90
PID 5004 wrote to memory of 3332	5004	rising.exe	91
PID 5004 wrote to memory of 3332	5004	rising.exe	91
PID 5004 wrote to memory of 3332	5004	rising.exe	91
PID 4132 wrote to memory of 212	4132	iexplore.exe	93
PID 4132 wrote to memory of 212	4132	iexplore.exe	93
PID 4132 wrote to memory of 212	4132	iexplore.exe	93
PID 3332 wrote to memory of 1412	3332	cmd.exe	94
PID 3332 wrote to memory of 1412	3332	cmd.exe	94
PID 3332 wrote to memory of 1412	3332	cmd.exe	94
PID 5004 wrote to memory of 3672	5004	rising.exe	95
PID 5004 wrote to memory of 3672	5004	rising.exe	95
PID 5004 wrote to memory of 3672	5004	rising.exe	95

C:\Users\Admin\AppData\Local\Temp\fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe
"C:\Users\Admin\AppData\Local\Temp\fb962f1b42390657648cd90a6b008db012ff1187bad47bafa6c6729cc91ef914.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\rising.exe
  C:\rising.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s c:\reg.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\reg.reg
      4⤵
      Runs .reg file with regedit
      PID:5116
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5136688.com/?t
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s c:\reg2.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\reg2.reg
      4⤵
      Runs .reg file with regedit
      PID:1412
- - \??\c:\windows\SysWOW64\wscript.exe
    c:\windows\system32\wscript.exe C:\\Killme.vbs
    3⤵
    PID:3672
- C:\windows\Show.exe
  C:\windows\Show.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4136
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.77817.com/setup.asp?wg999
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4132 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4132 CREDAT:17416 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:212
- C:\windows\flash.exe
  C:\windows\flash.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Killme.vbs

Filesize
219B

MD5
4483db672c67e498915eca2ba22c6b8c

SHA1
1f29ed5a2c6db4301599d4487a324535f6640539

SHA256
52d77c509bc42e5ea1e5cfb815f2efad9ec6c770b71bd8ddb1ef391a06ba91ab

SHA512
2fb84b25f75eed13df4f8d0d46e6d39191dcd5a6b0f88f7102cfd8cfec7acea6347a783fbd5dbc0b61636f3167fcc308dfeacd348abbb2aeddc57be9d213fd1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
5ecfef9e237bf97e4b37b7df2ba16523

SHA1
ced56bfb54cf26d4186bf7058bc3171d2f6b9e91

SHA256
1baa421111367ffec18d5dcbe68916551514fb2a35874083ffc6e7ceaad919a9

SHA512
34b9b3c7b93462b6277e1a6fff5e3e653abbae1ce806a51c9b199535f0f6adad709ed5fb7830dfff59257f6efacd6909dc1e9b6ab8f332fd773f171767cc76d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
b1545b6b4522bcef26d2887bd817dd06

SHA1
a0cc4609d1c12a8d5d4054fb21bddac428db73c3

SHA256
00a53c78abe8c042dce53eb1c8da96efabd198fafaa7b2a13353f8b9139e584e

SHA512
bcf7e626ee661d5088db0c49b49f44ff1d0dc53cdceb0b0b0e657016b7a1670dbba4e29674cea274b9e01a2efa23fd35982207b47e0815558f060da43e18f309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
efeb76106b4a42dcfe9d9b9eb2b268cc

SHA1
9bd7be857e1940a5e69a3ca18a8337e888c2a92e

SHA256
d895832dee7a8b1bd1ff870bc4de166b78b7949a5cfb48e7b899bd6da89f0d45

SHA512
0aa00542e041b6afb8b3b9861777700992d2e8c272d832e018a68f1004e956ded740dad89aeb05e635454d2c9e9f8f9dfc66d21e0d5f51a44d5a8f14559ac5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fceed7a5f76725fb398c6a91ff552899

SHA1
237aec000ae7c7c35a639664b1ad6c0d842a0749

SHA256
2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

SHA512
adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fceed7a5f76725fb398c6a91ff552899

SHA1
237aec000ae7c7c35a639664b1ad6c0d842a0749

SHA256
2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

SHA512
adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9DD3D82403C592F0DA5ECFF159BDA01D

Filesize
346B

MD5
e1e96dae456ac2687aa0f8673ffbca91

SHA1
af2a7e70442a1555a74e5860358286488186631f

SHA256
de28dfb47e611ffa2f0b9e7bf5a8b2af2bc4f5ab0312048f17df3ee83f675a15

SHA512
91a3762f2b6460fb7164a31666e994fe05c7948cc8c3d367346b89ed1659050612908b7904781e3922ecee44faa8f6e2a72969587b4d573763b1c89e821a9e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_0682F448E952CB7EC702552451662AB5

Filesize
1KB

MD5
3e19b87996ee5fe9582a2edbf0861b8f

SHA1
5c4dc62fe483356bcce8da60a6be925c2d121192

SHA256
37d79e22d966fb8dd068e6761ba747e0c686f6eecaf26a45a2e289af29bc49de

SHA512
c897ed58532e40b023a847db47c8ab2528c21e67f43488228117c79c08e0b524f3b8097dbd761e10dec2d08b894d49401907bb1c1a04939db07bcd18f6baba80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
1KB

MD5
446ec3a907ed655206a2d2d30af71576

SHA1
93ceddb3d21893fff0713e8e6fee551829a4d277

SHA256
92e5b5d520f6d33e405763f2ee7484d3859e1ff5b67b604d05f89ed3e7fdf5b1

SHA512
ed70d1ab10892bb24a7e0f3d09ecff88845c1e2bf90e18e423674f4fdd2365dc6bed53455ba258f7a2bc000b4858e8bbb21796f0451dff70f15ff26f8dce0753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
f122694b71b1616d29b2b21d77847088

SHA1
bb53e5c827af843c286df8d63cdba3d380fafc29

SHA256
00d81849d78036e27ee3522ce6fe6a1e5f9251f462346d8a5e63f2d6a2930f98

SHA512
f78fb526ebeabeb2b5e9a61ee2eb57c4f8c74e3a1adf1c4d8ad8a301f41c3566d8c85f478becc90df57b509aaefabc85b16c65da0533fef45efee2c6e6f229e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
96b4379f0263a1dd162c760dfe912a87

SHA1
1f1c98310d76df92ae779305b9c92592d2fb045b

SHA256
a38d0f87ccb3a75877030d17eb328263b98d8fb1b80efb5f4d2874d19328ab0c

SHA512
e1d207f1ffa86cb06110648d42a9715bcfa072efa806cbfaaaaec1060776ee28c023478d7571889ae7bf57be3d88bd734fe5100fbcb062c2e81c35d456418b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
89357359092aef9be8ebdc60d05092dc

SHA1
1da1588cc00596bebe4e18d03959095470fa3c5f

SHA256
afb560063e75c0280f9362c9c2e2fce72287420bf0d10c6a0ea971336a93727f

SHA512
e214e59c338decb66be2172f9021cfb997c5d130adef7bc285f77bed332b27ace3d1050d54c6b82ade14ffa34455a4aaef095ba95d56be4b63e0a2148d251d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
745228a3cfea3f73f8c75fc845f2f42d

SHA1
729b3745f64faba6b2f9b659b5162942249cc175

SHA256
e8bae72ee4b3a4701f67757d3d41a12653ccc12ca3bb94b95b177ff50e516455

SHA512
85bc3d8a3d1835c9a6deb93a4c1dce6b03c4042405db5b2829be9e62f71ad240b926409ff101c0ccf77d69fedd3006c52ac2f10112c3ce4db1f59b96265650dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
ea71ff54d1640dfa6409cd2150202d0b

SHA1
125ad14862bb8486e16ade1e620e8f47cbc9274f

SHA256
1e2139fc0658a45da621d47da13ec8733699dd3c9a5c65a55f879375bac2dbe7

SHA512
7d06e0f52d696a317bfbdadd0d161942422d27da9c1a2e2dd17481aada3612df64ab2ce254b9b6d42357e1117b0ec4f3995eb59ffbbf0ff07db0936ae1b74e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
2719613453ac0cb68ea7ec1918494b70

SHA1
df52ed09805d2dd409ac0eb9a77c0579f7c40cf7

SHA256
54c91899a3055f396d0237c7394e0fce6e58994420d56e19161f4801f8e262ed

SHA512
d4d5c65b05c5a7f4299d131154685a1bee8dd1c783fba97cbb030392f8b319b7df7c66455ff92a4aec078513d81bd8572d14509a91c7dab11da899e7c7b41ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
938f0043523d56df6bf03335ca976b9a

SHA1
c6b5827982e26858e768d85b54e9c7bb525537b3

SHA256
d3139fa5a6f44f79d59a544def1b2eeadee783613799a82f5a3c42f771707e42

SHA512
d831c0e69064a608e150f71767e48dfa6b4c02f5a693698f97c8bf812e309975900aead216715f2be72dbb899e4b7d0f601f2a301b3ec1683c6934528d67568e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
688e7952ed1da38607598d47744dbaa4

SHA1
8c11023c27b16cd504c49b0e834119771eefc3d4

SHA256
a59b7bf984c8a7fe9e77740cc30aebae7578733083ae42c83c34fb8ac48ac324

SHA512
c2b3819d9525fe5a33dd646b714d59e88154ea9ab88de3b311cbfb1d0fa96249745a1f00f4346a61ad335ce9e493e23d31faab23a34e51a65216ee3dae41038b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
688e7952ed1da38607598d47744dbaa4

SHA1
8c11023c27b16cd504c49b0e834119771eefc3d4

SHA256
a59b7bf984c8a7fe9e77740cc30aebae7578733083ae42c83c34fb8ac48ac324

SHA512
c2b3819d9525fe5a33dd646b714d59e88154ea9ab88de3b311cbfb1d0fa96249745a1f00f4346a61ad335ce9e493e23d31faab23a34e51a65216ee3dae41038b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4fd3a1317dbfc3a361c73d2c021836a5

SHA1
94a05fae7dd90afc5622bb8042a980007e8bcfe4

SHA256
ebafa1a490cb26add3ff96ec3cee44b95ea5508cd98896abcdcf0e234799506c

SHA512
2c9c4ebf6b345b8129f63d9ce4257fa6c5f4bc45856b0fb172a072156fa71f8db34cf3a74ed4aa60abeaf051f8c6205825eece1712461e78f38d2ad3c401f1bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9DD3D82403C592F0DA5ECFF159BDA01D

Filesize
544B

MD5
f9f061ef0c3e0b70abc72f02b67fa3da

SHA1
9bcbab931c7fc57b88fa597351b1373ebf619aa2

SHA256
f2ef52afba024f0f2b2d514a595a9bf5db15935cd7ab145cc04ed2740ab85b5b

SHA512
149e117cd2cb4e9831c4008a21e60475937b3dd10658356a06854253fe42614a9cabe105d12c04beb3553ac65441d4c9d180d295e9179b956fa49a1cd9572fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_0682F448E952CB7EC702552451662AB5

Filesize
536B

MD5
7cf65bfd51e966409fc8107d1a3c321b

SHA1
2b1faeea2591e61b741229cc2ffeb6e4f45d6e53

SHA256
6f48dca730985411b1cc071b7733dbabb2ac13b7d59f89f963f17f3a747bf5f2

SHA512
365709ff883cb849936a28c0eaa7f653450bfc53f8c78e06d6854ffab30446ef3df5690aee2f9d912bd8e9bbe9e8da269b146c929205a18ef961e067a3233d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_0682F448E952CB7EC702552451662AB5

Filesize
536B

MD5
0b0f31dae4a04552fb57449e13fe1d54

SHA1
cd99823367350d80bcf6d52662935e712dd7c55c

SHA256
4996231329ccba15ebaf55d322e933aa6d5443aa2001e96f36d70819d25e859b

SHA512
de01fe5d0af904be5b7599f5bfc298c866f7066a3b984c3819158bd8318c7a1293fdb9460e029a8bb3a9beec07b1a057adebf0bcb3778ccc2e5b78072199ba16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
492B

MD5
ab13a5c2332f82939d07046ecf7fc555

SHA1
24946f490729358084e3d742e9ff598f2c58f180

SHA256
adce74c5117c69566745a02e9d76ae426fe5b5ac2407930007698019255aacf5

SHA512
1b0cac126be291208e8f00e7470a0c717f943eeb70f0a6e998cc7b7ab8b643c20b509da2183b9f3b524b572116de26e5701d3274c582aae4ce4cc8dbf50123c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
2bdf005e699a588cb5a410325a75d0b9

SHA1
240575eac3f940891b425e8291acbe451465b7ab

SHA256
e422b40b6d704264b01835c35fc0a571062e57556c9a2d52848c6974569e07c9

SHA512
097ec49c78cb2b532a4a8d7f3583972dea857b96262e128af8ecdbcc2d77cfee020a7895eab1b8332011c9146ca89822c0916291d5cfcade542d5dd9fc80dbda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat

Filesize
1KB

MD5
be729ec115b4ad6cbf13a8de143fc2d4

SHA1
7f2a46a93856861ff5962a7e0df5085dafc76f0c

SHA256
c8fd1a31b0421310678c21e9e0aa01a424f59b071d0911ffad00cf18a7be997a

SHA512
451c854ad9685e069890e46d8ed497e35e7c57d363d9b1752a68d66c9a93895434e902d03a48eaf425fb7dffee3e50c155239fa9177b1472c0213a00d33b7692

Download Submit
C:\Users\Admin\Favorites\小游戏.url

Filesize
48B

MD5
886c0272de0503f876373175fc7abbf6

SHA1
cb53bfa59332d71acaabfb855c85a1ab71f0cbc0

SHA256
9e5be797034a5e62b23de452d7953dedf0c2f171b9dafaf4cb72b7bb14a41764

SHA512
ead6283ec505e25d788e30eada665df300671608ef58acf268fdfaf2fce86a6c2c5f7050af293882a2f05e403ff1e0054329138b2a6a20dbcdc6fea0191e7dd8

Download Submit
C:\Users\Admin\Favorites\淘宝网.url

Filesize
157B

MD5
f9a63933cae28c1a9cf6cb00744cfabc

SHA1
920257c2ff90a95d4a02660ceffdc8af25f04c79

SHA256
da01d2bba5a065f876f1e8f9ebb92504754c9938fef6f269eb2488fe44e24471

SHA512
748c43af99fd5e865a87522ca3a2eb0f0067ed55da0c428c1fd3f34f27cd80295320fcf519f55dab43e444f6e68077a56e66bb0a10e1e9a6d1e80067b10c7ede

Download Submit
C:\Users\Admin\Favorites\绿色导航.url

Filesize
45B

MD5
5831b4e3064c03047d0dc85f0b09f3c6

SHA1
8d189040e6a173217037537dd6ebccdfaa0180b8

SHA256
eee0486e1aa1f585f71dd98921454e8dcfcb6d570fbd3fd68c1d7c44411b46cf

SHA512
df5b62bbb971b1c91b576f9e661353694788b83dce1a598c2ae7bfcd63f3bd82fb31e32dfd8db95fe541793de656ac1938a8aee76c0fae8b8833c2cd6d94c1de

Download Submit
C:\Users\Admin\Favorites\网址之家.url

Filesize
49B

MD5
6fe1525bcd5672a08a2f80c140145cf6

SHA1
0cf4f787e1423c33a7b46bd45ddc2ad1a0b80bcf

SHA256
7d922cb56c0deb526bc2ed74140490410ab571b5d42cd5f601c43e1546a43e06

SHA512
9dbd94b762702da52720dfcb5443b7b09d8eee640c3e43f05748250ff4c1ec0fcb99ba4560d55bd3ea1a3061f7d2d0428692a42ad9f98ec0255065a674e13b49

Download Submit
C:\Windows\Show.exe

Filesize
20KB

MD5
24b8c50ced40dc373e20ea41b0adc24b

SHA1
7778ec2fca87d01a835bdd5722fe08d39cb92b7e

SHA256
3878018e1184d104c23b1454c08b6f34d9c8aa0894fbc7110a27e62d0b6ed506

SHA512
ebe8a82d00c170832ffdd96a4a11c3531e81f1bb3c626935b1d1ebb3cd7331db686b8dd34c5be490a914309edd45bee4ff227033e9ea14be50f574e5a58b3256

Download Submit
C:\Windows\flash.exe

Filesize
20KB

MD5
5c0e8df573150e63a52ed648ccc25b31

SHA1
257de4c40af5c80d6af55f58cfd012f3f5a27276

SHA256
05b0144e177fbcd0c373c208bd8b6adc127661a4beda84a2239519c2e37b537d

SHA512
7cfe802d2d081b6d95cd2e51b5717c3b0c533e80616392ed74c61d8578d8e84c390ba0f42a49265467e1e4721692e498b79835d2e0f1f75176c521bdac409b77

Download Submit
C:\rising.exe

Filesize
164KB

MD5
87bd74f20ae03f921b1a3cb5f43be01f

SHA1
ffbb094e546e95ca8e7233ce1f64d19853ebd712

SHA256
d7be28e9ccaa3403f3037b3d16ce6bb01d4f6cfdd30327cd7ed72258eeec5af2

SHA512
a945f28370c58809d64cdc416a17a73cd29b9db07b8915de0a37e12df427465e563975d93b6a9546a69e98c0816d62030885b10cde2fb6895aa96c9c3d4a273a

Download Submit
C:\rising.exe

Filesize
164KB

MD5
87bd74f20ae03f921b1a3cb5f43be01f

SHA1
ffbb094e546e95ca8e7233ce1f64d19853ebd712

SHA256
d7be28e9ccaa3403f3037b3d16ce6bb01d4f6cfdd30327cd7ed72258eeec5af2

SHA512
a945f28370c58809d64cdc416a17a73cd29b9db07b8915de0a37e12df427465e563975d93b6a9546a69e98c0816d62030885b10cde2fb6895aa96c9c3d4a273a

Download Submit
C:\windows\Show.exe

Filesize
20KB

MD5
24b8c50ced40dc373e20ea41b0adc24b

SHA1
7778ec2fca87d01a835bdd5722fe08d39cb92b7e

SHA256
3878018e1184d104c23b1454c08b6f34d9c8aa0894fbc7110a27e62d0b6ed506

SHA512
ebe8a82d00c170832ffdd96a4a11c3531e81f1bb3c626935b1d1ebb3cd7331db686b8dd34c5be490a914309edd45bee4ff227033e9ea14be50f574e5a58b3256

Download Submit
C:\windows\flash.exe

Filesize
20KB

MD5
5c0e8df573150e63a52ed648ccc25b31

SHA1
257de4c40af5c80d6af55f58cfd012f3f5a27276

SHA256
05b0144e177fbcd0c373c208bd8b6adc127661a4beda84a2239519c2e37b537d

SHA512
7cfe802d2d081b6d95cd2e51b5717c3b0c533e80616392ed74c61d8578d8e84c390ba0f42a49265467e1e4721692e498b79835d2e0f1f75176c521bdac409b77

Download Submit
\??\c:\reg.reg

Filesize
195B

MD5
d074af1950aed38a9507428f23df9ad2

SHA1
0313b03e880b283cfacf64aea25c54259d388201

SHA256
5f3cd51950de3b9c7f8bb8a14cf5c39f3d480270d89a7c8fabb54900c9c34ca8

SHA512
484029eb461a182a9b088f9912047d455749381eab696d15af719f020f4982b6a331b20f1ab5437a8f9312724770ac26791f83d20c79e0e1b1340e53d1122fbc

Download Submit
\??\c:\reg2.reg

Filesize
450B

MD5
2944837920fafc0892eb196e7d774b23

SHA1
31269a61616a0064576e0e6a93e23722cf5a2057

SHA256
1c2c0c933e0023e7a24cdd4dd5bf363b00449094d3dc9ff3e7188d893e2580dc

SHA512
027b5677254eb8582a672cee88cd5c82dce09170fdc2fd47e9dfaacbd29b691719a5c7ecacbae1fb8c3a5d4a5243e9d3aad64be63e9c788e01f6dfd24f0e003f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads