91b3dd46f3a074eb74d87f67ca1f410f6497787a49ad1db3908e32421b935f8e

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 02:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad715bcfcfcfff757e9e67f3a90e356b.exe
Size

1.4MB
MD5

ad715bcfcfcfff757e9e67f3a90e356b
SHA1

c40d87a4c413ff2be78f3ef6ff08a4e1ab047e0f
SHA256

91b3dd46f3a074eb74d87f67ca1f410f6497787a49ad1db3908e32421b935f8e
SHA512

f3c97b1d664d93db1373654b3e2e834da4d78ab6f977c0703209d3df95a488686e9d8180d39db40c01908a9764a1d8e5093df201d3cae49f13c17d16c6b42b09
SSDEEP

24576:5gr/4p6qO4pDlPJsZtZQk5p8hulbEwfFD9pBzjRvdsxlTShiVq:O/4Qf4pxPctqG8Il3JnxvdsxZ4Uq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_100202\dailytips.ini	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\soft100202\wl06079.exe	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\soft100202\JJmatch_11494.exe	ad715bcfcfcfff757e9e67f3a90e356b.exe
File opened for modification	C:\Program Files (x86)\jishu_100202\jishu_100202.ini	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\soft100202\0220110205020223020210020202.txt	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\soft100202\pipi_dae_381.exe	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\jishu_100202\FlashIcon.ico	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\jishu_100202\newnew.exe	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\jishu_100202\newnew.ini	ad715bcfcfcfff757e9e67f3a90e356b.exe
File created	C:\Program Files (x86)\soft100202\a	ad715bcfcfcfff757e9e67f3a90e356b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f098f425b66ada01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c230677000000000200000000001066000000010000200000000a7361789c0af93bcc9d3d16dc9e93fd52c4b8cebad17b05e34c3fccd708a481000000000e8000000002000020000000bd2d969987ecaa8d9ab019edcaadbd41083946967bae186395ade9727a137739900000007afe0f42d528a8b45cbc04b370463fa8def6b8b13d06ce06e46904a649bfe094c1d2a58bc58affa9756662ef16700bee722383ae5bd7b5318590015793135e5fa7a23f9a220755bad30c7e98c495f4a8db38e49c3e7e9ba91ad478f3f5deca2089f2b6b8d948fa0a2173177d4398232490f60183b86e4fdba238eb42a48817bb0489faa261e365918bb840d25a76ce4240000000643d11fc502828c1724036f913431eb14da9fe034cab68b35c3e632df48dea41afba665244f5ab75e345502125a02c9f7ee79c35ee6407a64e0310daa0c0ad7f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37D0E471-D6A9-11EE-B23F-66DD11CD6629} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c2306770000000002000000000010660000000100002000000081d1aca64b57f1a55dcb01c55022d270de1fccc327e12118efee88b25106843c000000000e8000000002000020000000c39d9695f7e79ad3dc56e46aa3ae97945775ab6eec270fd9e1bbceca96cd950920000000896b9bb230ffbc39f27f7233dda2100bee7ad71197d6fc95d3191ab5385903ed400000008a72170dda5eb250bbe0d2c66382159e7473d690f7b971d5191cae9abb46638309a3e08a3d4fb68b33acf077d3d97573938db341d56e521a8cc0d808ec996395	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415335146"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37AACE71-D6A9-11EE-B23F-66DD11CD6629} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe
1872	ad715bcfcfcfff757e9e67f3a90e356b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2628	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 1872 wrote to memory of 2528	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	27
PID 2528 wrote to memory of 2628	2528	IEXPLORE.EXE	28
PID 2528 wrote to memory of 2628	2528	IEXPLORE.EXE	28
PID 2528 wrote to memory of 2628	2528	IEXPLORE.EXE	28
PID 2528 wrote to memory of 2628	2528	IEXPLORE.EXE	28
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 1872 wrote to memory of 2816	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	29
PID 2816 wrote to memory of 2588	2816	IEXPLORE.EXE	31
PID 2816 wrote to memory of 2588	2816	IEXPLORE.EXE	31
PID 2816 wrote to memory of 2588	2816	IEXPLORE.EXE	31
PID 2816 wrote to memory of 2588	2816	IEXPLORE.EXE	31
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 1872 wrote to memory of 2256	1872	ad715bcfcfcfff757e9e67f3a90e356b.exe	30
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2628 wrote to memory of 2448	2628	IEXPLORE.EXE	33
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34
PID 2588 wrote to memory of 2728	2588	IEXPLORE.EXE	34

C:\Users\Admin\AppData\Local\Temp\ad715bcfcfcfff757e9e67f3a90e356b.exe
"C:\Users\Admin\AppData\Local\Temp\ad715bcfcfcfff757e9e67f3a90e356b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2448
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2728
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft100202\b_1002.vbs"
  2⤵
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft100202\b_1002.vbs

Filesize
226B

MD5
3af8fdeacc8147d39dadbe9f488d9c5c

SHA1
9823195f545ae0595822e800feefe4fd42c4850b

SHA256
a61f70069a68ca73e45d03258530099f5bd34fa6a7e42ca0cfde46d0b70a89a9

SHA512
0397086c51f3692b13beebd74faffd330e78fc410d362990ff5d45b820278aedb52e6bbe2b923b374081b1a765eb830578b05ab3a3b2ac9a943258d5481a66e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4c42d686708c77bc8ae2aab90b8989d

SHA1
196dccf3997240ba171b19e4fa35a2180c79795d

SHA256
20afc0911601a3e1f88e89ab3857d8d59b3e4f88c5adab97ca7164beee9b993b

SHA512
541723a480126279cec9e93e2a823b078a575fdfa8aa34e62b121cf4d404525c7aebd27cdc00d34882def59df280b44ea29e52dbc71c9188ee0a155bac1f6eca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02a783166dc080881b5c5d284c4eccbb

SHA1
08805732464ddb2649a315c0ab1b59b43c2c4c93

SHA256
7c4d4fb5fd7060797ca2146a18dde1fc42bfe540046844fed0267421bd53e8fa

SHA512
8bf53b276875cabd052b94227e839e635024f43e1e5fc831b736a4363bad697dcc2b85f051f6c71ce8fb45c962165de8328e42b7cea5b013be44e8d576dbb21b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eec100debac51688aec50810c6673cd6

SHA1
5849eb73d2e512adc739e83dbbfb8e413faeeb4b

SHA256
6e8bc959395318ab6190192714b6575e977c22626fec1f237759173ec651fb02

SHA512
21fb9613142622e10f032be615ce2c243923155c50bbb71537372597a6db9640342496e3e9e2fb35677fab914f0b82e113bccfb53918b62289e163c4327b3f5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24189b17c0a672548127ea14acbbd1a1

SHA1
b68acba8ee3b22e91351dc78d56ce9f67eeb2fee

SHA256
2461a8e4d268043c3e5b1576cf8b019b4c07808d3aa806124e3843a5f935cf1a

SHA512
a97fc53859b03e80dcbec1f38700e136988252eb2321781272e0e683f464c4bb6d350ef267eacfb4f496521379340d90107c165aa258552f68ec8ee36dfcdd3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c24a4dd38ba9e550a8de59726099bfb1

SHA1
0ada2bd09301ddbb4e31a057b0a830135888516c

SHA256
2911058b29914f68c5757a38598394394c323d7fa371a0d7dc9f62d8b39ed39a

SHA512
8d61e03dc29749c14a4addc20e4c1715908f3aabbfa4850745283be1c65211d07a1d7de672d568325b5d456bf8366446f09be7bace82986a84ccad7da47df3a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
081a4034850622dcbb6b1c960ddead92

SHA1
171011aa38ca6bd7e30aba9556f2aa23ddce5cda

SHA256
4bd2ba8f236f8b1d06808e240a1981907696512deb0ba17a67963a63f53e1c48

SHA512
0eadf511f449a5d20ef335c563a984c8499a64304c5477ee1bdcb9b80dca5a1a48d45b47026fadd4f1a2a1590778e9a4a53c051864bb59ed5675ea8ae6cee007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5432e14fa32df9d98131305b825c4bca

SHA1
50900b20d2c8493ffefabc6a42785265d49c5a19

SHA256
2abe5785e65f2db7b43ca3da425f955ddf06691929730548f9192db4f9cdd699

SHA512
799006df4c46812c8417a7829e5d53f7851a82839f94ae012416349bff28f44f80445ebd41318cd593dcd9127c0798682611f6a30550f3b03a5006efd27d1fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a771ec566d5fb4fd56b811f8f0fb1769

SHA1
63600dfbd3a29512d9e0d8a4a9c9d51ac1173c3e

SHA256
b5e2d358e39a64c5acbfdf4ba0f88bd8ae5c9a25c56559ab85023d0227b3f393

SHA512
ab567351f9da3f848d828af9c614699438c1fc9410c7425529f9381ba8346756994b479572e548bdbfea65aedd64ecac24b46cc7b7a0c87974edca7ddf8ecff6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d16c13387f08b7f8b0acbe03dd773b5

SHA1
579dec516f3a9fd5780d0f1870586c09f72d9377

SHA256
bd7b323fe62ca9255bcb0e11ce7dc635a6e9b9ea79c9db0da6ab9201a376be33

SHA512
fe789175d8520b8b4144ad7fd11c4f6b4698f8ed23636c592ba7437050902b2001f330c25219669674e501893d8d151870936f02b50b65421c8b921d06eaf80b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23f6ae7cb89722b4ad525ae06fdf1961

SHA1
41a0a63daba08c22422009bae1974bda8a1eb761

SHA256
ca71a692f8a63a1c89c442f534e9d4842ae97033b51bfa30a5a7d581901e9594

SHA512
30cb83edcc3f5b12174a7631dfc2d5302118ec75e1ad21e66ff7884e39249b50b2dc307b3408e7b368d44a09b43649f4a2c4f9d526d9427a5d722504a157da91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc823b975e226b41c3263e7d9e206574

SHA1
cab743b01b99b82f77c322693262dac23a68843a

SHA256
d7e13b5ab311fc9a9293c5f06bf5358b017d148d0b4df6277d5877a62b6fc950

SHA512
cdde6efcb06442b0ac11088d0371db8c03d0eb82d4bdb309d0e2e085cf5afb813d3ebae6f10f4ea4ff6097d617152e5307ff5750204a28532c624f42f588b038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e1af5500594d7151b7a8e5afed25a2b

SHA1
f90fb77faa758e7ffc0397fc7742ba0d9ee85a0a

SHA256
91b01301cd6c5b12a8071c9fe555f265f711a69019231a324282d760d023e56e

SHA512
16f1f61ba7c90cd3fb04c268dee1f18ac7c62915f2524488e48b2d2817b107c229d6cec17e077592fc9a3ff1ac2b1d0c2cee1e48181c17362ddecb49e573824c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a402dc5fc32f702e5d5f02dd806d9464

SHA1
bbfb39515c231f3cd6b7ab4362ecdb16f9ea10f1

SHA256
0ef4527f90bd6a9a75ed7c6b0f97c9719a235556174dab49fe08d9879701e45a

SHA512
27e54c3e1927827b8e6a0a5891cf216ab6dcf54387412e01c3f4a2830b20b2feaf7cc9addf8088c5f5446376ec056cd37b1fdc70baafc3fae4aac14317611ca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38f87c32a6a594420655e4f9623be46e

SHA1
242f27d0a6cdb32e7f5df45d176a8741bf69a195

SHA256
45218e9b8c6fcccb4f2e6d6d413e4e2cc0b5a52b8a7fc06898c5a3623c4bcfbd

SHA512
521c303ef6f56db63301ecaaef2d1c8a8115e439f13bae00482bf81a58338fed6bd436d24bdf9d2ea22aef67b9da8099664de26b01d322632d56ab6bb72fdb79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
256b31c960ff0add16bb26d5366fba01

SHA1
6d4dccd0b771f00912e87621d1b26f7d2fe967a7

SHA256
3b583474aad5aee2fb622a7332398aa2d8050d2e3f3902da74b93e083a4b91bc

SHA512
4d8d5e5c062874f1c11aa26a0180c703310e1f1dc92313e03fd17c5f0c09cb0fed828bf764279a639b7971d862bac123e2dc3c8d587e9b7e1f9fbed46095efaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22c2cd3516b8c237c59e2c6388a40b3f

SHA1
7c84b6e95f268f1fe9db81613e4e99509eae8655

SHA256
e3c2b6968dad4536dcfe291176dd1147fb38e9937697476f940b7e73a0158bfa

SHA512
554156f58d53ff9b8a68cd5ee65603aa62a7a0d35a88c8de7199ecd338fddd9d4891201f53a7877939fb0a2bf0955284866d9479928743500f16a10e6544fb51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd1b01dc5b774121d761aa60635f9af6

SHA1
c99f0559ad0f5df623c5f4d3fd7154c71895bed9

SHA256
9afeb3e2af1aff993064529b798602c82cf985f26453793c2ed9931b2e1f2f97

SHA512
1eb9bf35c17474c8c7727f1d8f208b20e5aedb957d7d08c4a5e8372bef332e27a822871b0270b3a02274a65160370aa65ff7eb9eab46347b2b8739d74187e05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
207fd33d5acb41e2e0434eb686980215

SHA1
2aa3789eb10a671f3b97b2d92b49bd89a058ed4a

SHA256
0559ebf8e9f91751913e5305ab018b63843d02641cdeed46f1cf10899ecf8fbf

SHA512
4f693df1432824394b5aa118820dd11e0bd302eaa66723d1c708ddfe1f175366080928de10961fade7aeaa9529b127619dbc641a2c0c721a1a6407eca2444755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba5f82e39a8684ed7735d9c35932c0b3

SHA1
7228f1d3e4b112cae1d35f647ff7af916fb1509b

SHA256
6f636bd40df69aa7d9683422fca73ed5b4ed00334ebd170bdb9427a348839eac

SHA512
eb92380e48921162cbc54fa2c2db6d86e450dc2cdd18683c1e9bc590b0944d662d4fa11c4c9484020cb9c458254e508101da3f051b792dcc145b161d0589a2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{37AACE71-D6A9-11EE-B23F-66DD11CD6629}.dat

Filesize
5KB

MD5
89f543c2a6ed1cf5134ccb90ccba3dd2

SHA1
71f34568b2f0d20d50dc3e88a511dcbe24621c51

SHA256
23bd000fb2384fffcb2a7b68cd579f5e0ed4567e13d852d8ddd1b580c7fe625a

SHA512
03e7a034c292b3ed67b468d93f37569d7ce360e5c67f01623f2586db0b6e836ccbc07d60600f78caea3cf29d6788f30946a39dfed64ffd47d0671330bacc27f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B46.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C82.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2CB6.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Program Files (x86)\jishu_100202\jishu_100202.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6A68.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6A68.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit