| File name: | TrueLore.zlzbcgzs.application |
| Full analysis: | https://app.any.run/tasks/fc82f850-acaf-4258-97de-4a912d7a5997 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 10, 2020, 01:22:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/xml |
| File info: | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines |
| MD5: | 021033AD67CDE8326535D5D95FAE0517 |
| SHA1: | DDD35BBFFF45DAE0B1B89022BCD8145A07A011AA |
| SHA256: | 7352981F789546ED7ED88D0B4E32E32CBD3124092DE6FAD8ACE1684160672BD4 |
| SSDEEP: | 192:fmrMCLxvmuAMOM+BLELPMOM+UX8oWEqeevPBSAK3GrdsdFA:+AYmu1b+yLEb+O5WtBvwAdsdG |
| .xml | Generic XML (UTF-8) (72.7) |
| .txt | Text - UTF-8 encoded (27.2) |
| AssemblySchemaLocation: | urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd |
| AssemblyManifestVersion: | 1 |
| AssemblyXmlns: | urn:schemas-microsoft-com:asm.v2 |
| AssemblyAssemblyIdentityName: | TrueLore.zlzbcgzs.application |
| AssemblyAssemblyIdentityVersion: | 1.0.0.79 |
| AssemblyAssemblyIdentityPublicKeyToken: | bbb830196ee93892 |
| AssemblyAssemblyIdentityLanguage: | neutral |
| AssemblyAssemblyIdentityProcessorArchitecture: | x86 |
| AssemblyAssemblyIdentityXmlns: | urn:schemas-microsoft-com:asm.v1 |
| AssemblyDescriptionPublisher: | 北京筑龙信息技术有限责任公司 |
| AssemblyDescriptionProduct: | 筑龙招标采购助手 |
| AssemblyDescriptionXmlns: | urn:schemas-microsoft-com:asm.v1 |
| AssemblyDeploymentInstall: | |
| AssemblyDeploymentMapFileExtensions: | |
| AssemblyDeploymentMinimumRequiredVersion: | 1.0.0.78 |
| AssemblyDeploymentTrustURLParameters: | |
| AssemblyDeploymentSubscriptionUpdateBeforeApplicationStartup: | - |
| AssemblyDeploymentDeploymentProviderCodebase: | http://www.zhulong.com.cn:8080/ZBCGZS/TrueLore.zlzbcgzs.application |
| AssemblyDependencyDependentAssemblyDependencyType: | install |
| AssemblyDependencyDependentAssemblyCodebase: | Application Files\TrueLore.zlzbcgzs_1_0_0_79\TrueLore.zlzbcgzs.exe.manifest |
| AssemblyDependencyDependentAssemblySize: | 51613 |
| AssemblyDependencyDependentAssemblyAssemblyIdentityName: | TrueLore.zlzbcgzs.exe |
| AssemblyDependencyDependentAssemblyAssemblyIdentityVersion: | 1.0.0.79 |
| AssemblyDependencyDependentAssemblyAssemblyIdentityPublicKeyToken: | bbb830196ee93892 |
| AssemblyDependencyDependentAssemblyAssemblyIdentityLanguage: | neutral |
| AssemblyDependencyDependentAssemblyAssemblyIdentityProcessorArchitecture: | x86 |
| AssemblyDependencyDependentAssemblyAssemblyIdentityType: | win32 |
| AssemblyDependencyDependentAssemblyHashTransformsTransformAlgorithm: | urn:schemas-microsoft-com:HashTransforms.Identity |
| AssemblyDependencyDependentAssemblyHashDigestMethodAlgorithm: | http://www.w3.org/2000/09/xmldsig#sha1 |
| AssemblyDependencyDependentAssemblyHashDigestValue: | VFIGDL8ZaLARAwplGarxwQ62jU8= |
| AssemblyPublisherIdentityName: | CN=北京筑龙信息技术有限责任公司, O=北京筑龙信息技术有限责任公司, STREET=北京市海淀区上地六街28号院2号楼4层406室, L=北京, S=北京, PostalCode=100085, C=CN |
| AssemblyPublisherIdentityIssuerKeyHash: | 299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12 |
| AssemblySignatureId: | StrongNameSignature |
| AssemblySignatureXmlns: | http://www.w3.org/2000/09/xmldsig# |
| AssemblySignatureSignedInfoCanonicalizationMethodAlgorithm: | http://www.w3.org/2001/10/xml-exc-c14n# |
| AssemblySignatureSignedInfoSignatureMethodAlgorithm: | http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
| AssemblySignatureSignedInfoReferenceUri: | - |
| AssemblySignatureSignedInfoReferenceTransformsTransformAlgorithm: | http://www.w3.org/2000/09/xmldsig#enveloped-signature |
| AssemblySignatureSignedInfoReferenceDigestMethodAlgorithm: | http://www.w3.org/2000/09/xmldsig#sha1 |
| AssemblySignatureSignedInfoReferenceDigestValue: | nXc4f46FoGjAG4DTAtOQdrgF994= |
| AssemblySignatureSignatureValue: | kMrxaZUSZQe6ZtgQs58fF2fKALM/VpasHjtUE3zR7O4Qz5e7aFc4Xm859iLw56iG9RYGwDMbWD7IQ0tHT5lhWvF+Ava0p7Y7fDnoujMpMKmlyKntXLi4PiJXfXd+DvxMVR59/Dma5p4VjcQYm3b1gwUasfd2/v5MZX9DHyZP1yNBdVmWZIBqMUyzCDiqeQW44Zyj5kXaVyHTdaP+f/2lRnnrr+SpN83oaeN2MRaAd5GaPWr2zSa+4OBCXGmLuixJu0IYO7Lhef8dVpupqUQUYXM98Pgk+iZRVcOPw5kP2yqbL2qvmqRKLqNX44L7df4iUhTO0PL0l6JKW5vHtkdt7w== |
| AssemblySignatureKeyInfoId: | StrongNameKeyInfo |
| AssemblySignatureKeyInfoKeyValueRSAKeyValueModulus: | 4tvjE9hISXw2Bm/gz0FDUwvhO8L7SQAn82y/gG1154veprB0CkcX1x63fYfh4jvshMEYjaZHa6eSYssjfpaCOwxh5SD3MFTtCirTIIfdMyrzlJ0p1C5zbXmixDlA+dWSFpGJ0f6Tepf8vM/58MvjPPhiBqg/QEflciPafIq64e16yroYiclePphIN7TK3r8hGdLapXh9VJPJ2BczX9EWOyYmMXlIncvWpDciOZDHqwyAFxiBvV17Gqs7pUUIhtxkHD7i9MiAO5e0X3YjT1HoOrGG6U7UeejweL1iwz8k1Qyok4JfiEGiK8tkY3YYKNJivnZMpIhZaMpr+XiUTTDTZQ== |
| AssemblySignatureKeyInfoKeyValueRSAKeyValueExponent: | AQAB |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationHash: | def705b87690d302d3801bc068a0858e7f38779d |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationDescription: | - |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationUrl: | - |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationAssemblyIdentityName: | TrueLore.zlzbcgzs.application |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationAssemblyIdentityVersion: | 1.0.0.79 |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationAssemblyIdentityPublicKeyToken: | bbb830196ee93892 |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationAssemblyIdentityLanguage: | neutral |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationAssemblyIdentityProcessorArchitecture: | x86 |
| AssemblySignatureKeyInfoRelDataLicenseGrantManifestInformationAssemblyIdentityXmlns: | urn:schemas-microsoft-com:asm.v1 |
| AssemblySignatureKeyInfoRelDataLicenseGrantSignedBy: | - |
| AssemblySignatureKeyInfoRelDataLicenseGrantAuthenticodePublisherX509SubjectName: | CN=北京筑龙信息技术有限责任公司, O=北京筑龙信息技术有限责任公司, STREET=北京市海淀区上地六街28号院2号楼4层406室, L=北京, S=北京, PostalCode=100085, C=CN |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureId: | AuthenticodeSignature |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureXmlns: | http://www.w3.org/2000/09/xmldsig# |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignedInfoCanonicalizationMethodAlgorithm: | http://www.w3.org/2001/10/xml-exc-c14n# |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignedInfoSignatureMethodAlgorithm: | http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignedInfoReferenceUri: | - |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignedInfoReferenceTransformsTransformAlgorithm: | http://www.w3.org/2000/09/xmldsig#enveloped-signature |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignedInfoReferenceDigestMethodAlgorithm: | http://www.w3.org/2000/09/xmldsig#sha1 |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignedInfoReferenceDigestValue: | PAD2gnyjSP/pSPRPCaiTShYF3mg= |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureSignatureValue: | gxM0xGUciWVRQSk/JvGjhF3F+0ZBouhZ3YEgzP28JETxOXXdVjN3UlLfGXUBffWBuXF5q4MOfzKda4mipczIc1gqgz1gDJxHo/4we8GVGunl51wywlgQeSNdeVNOeYlcby37DK1YOs7Lw4qG3CjuTmgRwWj7i22VO06kwicM06FLRY7okvCdlyU64HOzf1XzcNvgFF7L+LJvp8MayYZBBoYSfvNN1e8/AEIZ9/52RZ0sauuyG0ir2PXEW8oRzH0/J8XgD0/vvX+LPAd0bBb0/EecJxMKUkqOyGZxY78UY3RRO6P0zY8oPWlbbqGHMcLkbvwtPunE3ARSTsWBhvWHvQ== |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureKeyInfoKeyValueRSAKeyValueModulus: | 4tvjE9hISXw2Bm/gz0FDUwvhO8L7SQAn82y/gG1154veprB0CkcX1x63fYfh4jvshMEYjaZHa6eSYssjfpaCOwxh5SD3MFTtCirTIIfdMyrzlJ0p1C5zbXmixDlA+dWSFpGJ0f6Tepf8vM/58MvjPPhiBqg/QEflciPafIq64e16yroYiclePphIN7TK3r8hGdLapXh9VJPJ2BczX9EWOyYmMXlIncvWpDciOZDHqwyAFxiBvV17Gqs7pUUIhtxkHD7i9MiAO5e0X3YjT1HoOrGG6U7UeejweL1iwz8k1Qyok4JfiEGiK8tkY3YYKNJivnZMpIhZaMpr+XiUTTDTZQ== |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureKeyInfoKeyValueRSAKeyValueExponent: | AQAB |
| AssemblySignatureKeyInfoRelDataLicenseIssuerSignatureKeyInfoX509DataX509Certificate: | |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 684 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB0BE.tmp" "c:\Users\admin\AppData\Local\Temp\CSCB0BD.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | admin | Microsoft Corporation | HIGH | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 8.00.50727.4940 (Win7SP1.050727-5400) |
| 760 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1092 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 980 | "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\Desktop\TrueLore.zlzbcgzs.application.xml" | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | XML Editor | 0 | 14.0.4750.1000 |
| 1060 | "C:\Users\admin\AppData\Local\Apps\2.0\N37AQYYV.B1C\M7X6LVJZ.2M6\true..tion_bbb830196ee93892_0001.0000_f193c091853dc80d\Output\TrueLore.筑龙招标采购助手.exe" false | C:\Users\admin\AppData\Local\Apps\2.0\N37AQYYV.B1C\M7X6LVJZ.2M6\true..tion_bbb830196ee93892_0001.0000_f193c091853dc80d\Output\TrueLore.筑龙招标采购助手.exe | | TrueLore.zlzbcgzs.exe | admin | 北京筑龙信息技术有限责任公司 | HIGH | 筑龙招标采购助手 | 0 | 1.0.0.114 |
| 1092 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | | MSOXMLED.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 1748 | "rundll32.exe" dfshim.dll,ShOpenVerbApplication C:\Users\admin\Desktop\TrueLore.zlzbcgzs.application | C:\Windows\system32\rundll32.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1928 | "C:\Users\admin\AppData\Local\Apps\2.0\N37AQYYV.B1C\M7X6LVJZ.2M6\true..tion_bbb830196ee93892_0001.0000_f193c091853dc80d\TrueLore.zlzbcgzs.exe" | C:\Users\admin\AppData\Local\Apps\2.0\N37AQYYV.B1C\M7X6LVJZ.2M6\true..tion_bbb830196ee93892_0001.0000_f193c091853dc80d\TrueLore.zlzbcgzs.exe | — | dfsvc.exe | admin | 北京筑龙信息技术有限责任公司 | MEDIUM | 筑龙招标采购助手 | 0 | 1.0.0.105 |
| 2072 | "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1 | C:\Program Files\Windows Media Player\setup_wm.exe | — | wmplayer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Windows Media Configuration Utility | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 2360 | "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1 | C:\Program Files\Windows Media Player\wmplayer.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Media Player | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 2524 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1092 CREDAT:78849 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | 2720877146 |
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30824024 |
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | |
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |
| 980 | MSOXMLED.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | |
| 980 | MSOXMLED.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
| 980 | MSOXMLED.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
| 1092 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1092 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\620RLD0L.BBK\R3JC1LXA.90X.application | xml | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\TrueLore.zlzbcgzs.exe.manifest | xml | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\Output\TrueLore.驱动检查.Common.dll | executable | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\Output\TrueLore.Windows.Forms.dll | executable | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\WCTNVNTB.RRD\GODWZOLA.705.application | xml | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\Output\Html\images\botton5-normal.png | image | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\zhulongmofang-desk.ico | image | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\Output\Html\images\botton9-hover.png | image | — | — |
| 2892 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\TV6V10Q5.YBY\CL13BGPP.050\Output\Html\images\banner06.png | image | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/TrueLore.%E9%A9%B1%E5%8A%A8%E6%A3%80%E6%9F%A5.Common.dll.deploy | CN | executable | 248 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/Html/images/banner09.png.deploy | CN | image | 152 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/Html/images/botton5-normal.png.deploy | CN | image | 1.50 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/TrueLore.zlzbcgzs.application | CN | xml | 9.83 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/Html/images/botton9-hover.png.deploy | CN | image | 1014 b | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/zhulongmofang-desk.ico.deploy | CN | image | 344 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/Aspose.Words.dll.deploy | CN | executable | 11.8 Mb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/TrueLore.zlzbcgzs.exe.manifest | CN | xml | 50.4 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/Html/images/botton3-hover.png.deploy | CN | image | 1.96 Kb | suspicious |
| 2892 | dfsvc.exe | GET | 200 | 120.55.198.20:8080 | http://www.zhulong.com.cn:8080/ZBCGZS/Application%20Files/TrueLore.zlzbcgzs_1_0_0_79/Output/TrueLore.Windows.Forms.dll.deploy | CN | executable | 847 Kb | suspicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1092 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2892 | dfsvc.exe | 120.55.198.20:8080 | www.zhulong.com.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious |
| 1092 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 1092 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 2524 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 1060 | TrueLore.筑龙招标采购助手.exe | 120.55.198.20:80 | www.zhulong.com.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious |
| 1092 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| api.bing.com | | whitelisted |
| www.bing.com | | whitelisted |
| www.zhulong.com.cn | | suspicious |
| iecvlist.microsoft.com | | whitelisted |
| r20swj13mr.microsoft.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| ieonline.microsoft.com | | whitelisted |
| tbzs.zhulong.com.cn | | unknown |
| dns.msftncsi.com | | shared |
| PID | Process | Class | Message |
|---|---|---|---|
| 2892 | dfsvc.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 2892 | dfsvc.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| Process | Message |
|---|---|
| dfsvc.exe | *** Status originated: -1073741811<br>*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230 |
| dfsvc.exe | *** Status originated: -1073741811<br>*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230 |
| dfsvc.exe | *** Status originated: -1073741811<br>*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230 |
| dfsvc.exe | *** Status originated: -1073741811<br>*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230 |
| dfsvc.exe | *** Status originated: -1073741811<br>*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230 |
| dfsvc.exe | *** Status Originated: -1073741772<br>*** Source File: d:\iso_whid\x86fre\base\isolation\win32\isoreg_direct.cpp, line 1127 |