joker | aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
Size

678KB
MD5

459a7c65a7356c462d338762a9a9a310
SHA1

50d6a90197394e589ced3008fe2c65abc13635b2
SHA256

aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7
SHA512

2c4054de1a040c4cb3150880e1804870973bf0e6edcecb3ef513ab76dbf69cf6051dabe67b4811f4ee91a9059170e69c8245f67cacc1d0f1ea3eae089109e82e
SSDEEP

12288:0eOtTM7xyL7Irnc9UtTsDvMLafJCqRLQn3PRvX+PghHMpH6KR5M:MtTsxSMX8MOfJCqJW/IEsI

Score

10^/10

joker infostealer trojan upx

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 4 IoCs

pid	Process
1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
784	e.exe
912	8.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012744-64.dat	upx
behavioral1/files/0x0008000000012744-69.dat	upx
behavioral1/files/0x0008000000012758-72.dat	upx
behavioral1/memory/912-74-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x0008000000012758-70.dat	upx
behavioral1/files/0x0008000000012758-68.dat	upx
behavioral1/files/0x0008000000012744-65.dat	upx
behavioral1/memory/1452-76-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/files/0x0008000000012758-80.dat	upx
behavioral1/memory/1452-79-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-78-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-81-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-82-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-96-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-94-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-92-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-90-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-88-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-86-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-84-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-106-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-114-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-116-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-122-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-120-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-118-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-112-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-110-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-108-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-104-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-102-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-100-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-98-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-124-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1452-123-0x0000000000400000-0x00000000005BE000-memory.dmp	upx
behavioral1/memory/1452-125-0x0000000000400000-0x00000000005BE000-memory.dmp	upx
behavioral1/memory/1452-126-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mn.dll	8.exe
File created	C:\Windows\SysWOW64\deleteinstaller.txt	8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xxwg8.com	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xxwg8.com\ = "126"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xxwg8.com\Total = "126"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xxwg8.com	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xxwg8.com\NumberOfSubdomains = "1"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xxwg8.com\ = "63"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xxwg8.com\Total = "63"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 0f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c61800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6190000000100000010000000f044424c506513d62804c04f719403f9030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405040000000100000010000000e829e65d7c4307d6fbc13c179e037a3620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3490f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a4050f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c61800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6190000000100000010000000f044424c506513d62804c04f719403f90f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a40520000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 190000000100000010000000f044424c506513d62804c04f719403f9040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a4051800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c60f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce20000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 1800000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405040000000100000010000000e829e65d7c4307d6fbc13c179e037a36190000000100000010000000f044424c506513d62804c04f719403f920000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
912	8.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
1452	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1724	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	28
PID 584 wrote to memory of 1724	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	28
PID 584 wrote to memory of 1724	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	28
PID 584 wrote to memory of 1724	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	28
PID 584 wrote to memory of 784	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	29
PID 584 wrote to memory of 784	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	29
PID 584 wrote to memory of 784	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	29
PID 584 wrote to memory of 784	584	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	29
PID 1724 wrote to memory of 912	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	30
PID 1724 wrote to memory of 912	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	30
PID 1724 wrote to memory of 912	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	30
PID 1724 wrote to memory of 912	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	30
PID 1724 wrote to memory of 1452	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	31
PID 1724 wrote to memory of 1452	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	31
PID 1724 wrote to memory of 1452	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	31
PID 1724 wrote to memory of 1452	1724	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	31
PID 912 wrote to memory of 1276	912	8.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
  "C:\Users\Admin\AppData\Local\Temp\aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\8.exe
      "C:\Users\Admin\AppData\Local\Temp\8.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:912
  - - C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
      "C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\Temp\e.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\e.exe"
    3⤵
    - Executes dropped EXE
    PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
25KB

MD5
92f20eaf50a3466ecbaff86e46cd8f9a

SHA1
40b92ef5175b5ce3692ab7a54c489fefa94c6cd8

SHA256
2f85810c047c2c9bd5745c2fbc30f82c345d82dd8a9ab2ce523ebd077632b6d6

SHA512
d0c8a4ae86a6d98ed8c98a0c7bdf530c7460d891c079029b1036c74bae740c706d2df74e49b0ca93f58e6e8aecea39c591a75569458dd4378b9931726872ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
502KB

MD5
18d4d2865ad668f38528c3be82a424ab

SHA1
ad2d4e3a229b55733b741705628e6d604844ddb1

SHA256
dcfffee28b09fb92272442a7206f3f5d87ba0c8da4df1be3950b7172cb6e7232

SHA512
9a21247118dcc2f79272fa6056cf175e287ba8312e75dfd326601f36c0f7991110a6e11b47acbea69e61576577bbb5b320bb2e39faf6fc9a9c3b251806c6e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
502KB

MD5
18d4d2865ad668f38528c3be82a424ab

SHA1
ad2d4e3a229b55733b741705628e6d604844ddb1

SHA256
dcfffee28b09fb92272442a7206f3f5d87ba0c8da4df1be3950b7172cb6e7232

SHA512
9a21247118dcc2f79272fa6056cf175e287ba8312e75dfd326601f36c0f7991110a6e11b47acbea69e61576577bbb5b320bb2e39faf6fc9a9c3b251806c6e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
577KB

MD5
090f211113248f827acf9081fce995cd

SHA1
783d02d630947b4daac3a487464022604f0eac7e

SHA256
3fee75e83c51f7e61b5add690ef73329fda7cf25be5448b723ca6a0160ce7741

SHA512
8db45b622c8a39dbbb0c8560f97a3639c40bdeab615e40338f076134c4b206de531aede3c571a25b0e70fc314eb47284e14ad1b126ed2e781393bb82c71af8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\e.exe

Filesize
82KB

MD5
a637735cc3beb5182fa61b66581a5d41

SHA1
cdc26d8a8342f9d8395b0d82e58492399cdcd3da

SHA256
b447be14730611eb664b4971503985b25edf8ed9d84ae6eb1118bec2388a8793

SHA512
b327eac50e68930cf18d907878ee0a949cb6fa7caa4f535d00be79954418ec97457fdfe82977ea4a7e35beef58afb4f01e10de9490e3ad030bad5c3fc96c1037

Download Submit
\Users\Admin\AppData\Local\Temp\8.exe

Filesize
25KB

MD5
92f20eaf50a3466ecbaff86e46cd8f9a

SHA1
40b92ef5175b5ce3692ab7a54c489fefa94c6cd8

SHA256
2f85810c047c2c9bd5745c2fbc30f82c345d82dd8a9ab2ce523ebd077632b6d6

SHA512
d0c8a4ae86a6d98ed8c98a0c7bdf530c7460d891c079029b1036c74bae740c706d2df74e49b0ca93f58e6e8aecea39c591a75569458dd4378b9931726872ad65

Download Submit
\Users\Admin\AppData\Local\Temp\8.exe

Filesize
25KB

MD5
92f20eaf50a3466ecbaff86e46cd8f9a

SHA1
40b92ef5175b5ce3692ab7a54c489fefa94c6cd8

SHA256
2f85810c047c2c9bd5745c2fbc30f82c345d82dd8a9ab2ce523ebd077632b6d6

SHA512
d0c8a4ae86a6d98ed8c98a0c7bdf530c7460d891c079029b1036c74bae740c706d2df74e49b0ca93f58e6e8aecea39c591a75569458dd4378b9931726872ad65

Download Submit
\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
502KB

MD5
18d4d2865ad668f38528c3be82a424ab

SHA1
ad2d4e3a229b55733b741705628e6d604844ddb1

SHA256
dcfffee28b09fb92272442a7206f3f5d87ba0c8da4df1be3950b7172cb6e7232

SHA512
9a21247118dcc2f79272fa6056cf175e287ba8312e75dfd326601f36c0f7991110a6e11b47acbea69e61576577bbb5b320bb2e39faf6fc9a9c3b251806c6e86a

Download Submit
\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
502KB

MD5
18d4d2865ad668f38528c3be82a424ab

SHA1
ad2d4e3a229b55733b741705628e6d604844ddb1

SHA256
dcfffee28b09fb92272442a7206f3f5d87ba0c8da4df1be3950b7172cb6e7232

SHA512
9a21247118dcc2f79272fa6056cf175e287ba8312e75dfd326601f36c0f7991110a6e11b47acbea69e61576577bbb5b320bb2e39faf6fc9a9c3b251806c6e86a

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
577KB

MD5
090f211113248f827acf9081fce995cd

SHA1
783d02d630947b4daac3a487464022604f0eac7e

SHA256
3fee75e83c51f7e61b5add690ef73329fda7cf25be5448b723ca6a0160ce7741

SHA512
8db45b622c8a39dbbb0c8560f97a3639c40bdeab615e40338f076134c4b206de531aede3c571a25b0e70fc314eb47284e14ad1b126ed2e781393bb82c71af8a1

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
577KB

MD5
090f211113248f827acf9081fce995cd

SHA1
783d02d630947b4daac3a487464022604f0eac7e

SHA256
3fee75e83c51f7e61b5add690ef73329fda7cf25be5448b723ca6a0160ce7741

SHA512
8db45b622c8a39dbbb0c8560f97a3639c40bdeab615e40338f076134c4b206de531aede3c571a25b0e70fc314eb47284e14ad1b126ed2e781393bb82c71af8a1

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\e.exe

Filesize
82KB

MD5
a637735cc3beb5182fa61b66581a5d41

SHA1
cdc26d8a8342f9d8395b0d82e58492399cdcd3da

SHA256
b447be14730611eb664b4971503985b25edf8ed9d84ae6eb1118bec2388a8793

SHA512
b327eac50e68930cf18d907878ee0a949cb6fa7caa4f535d00be79954418ec97457fdfe82977ea4a7e35beef58afb4f01e10de9490e3ad030bad5c3fc96c1037

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\e.exe

Filesize
82KB

MD5
a637735cc3beb5182fa61b66581a5d41

SHA1
cdc26d8a8342f9d8395b0d82e58492399cdcd3da

SHA256
b447be14730611eb664b4971503985b25edf8ed9d84ae6eb1118bec2388a8793

SHA512
b327eac50e68930cf18d907878ee0a949cb6fa7caa4f535d00be79954418ec97457fdfe82977ea4a7e35beef58afb4f01e10de9490e3ad030bad5c3fc96c1037

Download Submit
memory/584-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/784-67-0x0000000000400000-0x00000000004199A2-memory.dmp

Filesize
102KB

Download
memory/912-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1452-81-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-106-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-76-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-79-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-78-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-126-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-82-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-96-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-94-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-92-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-90-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-88-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-86-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-84-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-125-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/1452-114-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-116-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-122-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-120-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-118-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-112-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-110-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-108-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-104-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-102-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-100-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-98-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-124-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1452-123-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/1724-73-0x0000000000400000-0x0000000000491D08-memory.dmp

Filesize
583KB

Download