joker | aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
Size

678KB
MD5

459a7c65a7356c462d338762a9a9a310
SHA1

50d6a90197394e589ced3008fe2c65abc13635b2
SHA256

aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7
SHA512

2c4054de1a040c4cb3150880e1804870973bf0e6edcecb3ef513ab76dbf69cf6051dabe67b4811f4ee91a9059170e69c8245f67cacc1d0f1ea3eae089109e82e
SSDEEP

12288:0eOtTM7xyL7Irnc9UtTsDvMLafJCqRLQn3PRvX+PghHMpH6KR5M:MtTsxSMX8MOfJCqJW/IEsI

Score

10^/10

joker infostealer trojan upx

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 4 IoCs

pid	Process
2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
2912	e.exe
4760	8.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000022e0d-139.dat	upx
behavioral2/files/0x0009000000022e17-142.dat	upx
behavioral2/files/0x000b000000022e0d-140.dat	upx
behavioral2/files/0x0009000000022e17-144.dat	upx
behavioral2/memory/4760-146-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/876-147-0x0000000000400000-0x00000000005BE000-memory.dmp	upx
behavioral2/memory/876-148-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-150-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-151-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-153-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-152-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-155-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-159-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-157-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-161-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-163-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-165-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-167-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-169-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-171-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-181-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-179-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-183-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-185-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-187-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-189-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-177-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-193-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-191-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-175-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-173-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-194-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/876-195-0x0000000000400000-0x00000000005BE000-memory.dmp	upx
behavioral2/memory/876-196-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mn.dll	8.exe
File created	C:\Windows\SysWOW64\deleteinstaller.txt	8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4648	2912	WerFault.exe	82

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\xxwg8.com	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.xxwg8.com\ = "126"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\xxwg8.com\Total = "126"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\xxwg8.com\NumberOfSubdomains = "1"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.xxwg8.com\ = "63"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\xxwg8.com	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xxwg8.com	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\xxwg8.com\Total = "63"	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 5c0000000100000004000000000800000f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c61800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405040000000100000010000000e829e65d7c4307d6fbc13c179e037a36190000000100000010000000f044424c506513d62804c04f719403f920000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 1800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6190000000100000010000000f044424c506513d62804c04f719403f9040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c60f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce5c00000001000000040000000008000020000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c61800000001000000100000002fe1f70bb05d7c92335bc5e05b984da65c000000010000000400000000080000190000000100000010000000f044424c506513d62804c04f719403f90f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a40520000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a4050f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 0f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c61800000001000000100000002fe1f70bb05d7c92335bc5e05b984da65c000000010000000400000000080000190000000100000010000000f044424c506513d62804c04f719403f9030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405040000000100000010000000e829e65d7c4307d6fbc13c179e037a3620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 190000000100000010000000f044424c506513d62804c04f719403f9040000000100000010000000e829e65d7c4307d6fbc13c179e037a36030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a4055c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da6140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c60f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce20000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4760	8.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
876	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2292	380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	87
PID 380 wrote to memory of 2292	380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	87
PID 380 wrote to memory of 2292	380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	87
PID 380 wrote to memory of 2912	380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	82
PID 380 wrote to memory of 2912	380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	82
PID 380 wrote to memory of 2912	380	aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe	82
PID 2292 wrote to memory of 4760	2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	86
PID 2292 wrote to memory of 4760	2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	86
PID 2292 wrote to memory of 4760	2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	86
PID 4760 wrote to memory of 512	4760	8.exe	40
PID 2292 wrote to memory of 876	2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	84
PID 2292 wrote to memory of 876	2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	84
PID 2292 wrote to memory of 876	2292	CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe
  "C:\Users\Admin\AppData\Local\Temp\aacf3d4a52d20f71a8f5a78505145d24fe378b23aa2008fb0197557ca28a1ac7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\Temp\e.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\e.exe"
    3⤵
    - Executes dropped EXE
    PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 216
      4⤵
      Program crash
      PID:4648
- - C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2912 -ip 2912
1⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe
"C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:876

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
25KB

MD5
92f20eaf50a3466ecbaff86e46cd8f9a

SHA1
40b92ef5175b5ce3692ab7a54c489fefa94c6cd8

SHA256
2f85810c047c2c9bd5745c2fbc30f82c345d82dd8a9ab2ce523ebd077632b6d6

SHA512
d0c8a4ae86a6d98ed8c98a0c7bdf530c7460d891c079029b1036c74bae740c706d2df74e49b0ca93f58e6e8aecea39c591a75569458dd4378b9931726872ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
25KB

MD5
92f20eaf50a3466ecbaff86e46cd8f9a

SHA1
40b92ef5175b5ce3692ab7a54c489fefa94c6cd8

SHA256
2f85810c047c2c9bd5745c2fbc30f82c345d82dd8a9ab2ce523ebd077632b6d6

SHA512
d0c8a4ae86a6d98ed8c98a0c7bdf530c7460d891c079029b1036c74bae740c706d2df74e49b0ca93f58e6e8aecea39c591a75569458dd4378b9931726872ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
502KB

MD5
18d4d2865ad668f38528c3be82a424ab

SHA1
ad2d4e3a229b55733b741705628e6d604844ddb1

SHA256
dcfffee28b09fb92272442a7206f3f5d87ba0c8da4df1be3950b7172cb6e7232

SHA512
9a21247118dcc2f79272fa6056cf175e287ba8312e75dfd326601f36c0f7991110a6e11b47acbea69e61576577bbb5b320bb2e39faf6fc9a9c3b251806c6e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
502KB

MD5
18d4d2865ad668f38528c3be82a424ab

SHA1
ad2d4e3a229b55733b741705628e6d604844ddb1

SHA256
dcfffee28b09fb92272442a7206f3f5d87ba0c8da4df1be3950b7172cb6e7232

SHA512
9a21247118dcc2f79272fa6056cf175e287ba8312e75dfd326601f36c0f7991110a6e11b47acbea69e61576577bbb5b320bb2e39faf6fc9a9c3b251806c6e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
577KB

MD5
090f211113248f827acf9081fce995cd

SHA1
783d02d630947b4daac3a487464022604f0eac7e

SHA256
3fee75e83c51f7e61b5add690ef73329fda7cf25be5448b723ca6a0160ce7741

SHA512
8db45b622c8a39dbbb0c8560f97a3639c40bdeab615e40338f076134c4b206de531aede3c571a25b0e70fc314eb47284e14ad1b126ed2e781393bb82c71af8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\CFÌìÉñ¸¨Öú¹¤¾ß0327°æSP1.exe

Filesize
577KB

MD5
090f211113248f827acf9081fce995cd

SHA1
783d02d630947b4daac3a487464022604f0eac7e

SHA256
3fee75e83c51f7e61b5add690ef73329fda7cf25be5448b723ca6a0160ce7741

SHA512
8db45b622c8a39dbbb0c8560f97a3639c40bdeab615e40338f076134c4b206de531aede3c571a25b0e70fc314eb47284e14ad1b126ed2e781393bb82c71af8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\e.exe

Filesize
82KB

MD5
a637735cc3beb5182fa61b66581a5d41

SHA1
cdc26d8a8342f9d8395b0d82e58492399cdcd3da

SHA256
b447be14730611eb664b4971503985b25edf8ed9d84ae6eb1118bec2388a8793

SHA512
b327eac50e68930cf18d907878ee0a949cb6fa7caa4f535d00be79954418ec97457fdfe82977ea4a7e35beef58afb4f01e10de9490e3ad030bad5c3fc96c1037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\e.exe

Filesize
82KB

MD5
a637735cc3beb5182fa61b66581a5d41

SHA1
cdc26d8a8342f9d8395b0d82e58492399cdcd3da

SHA256
b447be14730611eb664b4971503985b25edf8ed9d84ae6eb1118bec2388a8793

SHA512
b327eac50e68930cf18d907878ee0a949cb6fa7caa4f535d00be79954418ec97457fdfe82977ea4a7e35beef58afb4f01e10de9490e3ad030bad5c3fc96c1037

Download Submit
memory/876-185-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-163-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-196-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-195-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/876-194-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-173-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-147-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/876-148-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-150-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-151-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-153-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-152-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-155-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-159-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-157-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-161-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-175-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-165-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-167-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-169-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-171-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-181-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-179-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-183-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-191-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-187-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-189-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-177-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/876-193-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2292-143-0x0000000000400000-0x0000000000491D08-memory.dmp

Filesize
583KB

Download
memory/2912-145-0x0000000000400000-0x00000000004199A2-memory.dmp

Filesize
102KB

Download
memory/4760-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download