dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe
Size

125KB
MD5

ab17416207cde89fc2c45e806700cfa0
SHA1

5cbd44c53520cc632989ba6f3e865438ddb2d776
SHA256

dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d
SHA512

f2f49157d3f748401a06f386807625e3bd8d79e8f3fec470c4336f0e8bb376e19df9e1adad48c9fd9e9bedbe4bc43cfd88de1e4b0b60c542454540ffc1983b72
SSDEEP

1536:kyXNFR9JM78SeBcKifBQI1+hlczhE+eCqWC3MyVVw/LTK2hLV+AmqWf:bzk8SpK2qI1/hiWDyEq2hLV+AC

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

calendar_lua_2449.exe

description ioc process

File created C:\Windows\system32\drivers\CDTimeProtect.sys calendar_lua_2449.exe
Executes dropped EXE 5 IoCs

Processes:

calendar_lua_2449.exeDtlTimeServices.exeCalendarMain.exeDtlTimeSvr.exeInternetTime.exe

pid process

1100 calendar_lua_2449.exe
1764 DtlTimeServices.exe
632 CalendarMain.exe
1320 DtlTimeSvr.exe
1600 InternetTime.exe

description	ioc	process
File created	C:\Windows\system32\drivers\CDTimeProtect.sys	calendar_lua_2449.exe

pid	process
1100	calendar_lua_2449.exe
1764	DtlTimeServices.exe
632	CalendarMain.exe
1320	DtlTimeSvr.exe
1600	InternetTime.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

calendar_lua_2449.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CalendarDriver\ImagePath = "\\SystemRoot\\system32\\drivers\\CDTimeProtect.sys"	calendar_lua_2449.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe	upx
C:\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe	upx
behavioral1/memory/1100-59-0x0000000000A00000-0x0000000001CAB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe	upx
behavioral1/memory/1100-107-0x0000000000A00000-0x0000000001CAB000-memory.dmp	upx
behavioral1/memory/1100-114-0x0000000000A00000-0x0000000001CAB000-memory.dmp	upx

Loads dropped DLL 25 IoCs

Processes:

dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.execalendar_lua_2449.exeCalendarMain.exeInternetTime.exeDtlTimeSvr.exe

pid	process
1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
632	CalendarMain.exe
632	CalendarMain.exe
632	CalendarMain.exe
632	CalendarMain.exe
632	CalendarMain.exe
632	CalendarMain.exe
632	CalendarMain.exe
1100	calendar_lua_2449.exe
632	CalendarMain.exe
632	CalendarMain.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1600	InternetTime.exe
1320	DtlTimeSvr.exe
1320	DtlTimeSvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

calendar_lua_2449.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	calendar_lua_2449.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dtlCalendar = "\"C:\\Program Files (x86)\\DTLSoft\\rili\\CalendarMain.exe\" /start"	calendar_lua_2449.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

DtlTimeSvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F	DtlTimeSvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_AA0282298B2709BDB3EAEC793B69D5D2	DtlTimeSvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_AA0282298B2709BDB3EAEC793B69D5D2	DtlTimeSvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	DtlTimeSvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	DtlTimeSvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F	DtlTimeSvr.exe

Drops file in Program Files directory 64 IoCs

Processes:

calendar_lua_2449.exeDtlTimeServices.exe

description	ioc	process
File created	C:\Program Files (x86)\DTLSoft\rili\substat.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\uninstall.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\Uninst.dar1	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\lock1_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\bind\HTTPDownloadUI.exe	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Summer\lock2_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\topmost1_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\font_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\lock1_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\City.db	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\AffRemind.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\lock2_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\topmost2_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\yiji.db	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\CommonWebExternal.exe	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\bind\HttpDownloadHelper.exe	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\MyTheme.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\QPreview.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\del_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\templates.xml	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\menu_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\HttpDown.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\SkinBase.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\tipsdll.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\DtlTimeSvr.exe	DtlTimeServices.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\sheepskin\ClearBQ.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\lock2_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\topmost2_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\topmost2_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\add_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\ClearBQ.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\font_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\has_remind_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Summer\lock1_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Autumn\lock2_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\sheepskin\topmost2_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\topmost2_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Heart\ClearBQ.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\ClearBQ.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\WhatIsNew.txt	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\Updater\DTLUpg.exe	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\lock1_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\InstallDevice.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\close_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\lock1_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\topmost1_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Winter\topmost1_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\HistoryToday.db	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\Plugin\res.rdb	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\usbdetect.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Spring\ClearBQ.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\lock1_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Lovely\del_icon.png	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Heart\has_remind_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\Calendar64.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\uninsthlp.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\CalendarProtect.dllx64	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\res\AppFrame\waiting.gif	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Summer\close_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\Rltcp.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\CalendarDesktop.dll	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\MonitorKey.dll	calendar_lua_2449.exe
File opened for modification	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Heart\lock1_icon.png	calendar_lua_2449.exe
File created	C:\Program Files (x86)\DTLSoft\rili\data\BianQian\res\Autumn\topmost1_icon.png	calendar_lua_2449.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

calendar_lua_2449.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\CalendarMain.exe = "9000"	calendar_lua_2449.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

DtlTimeSvr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DtlTimeSvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DtlTimeSvr.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DtlTimeSvr.execalendar_lua_2449.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	DtlTimeSvr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	DtlTimeSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	calendar_lua_2449.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	calendar_lua_2449.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	calendar_lua_2449.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

calendar_lua_2449.exe

pid process

1100 calendar_lua_2449.exe
1100 calendar_lua_2449.exe
1100 calendar_lua_2449.exe
1100 calendar_lua_2449.exe
1100 calendar_lua_2449.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

InternetTime.exeDtlTimeSvr.exe

description pid process

Token: SeSystemtimePrivilege 1600 InternetTime.exe
Token: SeSystemtimePrivilege 1320 DtlTimeSvr.exe

pid	process
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe
1100	calendar_lua_2449.exe

pid	process
464

description	pid	process
Token: SeSystemtimePrivilege	1600	InternetTime.exe
Token: SeSystemtimePrivilege	1320	DtlTimeSvr.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.execalendar_lua_2449.exe

description	pid	process	target process
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1340 wrote to memory of 1100	1340	dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe	calendar_lua_2449.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1472	1100	calendar_lua_2449.exe	regsvr32.exe
PID 1100 wrote to memory of 1764	1100	calendar_lua_2449.exe	DtlTimeServices.exe
PID 1100 wrote to memory of 1764	1100	calendar_lua_2449.exe	DtlTimeServices.exe
PID 1100 wrote to memory of 1764	1100	calendar_lua_2449.exe	DtlTimeServices.exe
PID 1100 wrote to memory of 1764	1100	calendar_lua_2449.exe	DtlTimeServices.exe
PID 1100 wrote to memory of 632	1100	calendar_lua_2449.exe	CalendarMain.exe
PID 1100 wrote to memory of 632	1100	calendar_lua_2449.exe	CalendarMain.exe
PID 1100 wrote to memory of 632	1100	calendar_lua_2449.exe	CalendarMain.exe
PID 1100 wrote to memory of 632	1100	calendar_lua_2449.exe	CalendarMain.exe
PID 1100 wrote to memory of 1600	1100	calendar_lua_2449.exe	InternetTime.exe
PID 1100 wrote to memory of 1600	1100	calendar_lua_2449.exe	InternetTime.exe
PID 1100 wrote to memory of 1600	1100	calendar_lua_2449.exe	InternetTime.exe
PID 1100 wrote to memory of 1600	1100	calendar_lua_2449.exe	InternetTime.exe

C:\Users\Admin\AppData\Local\Temp\dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe
"C:\Users\Admin\AppData\Local\Temp\dbfcbabd95af3dee2c98d93ea34d8b036cf3060e71a22b3f79c7fad64aa75f1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe
"C:\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s -u "C:\ProgramData\DtlCalendar\CalendarDesktop64.dll"
3⤵
PID:1472

C:\Program Files (x86)\DTLSoft\rili\CalendarMain.exe
"C:\Program Files (x86)\DTLSoft\rili\CalendarMain.exe" /start /silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632

C:\Program Files (x86)\DTLSoft\rili\DtlTimeServices.exe
"C:\Program Files (x86)\DTLSoft\rili\DtlTimeServices.exe" -i
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1764

C:\Program Files (x86)\DTLSoft\rili\InternetTime.exe
"C:\Program Files (x86)\DTLSoft\rili\InternetTime.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files (x86)\DTLSoft\rili\DtlTimeSvr.exe
"C:\Program Files (x86)\DTLSoft\rili\DtlTimeSvr.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DTLSoft\rili\CalendarDesktop.dll
Filesize
158KB

MD5
5ff1378e1f259414ddc4f3e9190cbe76

SHA1
3c8ea773ee54513f7cd0ff132cb78b054b00f3b9

SHA256
79bf1c7d2af88c539c904562d61902bea1463eb64319a3fe9b3f76938430bf16

SHA512
668d279a9c55b8d72406cfd18de516dded41fd14a457e340dfb3b69c74142eb2076fe9f4ce35d4388408a94c8c46f5ca0ee0b7b990d1a53f43ca00ec7198dce8

Download Submit
C:\Program Files (x86)\DTLSoft\rili\CalendarMain.exe
Filesize
2.7MB

MD5
3acb7ff9e6a475df5695b07f2cde75aa

SHA1
653a53185588673accb4f453d158f2aa65c37aae

SHA256
ab9b5850b6a69fa11c31f520efbd23c62a6b07cabbc8f452a1dd6e54dc8650db

SHA512
c1d784867c83c47c05352ed84c8e20267e990d68db84172f8c99aebe0c2cbf9148c2aaffe0f1dce20f4f98977666a7e2387a1c804aaa050cbac2665bbc536233

Download Submit
C:\Program Files (x86)\DTLSoft\rili\CheckProtect.dll
Filesize
62KB

MD5
f3b27e6c673fc684b0ca69dc785d70b5

SHA1
727d71ea4892494d49de1a6b8e225575b8c748c8

SHA256
2c782cb3cece3b64cbe081ed1b1a99368d7123a9e238cdb1faba6815df0e321c

SHA512
14304cd79484d2c14e89f03feb870cfcd52ea4bef0f15e13c2fb5c829a514059795c4ed2fd3ca57ed1c803bf159e8a2d02c5c0bb0aa7d58a85be2522629efd78

Download Submit
C:\Program Files (x86)\DTLSoft\rili\DtlCrashCatch.dll
Filesize
167KB

MD5
17af7ff058d1fdacda2f6154863ef516

SHA1
b3e1462137e266f8200fdfb27843be55971d6ef5

SHA256
0a0352c85eea25c70b232c482e562a396538025441eca3c80fd406a240ea50ce

SHA512
fd60cb81f81173eb1b4a695fc42c03568003e94341c7ec7dfcbd0dfd3a51a72060b49c6e5f1136438e8643d6a61b2921e4b0baa5569dbdbe6ce69b5736f3e6f9

Download Submit
C:\Program Files (x86)\DTLSoft\rili\DtlTimeServices.exe
Filesize
75KB

MD5
cd84009636825961e519d26cea05515a

SHA1
0b049be9cbaaa9f06808c1ec119ed04ad4229f8e

SHA256
4b94ada97afa96a9475e75660e279a7320eb4435d3f15f9d03366f313384d2b9

SHA512
44d4080fb81442d1a4480cb2926b70aed9a8074fa14d25ef4969c43ea4481d3aa632b06d594f7705e6d2c8e6b1322af5b9207e47ed80dd14985d16bb81d6e161

Download Submit
C:\Program Files (x86)\DTLSoft\rili\DtlTimeServices.exe
Filesize
75KB

MD5
cd84009636825961e519d26cea05515a

SHA1
0b049be9cbaaa9f06808c1ec119ed04ad4229f8e

SHA256
4b94ada97afa96a9475e75660e279a7320eb4435d3f15f9d03366f313384d2b9

SHA512
44d4080fb81442d1a4480cb2926b70aed9a8074fa14d25ef4969c43ea4481d3aa632b06d594f7705e6d2c8e6b1322af5b9207e47ed80dd14985d16bb81d6e161

Download Submit
C:\Program Files (x86)\DTLSoft\rili\DtlTimeSvr.exe
Filesize
75KB

MD5
cd84009636825961e519d26cea05515a

SHA1
0b049be9cbaaa9f06808c1ec119ed04ad4229f8e

SHA256
4b94ada97afa96a9475e75660e279a7320eb4435d3f15f9d03366f313384d2b9

SHA512
44d4080fb81442d1a4480cb2926b70aed9a8074fa14d25ef4969c43ea4481d3aa632b06d594f7705e6d2c8e6b1322af5b9207e47ed80dd14985d16bb81d6e161

Download Submit
C:\Program Files (x86)\DTLSoft\rili\DtlTimeSvr.exe
Filesize
75KB

MD5
cd84009636825961e519d26cea05515a

SHA1
0b049be9cbaaa9f06808c1ec119ed04ad4229f8e

SHA256
4b94ada97afa96a9475e75660e279a7320eb4435d3f15f9d03366f313384d2b9

SHA512
44d4080fb81442d1a4480cb2926b70aed9a8074fa14d25ef4969c43ea4481d3aa632b06d594f7705e6d2c8e6b1322af5b9207e47ed80dd14985d16bb81d6e161

Download Submit
C:\Program Files (x86)\DTLSoft\rili\InternetTime.exe
Filesize
116KB

MD5
48530467ab049ad10d3e0b86d9db53de

SHA1
897aff68b3e2f1a9ce8ca30571c80a42cdfa227d

SHA256
69552a3d251c42f9f3278ff3e9248b4513e3c958cc43bdac926af7f2cfb1160d

SHA512
f7d2ed7a81b28de5929727ef3f0784cf678ec68029bfc45f9c8e0022703e78132844fc0cfef4237ce7ecf5ff0022a3d6c34953ef277892902f2193812d51fd18

Download Submit
C:\Program Files (x86)\DTLSoft\rili\RICHED20.dll
Filesize
942KB

MD5
450013df2b53104a350b43e835f41dd3

SHA1
f8d4159a56c296e80eeea566e33826cd5c525c8b

SHA256
d6af2634bc867aaf7ed034458dca5afb98c5312465dd158497f3a2e4b60a25f5

SHA512
ffab730ccbf312f86d31f31465cfd32bb32a145edb5d5150a07167ab19127110d35c6913612e08e59b23d9821aa0f759d575f37c6667f651b996a53da706f96a

Download Submit
C:\Program Files (x86)\DTLSoft\rili\Rltcp.dll
Filesize
83KB

MD5
ffb1ba7acda13291a9a09e84aad7ea99

SHA1
854ff64e64f65863caf96cc825f00feaa001abbd

SHA256
b540a50d6e5b8e04213d01f36df09daca66bba97aa6bc0ffd540b72573946ce8

SHA512
f9d75288ad94ebe7aed2a6a0499ac4b54b72ad891ad6332f059962389b215420a0aa827c5fc08acfb969701391afa95dc0c6ad57d502d30620708a35006000fb

Download Submit
C:\Program Files (x86)\DTLSoft\rili\SkinBase.dll
Filesize
131KB

MD5
027e17a24cad1464a3de3c94d82175d2

SHA1
40899656bcfc0df58ba6f256c63d12f276fdc2ab

SHA256
aed1566b1d451ad44a859f86d0120a1cb9b555e2a0605fac6dd705d166548d67

SHA512
ee72dfb23c5d4eb71de1f5f6e3ed559218da565af8c6c95c71a0c33cfc7442ea20dd5d5394275161ae9737cecec7a5be0a00b9dd45622b3912533a85a3701eda

Download Submit
C:\Program Files (x86)\DTLSoft\rili\pcid.dll
Filesize
118KB

MD5
2d42bba0fa21bc94192ff2db34db0401

SHA1
69a589a17a5f69bfe411e8141a23bc1e311e368c

SHA256
e612fdf205335cac5cacdd89922fbf724229794af4cdbeb46e69e199f75ef14b

SHA512
71d78ff8a17db79a28110b03f9b535ac8a197d443bed6374810652e723528ca6a090bba94e136bc70d1c334f1f72b0187400716e327f6217330f6a336dedea5f

Download Submit
C:\Program Files (x86)\DTLSoft\rili\sqlite3.dll
Filesize
706KB

MD5
ef02bac41866db445a6a6217b84c3ac8

SHA1
b5ffdabe536e78705712cc7f65bfbc98e5ea74e8

SHA256
d4c246ddcebc6f6d707a65e405d3bf8960554bda35e0f3af61dc2de69d1b0940

SHA512
0b2097f1c4f282f3df1bdf266e619ebbf6ee83d8e44e90090d284ac25ce62df92c05b64fd0af83c62f2bbf8e9fbfe8e9920e312ce2f34741c025c66d6647e2cc

Download Submit
C:\Program Files (x86)\DTLSoft\rili\substat.dll
Filesize
158KB

MD5
7066909662c4b3897267df3c04f00610

SHA1
cfa696f165e1d2c5ec65d5b5f12cda8413b990a6

SHA256
1189cfead006c8ea9700f645fd05ee7cb1b0877260e67a25f412a2fbadc7f8a8

SHA512
3ed562afabdc05204d97f9d234b54a61cf610c3184b8158a74bc242234f7c4b108f1576d6aa651ef8f76db75cea40a33a5f417ca8bff0ebdae7917d60564de95

Download Submit
C:\Program Files (x86)\DTLSoft\rili\udp.dll
Filesize
154KB

MD5
b4f5149193b3a09c502fb07424f3a779

SHA1
49af3cdaf87638e607044603e6f83567dd8c6279

SHA256
6dec67d582599bd4a4f011b7d6836681d76838f87e81e07733212f74473afe0d

SHA512
4c18be6f6ef8103a02d1dbb6f3c3b158779cde95e0e41202ed7a00072fd8d8b906fb268b14c70ebb6931c02a81570cc19ad712c5c3d56e0ebcc9a27683526fe9

Download Submit
C:\Program Files (x86)\DTLSoft\rili\updater\checkupdate.dll
Filesize
250KB

MD5
7ea22ba60a5a634903f1c7809de9ae51

SHA1
da0e48d09cbc40d52441f87244dacb7dab04b9c6

SHA256
8fb4aeb9c1a80b5fe57cf281ebfc77bb2bce740de7f04583f609c539ba13404d

SHA512
65c3c83e11da60258baa19ac455319c7124f49e0a1e4c3362a8b083a43a6edd0edf93e4b7159893a4247af3e5e8cba89cffa1865a065d2ee68a9afa6843d217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe
Filesize
9.3MB

MD5
77cee1f24c7157198c482271c3b79123

SHA1
0f09a252794ed8c8e0cf1be782255e42b54260b8

SHA256
24c0062ec77a25ab227b3f092b43175da598cd075df1acd9d6b3f7c808fb07fd

SHA512
690192f1580ffaf962241a5aaeb416d3097295fbda329b3e60cc0718e9068802fab6f23d6f115b9c8f46d7e21254b0945903647349511a4960060df2b3f97796

Download Submit
C:\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe
Filesize
9.3MB

MD5
77cee1f24c7157198c482271c3b79123

SHA1
0f09a252794ed8c8e0cf1be782255e42b54260b8

SHA256
24c0062ec77a25ab227b3f092b43175da598cd075df1acd9d6b3f7c808fb07fd

SHA512
690192f1580ffaf962241a5aaeb416d3097295fbda329b3e60cc0718e9068802fab6f23d6f115b9c8f46d7e21254b0945903647349511a4960060df2b3f97796

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarDesktop.dll
Filesize
158KB

MD5
5ff1378e1f259414ddc4f3e9190cbe76

SHA1
3c8ea773ee54513f7cd0ff132cb78b054b00f3b9

SHA256
79bf1c7d2af88c539c904562d61902bea1463eb64319a3fe9b3f76938430bf16

SHA512
668d279a9c55b8d72406cfd18de516dded41fd14a457e340dfb3b69c74142eb2076fe9f4ce35d4388408a94c8c46f5ca0ee0b7b990d1a53f43ca00ec7198dce8

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarDesktop.dll
Filesize
158KB

MD5
5ff1378e1f259414ddc4f3e9190cbe76

SHA1
3c8ea773ee54513f7cd0ff132cb78b054b00f3b9

SHA256
79bf1c7d2af88c539c904562d61902bea1463eb64319a3fe9b3f76938430bf16

SHA512
668d279a9c55b8d72406cfd18de516dded41fd14a457e340dfb3b69c74142eb2076fe9f4ce35d4388408a94c8c46f5ca0ee0b7b990d1a53f43ca00ec7198dce8

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarMain.exe
Filesize
2.7MB

MD5
3acb7ff9e6a475df5695b07f2cde75aa

SHA1
653a53185588673accb4f453d158f2aa65c37aae

SHA256
ab9b5850b6a69fa11c31f520efbd23c62a6b07cabbc8f452a1dd6e54dc8650db

SHA512
c1d784867c83c47c05352ed84c8e20267e990d68db84172f8c99aebe0c2cbf9148c2aaffe0f1dce20f4f98977666a7e2387a1c804aaa050cbac2665bbc536233

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarMain.exe
Filesize
2.7MB

MD5
3acb7ff9e6a475df5695b07f2cde75aa

SHA1
653a53185588673accb4f453d158f2aa65c37aae

SHA256
ab9b5850b6a69fa11c31f520efbd23c62a6b07cabbc8f452a1dd6e54dc8650db

SHA512
c1d784867c83c47c05352ed84c8e20267e990d68db84172f8c99aebe0c2cbf9148c2aaffe0f1dce20f4f98977666a7e2387a1c804aaa050cbac2665bbc536233

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarMain.exe
Filesize
2.7MB

MD5
3acb7ff9e6a475df5695b07f2cde75aa

SHA1
653a53185588673accb4f453d158f2aa65c37aae

SHA256
ab9b5850b6a69fa11c31f520efbd23c62a6b07cabbc8f452a1dd6e54dc8650db

SHA512
c1d784867c83c47c05352ed84c8e20267e990d68db84172f8c99aebe0c2cbf9148c2aaffe0f1dce20f4f98977666a7e2387a1c804aaa050cbac2665bbc536233

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarMain.exe
Filesize
2.7MB

MD5
3acb7ff9e6a475df5695b07f2cde75aa

SHA1
653a53185588673accb4f453d158f2aa65c37aae

SHA256
ab9b5850b6a69fa11c31f520efbd23c62a6b07cabbc8f452a1dd6e54dc8650db

SHA512
c1d784867c83c47c05352ed84c8e20267e990d68db84172f8c99aebe0c2cbf9148c2aaffe0f1dce20f4f98977666a7e2387a1c804aaa050cbac2665bbc536233

Download Submit
\Program Files (x86)\DTLSoft\rili\CalendarProtect.dll
Filesize
261KB

MD5
2e12ce048230e72d04b822f7afe22569

SHA1
d9520b2fc5a4d9667cbe3f8922e3ad6df2142b7d

SHA256
6a5017a5a5abc1debc2a9dd4ed471584fdceb38b8d5f8ae1358d7206c867e21c

SHA512
6bb7168cce2b80e47d6555bc210a1fdc6db789020cf084ea6e9e5191ede5fb369b669f0cf57d523d049afb98c3b1d5f055c7231eac4a5887648547ff83734354

Download Submit
\Program Files (x86)\DTLSoft\rili\CheckProtect.dll
Filesize
62KB

MD5
f3b27e6c673fc684b0ca69dc785d70b5

SHA1
727d71ea4892494d49de1a6b8e225575b8c748c8

SHA256
2c782cb3cece3b64cbe081ed1b1a99368d7123a9e238cdb1faba6815df0e321c

SHA512
14304cd79484d2c14e89f03feb870cfcd52ea4bef0f15e13c2fb5c829a514059795c4ed2fd3ca57ed1c803bf159e8a2d02c5c0bb0aa7d58a85be2522629efd78

Download Submit
\Program Files (x86)\DTLSoft\rili\DtlCrashCatch.dll
Filesize
167KB

MD5
17af7ff058d1fdacda2f6154863ef516

SHA1
b3e1462137e266f8200fdfb27843be55971d6ef5

SHA256
0a0352c85eea25c70b232c482e562a396538025441eca3c80fd406a240ea50ce

SHA512
fd60cb81f81173eb1b4a695fc42c03568003e94341c7ec7dfcbd0dfd3a51a72060b49c6e5f1136438e8643d6a61b2921e4b0baa5569dbdbe6ce69b5736f3e6f9

Download Submit
\Program Files (x86)\DTLSoft\rili\DtlTimeServices.exe
Filesize
75KB

MD5
cd84009636825961e519d26cea05515a

SHA1
0b049be9cbaaa9f06808c1ec119ed04ad4229f8e

SHA256
4b94ada97afa96a9475e75660e279a7320eb4435d3f15f9d03366f313384d2b9

SHA512
44d4080fb81442d1a4480cb2926b70aed9a8074fa14d25ef4969c43ea4481d3aa632b06d594f7705e6d2c8e6b1322af5b9207e47ed80dd14985d16bb81d6e161

Download Submit
\Program Files (x86)\DTLSoft\rili\InternetTime.exe
Filesize
116KB

MD5
48530467ab049ad10d3e0b86d9db53de

SHA1
897aff68b3e2f1a9ce8ca30571c80a42cdfa227d

SHA256
69552a3d251c42f9f3278ff3e9248b4513e3c958cc43bdac926af7f2cfb1160d

SHA512
f7d2ed7a81b28de5929727ef3f0784cf678ec68029bfc45f9c8e0022703e78132844fc0cfef4237ce7ecf5ff0022a3d6c34953ef277892902f2193812d51fd18

Download Submit
\Program Files (x86)\DTLSoft\rili\RICHED20.DLL
Filesize
942KB

MD5
450013df2b53104a350b43e835f41dd3

SHA1
f8d4159a56c296e80eeea566e33826cd5c525c8b

SHA256
d6af2634bc867aaf7ed034458dca5afb98c5312465dd158497f3a2e4b60a25f5

SHA512
ffab730ccbf312f86d31f31465cfd32bb32a145edb5d5150a07167ab19127110d35c6913612e08e59b23d9821aa0f759d575f37c6667f651b996a53da706f96a

Download Submit
\Program Files (x86)\DTLSoft\rili\Rltcp.dll
Filesize
83KB

MD5
ffb1ba7acda13291a9a09e84aad7ea99

SHA1
854ff64e64f65863caf96cc825f00feaa001abbd

SHA256
b540a50d6e5b8e04213d01f36df09daca66bba97aa6bc0ffd540b72573946ce8

SHA512
f9d75288ad94ebe7aed2a6a0499ac4b54b72ad891ad6332f059962389b215420a0aa827c5fc08acfb969701391afa95dc0c6ad57d502d30620708a35006000fb

Download Submit
\Program Files (x86)\DTLSoft\rili\Rltcp.dll
Filesize
83KB

MD5
ffb1ba7acda13291a9a09e84aad7ea99

SHA1
854ff64e64f65863caf96cc825f00feaa001abbd

SHA256
b540a50d6e5b8e04213d01f36df09daca66bba97aa6bc0ffd540b72573946ce8

SHA512
f9d75288ad94ebe7aed2a6a0499ac4b54b72ad891ad6332f059962389b215420a0aa827c5fc08acfb969701391afa95dc0c6ad57d502d30620708a35006000fb

Download Submit
\Program Files (x86)\DTLSoft\rili\SkinBase.dll
Filesize
131KB

MD5
027e17a24cad1464a3de3c94d82175d2

SHA1
40899656bcfc0df58ba6f256c63d12f276fdc2ab

SHA256
aed1566b1d451ad44a859f86d0120a1cb9b555e2a0605fac6dd705d166548d67

SHA512
ee72dfb23c5d4eb71de1f5f6e3ed559218da565af8c6c95c71a0c33cfc7442ea20dd5d5394275161ae9737cecec7a5be0a00b9dd45622b3912533a85a3701eda

Download Submit
\Program Files (x86)\DTLSoft\rili\Uninstall.exe
Filesize
764KB

MD5
101478af9f149b4547d5ee01f093f438

SHA1
1475c724ee92f59c94b706bc8f7f9a6d38f577da

SHA256
218167561286982c6143aa940ed70992706487949eb5bb404e26d1e0eb881a73

SHA512
96d9aa29d9eaea53f8f6de6c1e5792c7f6af20d38b67318112541559aa8ae947e60a9864ec82e8c29463e93fd9c8fb5311e7352d9a9833566c339f4a5bf4bc2f

Download Submit
\Program Files (x86)\DTLSoft\rili\Updater\CheckUpdate.dll
Filesize
250KB

MD5
7ea22ba60a5a634903f1c7809de9ae51

SHA1
da0e48d09cbc40d52441f87244dacb7dab04b9c6

SHA256
8fb4aeb9c1a80b5fe57cf281ebfc77bb2bce740de7f04583f609c539ba13404d

SHA512
65c3c83e11da60258baa19ac455319c7124f49e0a1e4c3362a8b083a43a6edd0edf93e4b7159893a4247af3e5e8cba89cffa1865a065d2ee68a9afa6843d217d

Download Submit
\Program Files (x86)\DTLSoft\rili\pcid.dll
Filesize
118KB

MD5
2d42bba0fa21bc94192ff2db34db0401

SHA1
69a589a17a5f69bfe411e8141a23bc1e311e368c

SHA256
e612fdf205335cac5cacdd89922fbf724229794af4cdbeb46e69e199f75ef14b

SHA512
71d78ff8a17db79a28110b03f9b535ac8a197d443bed6374810652e723528ca6a090bba94e136bc70d1c334f1f72b0187400716e327f6217330f6a336dedea5f

Download Submit
\Program Files (x86)\DTLSoft\rili\sqlite3.dll
Filesize
706KB

MD5
ef02bac41866db445a6a6217b84c3ac8

SHA1
b5ffdabe536e78705712cc7f65bfbc98e5ea74e8

SHA256
d4c246ddcebc6f6d707a65e405d3bf8960554bda35e0f3af61dc2de69d1b0940

SHA512
0b2097f1c4f282f3df1bdf266e619ebbf6ee83d8e44e90090d284ac25ce62df92c05b64fd0af83c62f2bbf8e9fbfe8e9920e312ce2f34741c025c66d6647e2cc

Download Submit
\Program Files (x86)\DTLSoft\rili\substat.dll
Filesize
158KB

MD5
7066909662c4b3897267df3c04f00610

SHA1
cfa696f165e1d2c5ec65d5b5f12cda8413b990a6

SHA256
1189cfead006c8ea9700f645fd05ee7cb1b0877260e67a25f412a2fbadc7f8a8

SHA512
3ed562afabdc05204d97f9d234b54a61cf610c3184b8158a74bc242234f7c4b108f1576d6aa651ef8f76db75cea40a33a5f417ca8bff0ebdae7917d60564de95

Download Submit
\Program Files (x86)\DTLSoft\rili\substat.dll
Filesize
158KB

MD5
7066909662c4b3897267df3c04f00610

SHA1
cfa696f165e1d2c5ec65d5b5f12cda8413b990a6

SHA256
1189cfead006c8ea9700f645fd05ee7cb1b0877260e67a25f412a2fbadc7f8a8

SHA512
3ed562afabdc05204d97f9d234b54a61cf610c3184b8158a74bc242234f7c4b108f1576d6aa651ef8f76db75cea40a33a5f417ca8bff0ebdae7917d60564de95

Download Submit
\Program Files (x86)\DTLSoft\rili\udp.dll
Filesize
154KB

MD5
b4f5149193b3a09c502fb07424f3a779

SHA1
49af3cdaf87638e607044603e6f83567dd8c6279

SHA256
6dec67d582599bd4a4f011b7d6836681d76838f87e81e07733212f74473afe0d

SHA512
4c18be6f6ef8103a02d1dbb6f3c3b158779cde95e0e41202ed7a00072fd8d8b906fb268b14c70ebb6931c02a81570cc19ad712c5c3d56e0ebcc9a27683526fe9

Download Submit
\Program Files (x86)\DTLSoft\rili\uninstall.dll
Filesize
478KB

MD5
8ab3c1a2717c90506e7a0971e7055059

SHA1
930017711bdfbf7b9b7e4c678d02965737d6df6a

SHA256
7f98d88100015fe11d06354de09a9b172648543f2d73b0d38587246df16e5dbe

SHA512
cb852b9aabc7e2e78d0ed517c8209c203727282b2f5eb73638d6727751fa0e3af8d2b8b8de008a469c3f5c15ba28c7059d0909d67c2195d4ec8c923d3c0ce64c

Download Submit
\Program Files (x86)\DTLSoft\rili\uninsthlp.dll
Filesize
82KB

MD5
54d1cd07effea587cc47b5db365d662b

SHA1
3d396a1b82ea60a699c5553055d25614ed514873

SHA256
bed1fbfbe4db7453a941204a00c6d0251a6052a052e5d40ba40d2eca4413eefe

SHA512
c93aab9f7d3a706d22cec828f395646c66dbb64a1a17ee49516bac371e41ead7c6a721553bd696fa97ba45850c4a7f0f493031ceb58f9f81d8f4cac2034a521e

Download Submit
\Users\Admin\AppData\Local\Temp\calendar_lua_2449.exe
Filesize
9.3MB

MD5
77cee1f24c7157198c482271c3b79123

SHA1
0f09a252794ed8c8e0cf1be782255e42b54260b8

SHA256
24c0062ec77a25ab227b3f092b43175da598cd075df1acd9d6b3f7c808fb07fd

SHA512
690192f1580ffaf962241a5aaeb416d3097295fbda329b3e60cc0718e9068802fab6f23d6f115b9c8f46d7e21254b0945903647349511a4960060df2b3f97796

Download Submit
memory/632-105-0x0000000002160000-0x0000000002187000-memory.dmp

Filesize
156KB

Download
memory/632-72-0x0000000000000000-mapping.dmp

Download
memory/632-88-0x0000000000340000-0x000000000035E000-memory.dmp

Filesize
120KB

Download
memory/632-93-0x0000000000810000-0x000000000084F000-memory.dmp

Filesize
252KB

Download
memory/1100-107-0x0000000000A00000-0x0000000001CAB000-memory.dmp

Filesize
18.7MB

Download
memory/1100-114-0x0000000000A00000-0x0000000001CAB000-memory.dmp

Filesize
18.7MB

Download
memory/1100-59-0x0000000000A00000-0x0000000001CAB000-memory.dmp

Filesize
18.7MB

Download
memory/1100-56-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download
memory/1600-110-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000000000000-mapping.dmp

Download