0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Size

1.3MB
MD5

ca72da36e0776c0b017d65e9d12a1d2a
SHA1

9eade7229a0b2c58f6bfda227443f83f1203bd50
SHA256

0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72
SHA512

ca500292e269975148909c6c509a481017f2b629e27f20a6925eb7f0e47e51f65f6443e72d1302208feed3dc72707e4ada31430bce30bd69bfec57f798c00bd9
SSDEEP

24576:dshSQNYf0Mowstz4cq599tw85G27RpJlI5Qia:dMSlstd893nVpJzia

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133419130132305451"	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe

Modifies system certificate store 2 TTPs 9 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D\Blob = 0f00000001000000200000009f4ea12aef7b75c65229a1b6986b1bd35e7615beee7d6a2a23e1ea09911b8e340b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00420032003600420043003300460035002d0044004100310034002d0034003000300039002d0038004500460046002d003800380045003000340032003700370042003400450030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000009d158ed214538b628b051cdcbe50df8c89bbc20d2000000001000000b6030000308203b23082029aa0030201020210189957f4af8aeb9e4dce75286199ca19300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3232313031353036353635325a170d3238313031343036353635325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b28e707bb18f302bb1996cfbb48cf08d441c2a55550ac6a278a61936e0ad37fd47d0958ae4a4da29f0f80b06711b61bd93f86ea2625f2c9d9a582dea3b09857da4ef90cc4263e00f3c166e12f7bc6fea4a3cc5be9bc2a516fe7857333edf8b8c19a9cd5c88d6d59c857d0acd78fb66936057273158ab4df18ee6eb57dda2e779da217a9b90f55bf18ae9ecb6637aab7c082dd9716d69c49a00948c7d1e6edb01c46e03364e156cce47797718ad455048b8f45435a5b77afb58c298964b1838fc3e142ebe3eb591d13fe07e85cb08be1eebe9e0e59ebd9cd2105f631d14ad88ef62cff6b875029bd5c3dc85e410987c0e23e22e8283765a6dc33c042a092f7a0d0203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414769082ed80775e654aadc07ec489f66d05dbdbf7300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101003e207a70b9f4a0a50cbc315a6288041b2489765868cbfa5f6f8d8eceda1955286f13e272d826b9ff9b198978f2ecc882a7c10553346d6a96b457da56e6a4902317160c935a1294e403c3c2c68c0e813a58a1572ccdf127014e3cdaf9b3de58adea20c4d788a01aaeeddd77b64d1ccbf38b43df958b8454bfc07eb0737d9ca95c31df32f77c10dd0bacd56b71f7db71d2c0f6a1bac16fa54f57784a674bee420143f61198410c0f9283cbd98d451f775aa6cd58968820ff7eaedce906cbeefe2052df92547bdbff76b6cc05b7d68f1ce09aacd53fc11f3f7d424fbac69b674d413ee2ee4973b2a64bedf0a9f412f683d5df574952886e4b1a086bc78fbebe4da7	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D\Blob = 140000000100000014000000769082ed80775e654aadc07ec489f66d05dbdbf70300000001000000140000009d158ed214538b628b051cdcbe50df8c89bbc20d0200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00420032003600420043003300460035002d0044004100310034002d0034003000300039002d0038004500460046002d003800380045003000340032003700370042003400450030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000f00000001000000200000009f4ea12aef7b75c65229a1b6986b1bd35e7615beee7d6a2a23e1ea09911b8e342000000001000000b6030000308203b23082029aa0030201020210189957f4af8aeb9e4dce75286199ca19300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3232313031353036353635325a170d3238313031343036353635325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b28e707bb18f302bb1996cfbb48cf08d441c2a55550ac6a278a61936e0ad37fd47d0958ae4a4da29f0f80b06711b61bd93f86ea2625f2c9d9a582dea3b09857da4ef90cc4263e00f3c166e12f7bc6fea4a3cc5be9bc2a516fe7857333edf8b8c19a9cd5c88d6d59c857d0acd78fb66936057273158ab4df18ee6eb57dda2e779da217a9b90f55bf18ae9ecb6637aab7c082dd9716d69c49a00948c7d1e6edb01c46e03364e156cce47797718ad455048b8f45435a5b77afb58c298964b1838fc3e142ebe3eb591d13fe07e85cb08be1eebe9e0e59ebd9cd2105f631d14ad88ef62cff6b875029bd5c3dc85e410987c0e23e22e8283765a6dc33c042a092f7a0d0203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414769082ed80775e654aadc07ec489f66d05dbdbf7300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101003e207a70b9f4a0a50cbc315a6288041b2489765868cbfa5f6f8d8eceda1955286f13e272d826b9ff9b198978f2ecc882a7c10553346d6a96b457da56e6a4902317160c935a1294e403c3c2c68c0e813a58a1572ccdf127014e3cdaf9b3de58adea20c4d788a01aaeeddd77b64d1ccbf38b43df958b8454bfc07eb0737d9ca95c31df32f77c10dd0bacd56b71f7db71d2c0f6a1bac16fa54f57784a674bee420143f61198410c0f9283cbd98d451f775aa6cd58968820ff7eaedce906cbeefe2052df92547bdbff76b6cc05b7d68f1ce09aacd53fc11f3f7d424fbac69b674d413ee2ee4973b2a64bedf0a9f412f683d5df574952886e4b1a086bc78fbebe4da7	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D\Blob = 19000000010000001000000092307aec8dd56c7159e49ad7abb16fb4140000000100000014000000769082ed80775e654aadc07ec489f66d05dbdbf70300000001000000140000009d158ed214538b628b051cdcbe50df8c89bbc20d0200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00420032003600420043003300460035002d0044004100310034002d0034003000300039002d0038004500460046002d003800380045003000340032003700370042003400450030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000f00000001000000200000009f4ea12aef7b75c65229a1b6986b1bd35e7615beee7d6a2a23e1ea09911b8e34040000000100000010000000011abfde0cf1a47f837c4ba1d362e3ab2000000001000000b6030000308203b23082029aa0030201020210189957f4af8aeb9e4dce75286199ca19300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3232313031353036353635325a170d3238313031343036353635325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b28e707bb18f302bb1996cfbb48cf08d441c2a55550ac6a278a61936e0ad37fd47d0958ae4a4da29f0f80b06711b61bd93f86ea2625f2c9d9a582dea3b09857da4ef90cc4263e00f3c166e12f7bc6fea4a3cc5be9bc2a516fe7857333edf8b8c19a9cd5c88d6d59c857d0acd78fb66936057273158ab4df18ee6eb57dda2e779da217a9b90f55bf18ae9ecb6637aab7c082dd9716d69c49a00948c7d1e6edb01c46e03364e156cce47797718ad455048b8f45435a5b77afb58c298964b1838fc3e142ebe3eb591d13fe07e85cb08be1eebe9e0e59ebd9cd2105f631d14ad88ef62cff6b875029bd5c3dc85e410987c0e23e22e8283765a6dc33c042a092f7a0d0203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414769082ed80775e654aadc07ec489f66d05dbdbf7300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101003e207a70b9f4a0a50cbc315a6288041b2489765868cbfa5f6f8d8eceda1955286f13e272d826b9ff9b198978f2ecc882a7c10553346d6a96b457da56e6a4902317160c935a1294e403c3c2c68c0e813a58a1572ccdf127014e3cdaf9b3de58adea20c4d788a01aaeeddd77b64d1ccbf38b43df958b8454bfc07eb0737d9ca95c31df32f77c10dd0bacd56b71f7db71d2c0f6a1bac16fa54f57784a674bee420143f61198410c0f9283cbd98d451f775aa6cd58968820ff7eaedce906cbeefe2052df92547bdbff76b6cc05b7d68f1ce09aacd53fc11f3f7d424fbac69b674d413ee2ee4973b2a64bedf0a9f412f683d5df574952886e4b1a086bc78fbebe4da7	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D\Blob = 5c000000010000000400000000080000040000000100000010000000011abfde0cf1a47f837c4ba1d362e3ab0f00000001000000200000009f4ea12aef7b75c65229a1b6986b1bd35e7615beee7d6a2a23e1ea09911b8e340b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00420032003600420043003300460035002d0044004100310034002d0034003000300039002d0038004500460046002d003800380045003000340032003700370042003400450030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000009d158ed214538b628b051cdcbe50df8c89bbc20d140000000100000014000000769082ed80775e654aadc07ec489f66d05dbdbf719000000010000001000000092307aec8dd56c7159e49ad7abb16fb42000000001000000b6030000308203b23082029aa0030201020210189957f4af8aeb9e4dce75286199ca19300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3232313031353036353635325a170d3238313031343036353635325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b28e707bb18f302bb1996cfbb48cf08d441c2a55550ac6a278a61936e0ad37fd47d0958ae4a4da29f0f80b06711b61bd93f86ea2625f2c9d9a582dea3b09857da4ef90cc4263e00f3c166e12f7bc6fea4a3cc5be9bc2a516fe7857333edf8b8c19a9cd5c88d6d59c857d0acd78fb66936057273158ab4df18ee6eb57dda2e779da217a9b90f55bf18ae9ecb6637aab7c082dd9716d69c49a00948c7d1e6edb01c46e03364e156cce47797718ad455048b8f45435a5b77afb58c298964b1838fc3e142ebe3eb591d13fe07e85cb08be1eebe9e0e59ebd9cd2105f631d14ad88ef62cff6b875029bd5c3dc85e410987c0e23e22e8283765a6dc33c042a092f7a0d0203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414769082ed80775e654aadc07ec489f66d05dbdbf7300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101003e207a70b9f4a0a50cbc315a6288041b2489765868cbfa5f6f8d8eceda1955286f13e272d826b9ff9b198978f2ecc882a7c10553346d6a96b457da56e6a4902317160c935a1294e403c3c2c68c0e813a58a1572ccdf127014e3cdaf9b3de58adea20c4d788a01aaeeddd77b64d1ccbf38b43df958b8454bfc07eb0737d9ca95c31df32f77c10dd0bacd56b71f7db71d2c0f6a1bac16fa54f57784a674bee420143f61198410c0f9283cbd98d451f775aa6cd58968820ff7eaedce906cbeefe2052df92547bdbff76b6cc05b7d68f1ce09aacd53fc11f3f7d424fbac69b674d413ee2ee4973b2a64bedf0a9f412f683d5df574952886e4b1a086bc78fbebe4da7	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\SystemCertificates\REQUEST	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D\Blob = 040000000100000010000000011abfde0cf1a47f837c4ba1d362e3ab0f00000001000000200000009f4ea12aef7b75c65229a1b6986b1bd35e7615beee7d6a2a23e1ea09911b8e34140000000100000014000000769082ed80775e654aadc07ec489f66d05dbdbf719000000010000001000000092307aec8dd56c7159e49ad7abb16fb40300000001000000140000009d158ed214538b628b051cdcbe50df8c89bbc20d5c0000000100000004000000000800002000000001000000b6030000308203b23082029aa0030201020210189957f4af8aeb9e4dce75286199ca19300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3232313031353036353635325a170d3238313031343036353635325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b28e707bb18f302bb1996cfbb48cf08d441c2a55550ac6a278a61936e0ad37fd47d0958ae4a4da29f0f80b06711b61bd93f86ea2625f2c9d9a582dea3b09857da4ef90cc4263e00f3c166e12f7bc6fea4a3cc5be9bc2a516fe7857333edf8b8c19a9cd5c88d6d59c857d0acd78fb66936057273158ab4df18ee6eb57dda2e779da217a9b90f55bf18ae9ecb6637aab7c082dd9716d69c49a00948c7d1e6edb01c46e03364e156cce47797718ad455048b8f45435a5b77afb58c298964b1838fc3e142ebe3eb591d13fe07e85cb08be1eebe9e0e59ebd9cd2105f631d14ad88ef62cff6b875029bd5c3dc85e410987c0e23e22e8283765a6dc33c042a092f7a0d0203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414769082ed80775e654aadc07ec489f66d05dbdbf7300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101003e207a70b9f4a0a50cbc315a6288041b2489765868cbfa5f6f8d8eceda1955286f13e272d826b9ff9b198978f2ecc882a7c10553346d6a96b457da56e6a4902317160c935a1294e403c3c2c68c0e813a58a1572ccdf127014e3cdaf9b3de58adea20c4d788a01aaeeddd77b64d1ccbf38b43df958b8454bfc07eb0737d9ca95c31df32f77c10dd0bacd56b71f7db71d2c0f6a1bac16fa54f57784a674bee420143f61198410c0f9283cbd98d451f775aa6cd58968820ff7eaedce906cbeefe2052df92547bdbff76b6cc05b7d68f1ce09aacd53fc11f3f7d424fbac69b674d413ee2ee4973b2a64bedf0a9f412f683d5df574952886e4b1a086bc78fbebe4da7	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D\Blob = 040000000100000010000000011abfde0cf1a47f837c4ba1d362e3ab0f00000001000000200000009f4ea12aef7b75c65229a1b6986b1bd35e7615beee7d6a2a23e1ea09911b8e340b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00420032003600420043003300460035002d0044004100310034002d0034003000300039002d0038004500460046002d003800380045003000340032003700370042003400450030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000009d158ed214538b628b051cdcbe50df8c89bbc20d140000000100000014000000769082ed80775e654aadc07ec489f66d05dbdbf72000000001000000b6030000308203b23082029aa0030201020210189957f4af8aeb9e4dce75286199ca19300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3232313031353036353635325a170d3238313031343036353635325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b28e707bb18f302bb1996cfbb48cf08d441c2a55550ac6a278a61936e0ad37fd47d0958ae4a4da29f0f80b06711b61bd93f86ea2625f2c9d9a582dea3b09857da4ef90cc4263e00f3c166e12f7bc6fea4a3cc5be9bc2a516fe7857333edf8b8c19a9cd5c88d6d59c857d0acd78fb66936057273158ab4df18ee6eb57dda2e779da217a9b90f55bf18ae9ecb6637aab7c082dd9716d69c49a00948c7d1e6edb01c46e03364e156cce47797718ad455048b8f45435a5b77afb58c298964b1838fc3e142ebe3eb591d13fe07e85cb08be1eebe9e0e59ebd9cd2105f631d14ad88ef62cff6b875029bd5c3dc85e410987c0e23e22e8283765a6dc33c042a092f7a0d0203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414769082ed80775e654aadc07ec489f66d05dbdbf7300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101003e207a70b9f4a0a50cbc315a6288041b2489765868cbfa5f6f8d8eceda1955286f13e272d826b9ff9b198978f2ecc882a7c10553346d6a96b457da56e6a4902317160c935a1294e403c3c2c68c0e813a58a1572ccdf127014e3cdaf9b3de58adea20c4d788a01aaeeddd77b64d1ccbf38b43df958b8454bfc07eb0737d9ca95c31df32f77c10dd0bacd56b71f7db71d2c0f6a1bac16fa54f57784a674bee420143f61198410c0f9283cbd98d451f775aa6cd58968820ff7eaedce906cbeefe2052df92547bdbff76b6cc05b7d68f1ce09aacd53fc11f3f7d424fbac69b674d413ee2ee4973b2a64bedf0a9f412f683d5df574952886e4b1a086bc78fbebe4da7	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
3324	0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe

C:\Users\Admin\AppData\Local\Temp\0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe
"C:\Users\Admin\AppData\Local\Temp\0426986f2a72df87b719777152e20ec78d742b4ff5d07f1c3d17e3b114480b72.exe"
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4192

C:\Windows\system32\pacjsworker.exe
C:\Windows\system32\pacjsworker.exe b70dc7a1-4042-4560-9073-c444ac1fe1eb eaf21a68-386b-413d-8933-9f6f786e01d1
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FiddlerCore4.dll

Filesize
505KB

MD5
79fe5228b7ccdc88cf7ddba2893ea71f

SHA1
4313028e5354d66be81fd2103a16b16e1ad1a6f3

SHA256
5850d403352d76e7f7ebda93a7bff5ab1ea57c91a54a2f6c2cfaf1c9d356d55f

SHA512
f46380ccd2fcb8246206f176f17c1931d57c3bc1312c95e059cf9feab4bc392ad31fa6ffc6a1dac3b0bd70c5393ab1c2cf21729e357cb7c523d487dd92aacac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiddlerCore4.dll

Filesize
505KB

MD5
79fe5228b7ccdc88cf7ddba2893ea71f

SHA1
4313028e5354d66be81fd2103a16b16e1ad1a6f3

SHA256
5850d403352d76e7f7ebda93a7bff5ab1ea57c91a54a2f6c2cfaf1c9d356d55f

SHA512
f46380ccd2fcb8246206f176f17c1931d57c3bc1312c95e059cf9feab4bc392ad31fa6ffc6a1dac3b0bd70c5393ab1c2cf21729e357cb7c523d487dd92aacac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7C64.tmp

Filesize
2KB

MD5
47d41524de9eab52342c4d651bf0c078

SHA1
108bb1d1824615f07289ca923abbef0dc48ef761

SHA256
f0ce656ae7197d1b51e8a6508c1264786bead1e5eac00ed545ed749a61e74b00

SHA512
e5daea6119342a2d3ed52cea79fce3ce02ffd3e7118c86e7c37fc73c34b6cbd66ffef9451205546677219b40a7dd8eb7ab3dd435ed32c04b8c52458d066553e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8213.tmp

Filesize
2KB

MD5
3242670c263356e7972280b939cbd597

SHA1
cddaa2c20f53070a600b049b0e1bb16004b0fd00

SHA256
d720392d08764cf57c384cad606462e88cc83845dd287670f5f0b25c8419931c

SHA512
3a51a989bfe700d4b05eaf2caa333b67b92ceb5e0d1c9c142bc9f60afeb73adba948c1f99efdd9ed90a2c90ffb8d91a8a79002687c0792e5d7b638565ba48743

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDFB5.tmp

Filesize
2KB

MD5
e87c68a01246a6199da740661bdb68dd

SHA1
81ee87bbcb196a1a90c7df3cea793908bd977d96

SHA256
7f073b8a47f7de61c8418b2ea5466228124572fa4ab21f2b179a5c0095c99ab3

SHA512
b75574489daf60d1c35c373c76aa399801ebe63fb348c389e3116dfa7fe701a699392ad720ebe8e4cd18918eb12f77df3bd88717fb153659cf1854bb5ef90616

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE787.tmp

Filesize
2KB

MD5
5890fcef50747fbabea7320de25794a7

SHA1
7c4c27c0a5ab92340ea1f6dbdc0e27392a85a9a5

SHA256
a0f73475450a1b1505469b7ad42dfabdcfca61c3cdcba522101fef6a1478d7a8

SHA512
510b5f922d91cf1809ec045d571f2011b1488b4caef5a1a0ded7e9b6ad594dc1062fc7ad2422ce4251b2a76f52fe30e82008bf4dc4bae987d001c7b51349fb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
35KB

MD5
2fce4202a6fed07730175335b2bde1ea

SHA1
9c7e039ab121c8fe0aaa64b2a75224d41c35365a

SHA256
1e402b803fead55dc58fc2c08997319d2cbf9fd958e8ff388ed276e585900865

SHA512
e2bc52b79927cec05e0a12b89489a42726a3fc2c7f9b2f6544c28d7d8c41d6e890464b145d21dce334589b014e3a00ede823ec11b96b4406cba9d58e2c0a5150

Download Submit
C:\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
35KB

MD5
2fce4202a6fed07730175335b2bde1ea

SHA1
9c7e039ab121c8fe0aaa64b2a75224d41c35365a

SHA256
1e402b803fead55dc58fc2c08997319d2cbf9fd958e8ff388ed276e585900865

SHA512
e2bc52b79927cec05e0a12b89489a42726a3fc2c7f9b2f6544c28d7d8c41d6e890464b145d21dce334589b014e3a00ede823ec11b96b4406cba9d58e2c0a5150

Download Submit
C:\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
35KB

MD5
2fce4202a6fed07730175335b2bde1ea

SHA1
9c7e039ab121c8fe0aaa64b2a75224d41c35365a

SHA256
1e402b803fead55dc58fc2c08997319d2cbf9fd958e8ff388ed276e585900865

SHA512
e2bc52b79927cec05e0a12b89489a42726a3fc2c7f9b2f6544c28d7d8c41d6e890464b145d21dce334589b014e3a00ede823ec11b96b4406cba9d58e2c0a5150

Download Submit
C:\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
35KB

MD5
2fce4202a6fed07730175335b2bde1ea

SHA1
9c7e039ab121c8fe0aaa64b2a75224d41c35365a

SHA256
1e402b803fead55dc58fc2c08997319d2cbf9fd958e8ff388ed276e585900865

SHA512
e2bc52b79927cec05e0a12b89489a42726a3fc2c7f9b2f6544c28d7d8c41d6e890464b145d21dce334589b014e3a00ede823ec11b96b4406cba9d58e2c0a5150

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1926387074-3400613176-3566796709-1000\5728e61bbbd011262b7cf4765118dbc5_efd86015-5e59-4b86-a8a7-251861554f93

Filesize
2KB

MD5
6e8d20af1d3c68e5e7a3c36fa6875d7b

SHA1
6586d0138ab1023c1cbdcd5d3b49c680ad41e1bf

SHA256
c81741c39fd7fae3d5a9e51cda64c2c2451690b4aef44e3766da7c784944b105

SHA512
28b72bbaf9c0783a3822a7dfac1c81647769d029651a4ca256a86f490e50942ccc86a07ce23309ef14875a465c5fcb7cb16ad10ae35ed6d5d9b08e9cbeafc8c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1926387074-3400613176-3566796709-1000\f5ac31cd48f9b76ef6060fa6039226fa_efd86015-5e59-4b86-a8a7-251861554f93

Filesize
2KB

MD5
7e153e1ba9c0cf2a99e63970270d954a

SHA1
620af4a4791fc6ba3b7a1bb4b1cee751004c2b72

SHA256
ae03b8a0e55e48b88730948fe7c13de4216915c9bc57189718b71800d424b135

SHA512
baf8422d7b65fa5c0c699e82c90a0846d0089c6a4302a97a93a9afa8aec1c7c4fe53fc4dcddf064144906e5320a7db1f0c2dc36c9f5230cd5099625e65925bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0D3BA130222A8B9910A5F623BF6664E168468931

Filesize
1KB

MD5
624720944679fdc86c8dc0b6e0da67ad

SHA1
6c34e31c1ac12497fea19056f943e10e28442940

SHA256
7e6a6029daa39ecd0140356e75c71e2615c08765687f5e11a0feea5d3ce0447e

SHA512
9dcca77a23f81d2d912dd1fb6d7753542851e5789533c01a19cbe409870426d2a95a42792b821d8e5fcf8997d0fdb6ec38c1aa398e62e4d64c77a39e8a208e59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\91ABB99EBE766AB764A3976F5441B92DCF4B7A65

Filesize
1KB

MD5
867f611d7556b36df459e199885aa91e

SHA1
782e299539034a1cc033d4b0a1177a2735a01de4

SHA256
f2fccca4ef82fc8ca4a6b1641775b1fd0f3280485faff2dcb37f342af54a4031

SHA512
2b5fb69cbb76bdce5f8353a4b383035e153618d6ddbaae3c11d05b869e7b2415c01927c074df7272aaad0d2140ff165b05207374624abfcc39c0b9dca06c62dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\9D158ED214538B628B051CDCBE50DF8C89BBC20D

Filesize
1KB

MD5
d0bed0c480c99a2f23f18195134c515a

SHA1
a95c34d8c11422387b6950ee37497a1150d7b053

SHA256
af16139b05ac3f800f4784224420b7967986b73b4de9d572b7444c8020ffcc9e

SHA512
af04e54731983154eb612af27af429688d78cf7474a652e07ea3ff5ef4033503ada5db293af6ed5f5621b0e4a39cc4c604d6da26ff3bdce898ce48f8b6c4e4f2

Download Submit
memory/3324-26-0x0000000005180000-0x0000000005724000-memory.dmp

Filesize
5.6MB

Download
memory/3324-15-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3324-25-0x0000000002C00000-0x0000000002C82000-memory.dmp

Filesize
520KB

Download
memory/3324-20-0x0000000075630000-0x000000007563D000-memory.dmp

Filesize
52KB

Download
memory/3324-110-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3324-111-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-21-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-19-0x0000000002800000-0x000000000280D000-memory.dmp

Filesize
52KB

Download