Analysis
max time kernel: 28s
max time network: 303s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-01-2024 05:10
Static task: static1

General
Target: ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
Size: 18.8MB
MD5: ed2fd5173af900c56220101ce6648515
SHA1: d8783b8dc155314c5680aebddd4e36df7ddfebbf
SHA256: ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098
SHA512: ef7bac0140e2e492a4d1751d9a6d1fe6ec94649bd6a00006f159a067b774ee8870d567e0fae2e08ebf16db3d11c2dfe2fcf5884d7d27d74fdba34781500f9806
SSDEEP: 393216:deNXiJAZn67vPin33BIkI5k/y0KX7rEtwbsAlx6A1wK:ExZGQIH5bVdbsU

Malware Config
Extracted: smokeloader
  up3
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Extracted: stealc
  http://185.172.128.79
  url_path: /3886d2276f6914c4.php

Signatures

Glupteba payload 10 IoCs
resource | yara_rule
behavioral1/memory/2832-140-0x0000000002B90000-0x000000000347B000-memory.dmp | family_glupteba
behavioral1/memory/2832-181-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2832-244-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2832-256-0x0000000002B90000-0x000000000347B000-memory.dmp | family_glupteba
behavioral1/memory/2036-263-0x0000000002AB0000-0x000000000339B000-memory.dmp | family_glupteba
behavioral1/memory/2036-265-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2036-285-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3028-290-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3028-376-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3028-431-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe

Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest | AB9B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxMouse | AB9B.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxMouse | AB9B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxService | AB9B.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxService | AB9B.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxVideo | AB9B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest | AB9B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxSF | AB9B.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxSF | AB9B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxVideo | AB9B.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
2156 | netsh.exe

Sets file execution options in registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\35ukikuc.exe | AB9B.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\35ukikuc.exe\DisableExceptionChainValidation | AB9B.exe

Executes dropped EXE 14 IoCs
pid | Process
2924 | InstallSetup8.exe
2716 | conhost.exe
2832 | 31839b57a4f11171d6abc8bbc4451ee4.exe
2692 | tuc4.exe
2080 | etopt.exe
2620 | tuc4.tmp
2748 | toolspub2.exe
2644 | BroomSetup.exe
2036 | 31839b57a4f11171d6abc8bbc4451ee4.exe
1464 | nsy5F81.tmp.exe
3028 | csrss.exe
2220 | patch.exe
1508 | injector.exe
1236 | AB9B.exe

Loads dropped DLL 30 IoCs
pid | Process
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
1736 | ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
2716 | conhost.exe
2692 | tuc4.exe
2620 | tuc4.tmp
2620 | tuc4.tmp
2924 | InstallSetup8.exe
2080 | etopt.exe
2620 | tuc4.tmp
2620 | tuc4.tmp
2080 | etopt.exe
2924 | InstallSetup8.exe
2924 | InstallSetup8.exe
2924 | InstallSetup8.exe
2924 | InstallSetup8.exe
2924 | InstallSetup8.exe
2036 | 31839b57a4f11171d6abc8bbc4451ee4.exe
2036 | 31839b57a4f11171d6abc8bbc4451ee4.exe
840 | Process not Found
2220 | patch.exe
2220 | patch.exe
2220 | patch.exe
2220 | patch.exe
2220 | patch.exe
3028 | csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Registers COM server for autorun 1 TTPs 11 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll" | etopt.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 31839b57a4f11171d6abc8bbc4451ee4.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AB9B.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | api.ipify.org

Modifies boot configuration data using bcdedit 1 IoCs
pid | Process
1536 | bcdedit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1236 | AB9B.exe
1740 | explorer.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2716 set thread context of 2748 | 2716 | conhost.exe | 30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 56 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-8DA8Q.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-G1ULH.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-C4PJT.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-7JUM2.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\stuff\is-N7PEV.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-1HN1R.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\unins000.dat | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-FV8V1.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-UN8GE.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-NQRVN.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-S063D.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-80QG1.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-044F9.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-UJNN0.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\stuff\is-7JA6V.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-R3Q3G.tmp | tuc4.tmp
File created | C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg | etopt.exe
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-ECNTP.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-M72QP.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-1H0DO.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-B8CEJ.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-K07B7.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-J6DKD.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-M03V6.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-OPJKI.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-M9D3K.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-SSBI4.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-C41FN.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\plugins\internal\is-DMSI1.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-V30TS.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\plugins\internal\is-A7GNP.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-JM3A1.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-RR8OA.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-BDLMO.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-VRB1N.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-0H3PE.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-DEDF0.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-M9SOJ.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-JAQQ4.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\stuff\is-1VBGA.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-AT6OF.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-6DCGM.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-MT853.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-UVEKS.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-CO5EO.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\is-SGU17.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-7RCR1.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-8PADN.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-B2MF1.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-O6FLR.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-2G9OT.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\lessmsi\is-02KJD.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-DH1SN.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-2U5MA.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-3PIO8.tmp | tuc4.tmp
File created | C:\Program Files (x86)\DataPumpCRT\bin\x86\is-HOAUK.tmp | tuc4.tmp

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\servicing\Editions\FineNet.dll | etopt.exe
File created | C:\Windows\Logs\CBS\CbsPersist_20240101051102.cab | makecab.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2700 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
2320 | 2924 | WerFault.exe | 37

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AB9B.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AB9B.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsy5F81.tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsy5F81.tmp.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1928 | schtasks.exe
1488 | schtasks.exe
2808 | schtasks.exe

Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC} | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC} | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32 | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC}" | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC} | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\CLSID\{2E42C5DF-585B-22E1-19B9-D0AC1C19D0CC} | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC} | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F42C5DF-585B-22E1-19B9-D0AC1C19D0CC}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | csrss.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value removed] | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | patch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | patch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value removed] | patch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value removed] | patch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value removed] | patch.exe

Runs regedit.exe 1 IoCs
pid Process
1700 regedit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2748 toolspub2.exe
2748 toolspub2.exe
2080 etopt.exe
2080 etopt.exe
2080 etopt.exe
2080 etopt.exe
2080 etopt.exe
2080 etopt.exe
2080 etopt.exe
2080 etopt.exe
2832 31839b57a4f11171d6abc8bbc4451ee4.exe
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
2036 31839b57a4f11171d6abc8bbc4451ee4.exe
1224 Process not Found
2036 31839b57a4f11171d6abc8bbc4451ee4.exe
2036 31839b57a4f11171d6abc8bbc4451ee4.exe
2036 31839b57a4f11171d6abc8bbc4451ee4.exe
2036 31839b57a4f11171d6abc8bbc4451ee4.exe
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
1224 Process not Found
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process
2748 toolspub2.exe
1236 AB9B.exe
1236 AB9B.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeDebugPrivilege 2832 31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege 2832 31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeSystemEnvironmentPrivilege 3028 csrss.exe
Token: SeDebugPrivilege 1236 AB9B.exe
Token: SeRestorePrivilege 1236 AB9B.exe
Token: SeBackupPrivilege 1236 AB9B.exe
Token: SeLoadDriverPrivilege 1236 AB9B.exe
Token: SeCreatePagefilePrivilege 1236 AB9B.exe
Token: SeShutdownPrivilege 1236 AB9B.exe
Token: SeTakeOwnershipPrivilege 1236 AB9B.exe
Token: SeChangeNotifyPrivilege 1236 AB9B.exe
Token: SeCreateTokenPrivilege 1236 AB9B.exe
Token: SeMachineAccountPrivilege 1236 AB9B.exe
Token: SeSecurityPrivilege 1236 AB9B.exe
Token: SeAssignPrimaryTokenPrivilege 1236 AB9B.exe
Token: SeCreateGlobalPrivilege 1236 AB9B.exe
Token: 33 1236 AB9B.exe
Token: SeDebugPrivilege 1740 explorer.exe
Token: SeRestorePrivilege 1740 explorer.exe
Token: SeBackupPrivilege 1740 explorer.exe
Token: SeLoadDriverPrivilege 1740 explorer.exe
Token: SeCreatePagefilePrivilege 1740 explorer.exe
Token: SeShutdownPrivilege 1740 explorer.exe
Token: SeTakeOwnershipPrivilege 1740 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2620 tuc4.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2644 BroomSetup.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2924 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 37
PID 1736 wrote to memory of 2716 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 45
PID 1736 wrote to memory of 2716 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 45
PID 1736 wrote to memory of 2716 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 45
PID 1736 wrote to memory of 2716 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 45
PID 1736 wrote to memory of 2832 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 28
PID 1736 wrote to memory of 2832 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 28
PID 1736 wrote to memory of 2832 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 28
PID 1736 wrote to memory of 2832 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 28
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2692 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 29
PID 1736 wrote to memory of 2080 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 33
PID 1736 wrote to memory of 2080 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 33
PID 1736 wrote to memory of 2080 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 33
PID 1736 wrote to memory of 2080 1736 ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe 33
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2716 wrote to memory of 2748 2716 conhost.exe 30
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2692 wrote to memory of 2620 2692 tuc4.exe 32
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 2644 2924 InstallSetup8.exe 31
PID 2924 wrote to memory of 1464 2924 InstallSetup8.exe 42
PID 2924 wrote to memory of 1464 2924 InstallSetup8.exe 42
PID 2924 wrote to memory of 1464 2924 InstallSetup8.exe 42
PID 2924 wrote to memory of 1464 2924 InstallSetup8.exe 42
PID 2036 wrote to memory of 2600 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 44
PID 2036 wrote to memory of 2600 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 44
PID 2036 wrote to memory of 2600 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 44
PID 2036 wrote to memory of 2600 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 44
PID 2600 wrote to memory of 2156 2600 cmd.exe 46
PID 2600 wrote to memory of 2156 2600 cmd.exe 46
PID 2600 wrote to memory of 2156 2600 cmd.exe 46
PID 2036 wrote to memory of 3028 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 47
PID 2036 wrote to memory of 3028 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 47
PID 2036 wrote to memory of 3028 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 47
PID 2036 wrote to memory of 3028 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 47
PID 3028 wrote to memory of 1508 3028 csrss.exe 55
PID 3028 wrote to memory of 1508 3028 csrss.exe 55
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1736
  2⤵ C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
     - Executes dropped EXE
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     PID: 2832
    3⤵ C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
       - Windows security bypass
       - Executes dropped EXE
       - Loads dropped DLL
       - Windows security modification
       - Adds Run key to start application
       - Checks for VirtualBox DLLs, possible anti-VM trick
       - Drops file in Windows directory
       - Modifies data under HKEY_USERS
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
       PID: 2036
      4⤵ C:\Windows\system32\cmd.exe
         Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
         - Suspicious use of WriteProcessMemory
         PID: 2600
        5⤵ C:\Windows\system32\netsh.exe
           Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
           - Modifies Windows Firewall
           - Modifies data under HKEY_USERS
           PID: 2156
      4⤵ C:\Windows\rss\csrss.exe
         Command line: C:\Windows\rss\csrss.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Modifies system certificate store
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 3028
        5⤵ C:\Windows\system32\schtasks.exe
           Command line: schtasks /delete /tn ScheduledUpdate /f
           PID: 1476
        5⤵ C:\Windows\system32\schtasks.exe
           Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
           - Creates scheduled task(s)
           PID: 1928
        5⤵ C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
           - Executes dropped EXE
           - Loads dropped DLL
           - Modifies system certificate store
           PID: 2220
        5⤵ C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
           Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
           - Executes dropped EXE
           PID: 1508
        5⤵ C:\Windows\system32\bcdedit.exe
           Command line: C:\Windows\Sysnative\bcdedit.exe /v
           - Modifies boot configuration data using bcdedit
           PID: 1536
        5⤵ C:\Windows\system32\schtasks.exe
           Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
           - Creates scheduled task(s)
           PID: 2808
        5⤵ C:\Windows\windefender.exe
           Command line: "C:\Windows\windefender.exe"
           PID: 884
          6⤵ C:\Windows\SysWOW64\cmd.exe
             Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
             PID: 2240
            7⤵ C:\Windows\SysWOW64\sc.exe
               Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
               - Launches sc.exe
               PID: 2700
  2⤵ C:\Users\Admin\AppData\Local\Temp\tuc4.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     PID: 2692
    3⤵ C:\Users\Admin\AppData\Local\Temp\is-CU3O1.tmp\tuc4.tmp
       Command line: "C:\Users\Admin\AppData\Local\Temp\is-CU3O1.tmp\tuc4.tmp" /SL5="$60122,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
       - Executes dropped EXE
       - Loads dropped DLL
       - Drops file in Program Files directory
       - Suspicious use of FindShellTrayWindow
       PID: 2620
  2⤵ C:\Users\Admin\AppData\Local\Temp\etopt.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\etopt.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Registers COM server for autorun
     - Drops file in Program Files directory
     - Drops file in Windows directory
     - Modifies registry class
     - Suspicious behavior: EnumeratesProcesses
     PID: 2080
  2⤵ C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
     PID: 2716
  2⤵ C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     PID: 2924
    3⤵ C:\Users\Admin\AppData\Local\Temp\nsy5F81.tmp.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\nsy5F81.tmp.exe
       - Executes dropped EXE
       - Checks processor information in registry
       PID: 1464
    3⤵ C:\Windows\SysWOW64\WerFault.exe
       Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 928
       - Program crash
       PID: 2320
1⤵ C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
   - Executes dropped EXE
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   PID: 2748
1⤵ C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
   - Executes dropped EXE
   - Suspicious use of SetWindowsHookEx
   PID: 2644
1⤵ C:\Windows\system32\makecab.exe
   Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240101051102.log C:\Windows\Logs\CBS\CbsPersist_20240101051102.cab
   - Drops file in Windows directory
   PID: 2084
1⤵ C:\Windows\system32\conhost.exe
   Command line: \??\C:\Windows\system32\conhost.exe "14061145524075834431291593723-62233320117216164182136747614-1345413249-1270078564"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 2716
1⤵ C:\Users\Admin\AppData\Local\Temp\AB9B.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\AB9B.exe
   - Enumerates VirtualBox registry keys
   - Sets file execution options in registry
   - Executes dropped EXE
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of AdjustPrivilegeToken
   PID: 1236
  2⤵ C:\Windows\SysWOW64\explorer.exe
     Command line: C:\Windows\SysWOW64\explorer.exe
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious use of AdjustPrivilegeToken
     PID: 1740
    3⤵ C:\Users\Admin\AppData\Local\Temp\35ukikuc_1.exe
       Command line: /suac
       PID: 2836
      4⤵ C:\Windows\SysWOW64\regedit.exe
         Command line: "C:\Windows\SysWOW64\regedit.exe"
         - Runs regedit.exe
         PID: 1700
      4⤵ C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\35ukikuc.exe" /RL HIGHEST
         - Creates scheduled task(s)
         PID: 1488
1⤵ C:\Users\Admin\AppData\Local\Temp\B720.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\B720.exe
   PID: 2700
1⤵ C:\Windows\windefender.exe
   Command line: C:\Windows\windefender.exe
   PID: 988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads
-
Filesize 382KB
MD5 7bc600636df910a18eda22e9b44bf2a0
SHA1 3b8285384c871428b704ddd68177a0dd64fedb57
SHA256 80f13e1e33103f317376cb0d6a8295ba68b2f3d801e5a79718fe9748d5cfb135
SHA512 9d5c9a5b8d7d815d01422825bd404e8c15758a871f5472032a87fa17c2a64f3ec6a62857f4191151f2df05bbcb0f6ca5625665b448f1abae83cefdbd7afa141f
-
Filesize 92KB
MD5 34a8ce442674425ae01d01e7f4c88bcb
SHA1 d7d30970aa75ce1271402a0adae465fe1f9995c9
SHA256 7a084687df35c670ce06698e719664a55198c43660d47fc8fb16afda7ac59062
SHA512 9ddecb5b6827a1aff9682cc442d03a9a711dadf2325a4e3044eb3e8b3b465f0bfbf61b916408da1cc84585185c2794a80d1c636a7646441ed2f104fea6386ea3
-
Filesize 137KB
MD5 0ef3debf14ebb863953569d7c0a0990a
SHA1 c04a0b3f2e6538e7e3fbeb19fd74db9a283ae7aa
SHA256 82714b5f85e7bd57f9f3e8289701bcd783d95dcec1f81938bc7c982e091e81e9
SHA512 642a5c6c0b11032b5d2d583b2b9d60a5251c56c367e3eb085fcfc49c2d1179ef4f31386c5407586a2abd42c9059b81b7f10e29d502c670d09513823092721e9c
-
Filesize 283KB
MD5 2d24e3baa2a16e47bee10e91381e6391
SHA1 013b59b2cd69e93694196dfb34fddc8684cfd619
SHA256 ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4
SHA512 be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7