Resubmissions
22-08-2024 15:33  240822-sy6bqsvbng  7
10-03-2024 16:21  240310-ttpc4aga89  10
10-03-2024 12:34  240310-prvpwacf93  10

Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-03-2024 12:34
Static task: static1
Behavioral task: behavioral1, sample file.exe, resource win7-20240221-en
Behavioral task: behavioral2, sample file.exe, resource win10v2004-20240226-en (every IoC in the signatures below references behavioral1, the Windows 7 run)

General
Target: file.exe
Size: 2.4MB
MD5: b11c3fad2e48022f58635df7368d6441
SHA1: 63883fee892ac1e0d44f568913931c0d59b343d1
SHA256: 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
SHA512: 6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023
SSDEEP: 49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y
Malware Config
Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php
Extracted: smokeloader
  pub1
Extracted: djvu
  http://sajdfue.com/test1/get.php
  extension: .wisz
  offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
  payload_url: http://sdfjhuz.com/dl/build2.exe (build2.exe runs below as pids 2072 and 2536; the Vidar rule matched in 2072's memory)
  payload_url: http://sajdfue.com/files/1/build3.exe
  ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 capable of loading additional plugins. No IoCs are listed for this match.

Detect Vidar Stealer (1 IoC)
behavioral1/memory/2072-513-0x00000000001C0000-0x00000000001F2000-memory.dmp  family_vidar_v7

Detected Djvu ransomware (9 IoCs)
behavioral1/memory/1876-413-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2484-420-0x0000000001E20000-0x0000000001F3B000-memory.dmp  family_djvu
behavioral1/memory/1876-421-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1876-459-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2732-484-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2732-485-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2732-489-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2732-503-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2732-495-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload (3 IoCs)
behavioral1/memory/1536-257-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/1536-259-0x0000000002A70000-0x000000000335B000-memory.dmp  family_glupteba
behavioral1/memory/2824-314-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
Windows Defender exclusions set (7 IoCs)
All written by OfGko1bZzBM1bzFb5LZvvAbE.exe, the process whose memory matched the Glupteba rule (pids 1536 and 2824); the excluded locations C:\Windows\rss and csrss.exe are where it drops its own copy (see Drops file in Windows directory).
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\OfGko1bZzBM1bzFb5LZvvAbE.exe = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"
Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid 892  netsh.exe

Drops startup file (5 IoCs)
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtARml6NECrzLUGLB7hgMhwu.bat  installutil.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pIOEFc6hWJr0ydchr4qX0pdM.bat  installutil.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbRb1W98nJwYQkPShG3885Kw.bat  installutil.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7k5hHQOMhVXIgk5NOvr2fzWN.bat  installutil.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qqm1DwwHC3wYyZ7mEKL5cCWr.bat  installutil.exe

Executes dropped EXE (17 IoCs)
1408  lhaKue16whW8WUISCby4hZAF.exe
1500  lhaKue16whW8WUISCby4hZAF.tmp
2152  NolrxR1gqvTZnweAPnvkbGms.exe
2828  syncUpd.exe
1536  OfGko1bZzBM1bzFb5LZvvAbE.exe
1872  sOTZbo1xnbBjnslt8Zdndn9H.exe
2824  OfGko1bZzBM1bzFb5LZvvAbE.exe
1732  csrss.exe
584   BroomSetup.exe
1096  patch.exe
2336  injector.exe
2484  6F19.exe
1876  6F19.exe
2948  6F19.exe
2732  6F19.exe
2072  build2.exe
2536  build2.exe

Loads dropped DLL (38 IoCs, grouped by process with the number of loads)
2728  installutil.exe (6)
1408  lhaKue16whW8WUISCby4hZAF.exe (1)
1500  lhaKue16whW8WUISCby4hZAF.tmp (3)
2152  NolrxR1gqvTZnweAPnvkbGms.exe (5)
2824  OfGko1bZzBM1bzFb5LZvvAbE.exe (2)
852   Process not Found (1)
1732  csrss.exe (1)
1096  patch.exe (8)
2484  6F19.exe (1)
2828  syncUpd.exe (2)
1876  6F19.exe (2)
2948  6F19.exe (1)
2732  6F19.exe (2)
376   WerFault.exe (3)

Modifies file permissions (1 TTP, 1 IoC)
pid 556  icacls.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
UPX-packed file (yara rule upx, 2 IoCs)
behavioral1/files/0x0007000000016c15-324.dat  upx
behavioral1/files/0x0007000000016c15-317.dat  upx

Windows Defender exclusions set (7 IoCs, second listing)
The same seven Windows Defender exclusion entries written by OfGko1bZzBM1bzFb5LZvvAbE.exe (Processes: windefender.exe, OfGko1bZzBM1bzFb5LZvvAbE.exe, csrss.exe; Paths: C:\Windows\windefender.exe, C:\Windows\System32\drivers, C:\Windows\rss, C:\Users\Admin\AppData\Local\Temp\csrss; each = "0") are reported a second time here in a different order.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Both entries are per-user Run values under HKU\S-1-5-21-3787592910-3720486031-2929222812-1000: the Glupteba process registers the csrss.exe copy it drops in C:\Windows\rss, and the Djvu loader 6F19.exe registers itself under the name SysHelper with the --AutoStart switch.
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bf75f872-64ea-4beb-9242-0cdc8b441b91\\6F19.exe\" --AutoStart"  6F19.exe
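The Windows Defender exclusion writes and the two Run keys above are the registry records worth turning into alerts. The following is an added example for this page, not the sandbox's tooling: a parser for the report's "Set value" line format, with classification rules written here that turn each line into a finding (Defender exclusion tampering, including a flag when a process excludes its own image, and per-user Run-key persistence). The input lines are copied from this report; one MuiCache line is included as a negative control.

```python
"""Classify sandbox 'Set value' registry records into findings.
Added example: the line format is the report's, the rules are this page's own."""
import re
from collections import defaultdict

# Lines copied from the signatures on this page (last line is a negative control).
REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\OfGko1bZzBM1bzFb5LZvvAbE.exe = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" OfGko1bZzBM1bzFb5LZvvAbE.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bf75f872-64ea-4beb-9242-0cdc8b441b91\\6F19.exe\" --AutoStart" 6F19.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" OfGko1bZzBM1bzFb5LZvvAbE.exe
"""

# Set value (<type>) <registry path> = "<data>" <process image>
LINE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
EXCL_MARK = "\\Windows Defender\\Exclusions\\"
RUN_MARK = "\\CurrentVersion\\Run\\"


def parse_line(line):
    """Return (value_type, registry_path, data, process) or None for other records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    vtype, path, data, proc = m.groups()
    # The report escapes quotes and backslashes inside string data; undo that.
    data = data.replace('\\"', '"').replace("\\\\", "\\")
    return vtype, path, data, proc


def classify(line):
    parsed = parse_line(line)
    if parsed is None:
        return None
    _vtype, path, data, proc = parsed
    if EXCL_MARK in path:
        # ...\Exclusions\<Paths|Processes|Extensions>\<item>; a path item keeps its backslashes.
        kind, _, item = path.partition(EXCL_MARK)[2].partition("\\")
        # Exclusion entries are REG_DWORD values whose data is 0 while the exclusion is active.
        return {"process": proc, "category": "defender_exclusion",
                "kind": kind, "item": item, "active": data == "0"}
    if RUN_MARK in path:
        hive, _, name = path.rpartition("\\")
        return {"process": proc, "category": "run_key", "name": name, "command": data,
                "per_user": hive.startswith("\\REGISTRY\\USER\\")}
    return {"process": proc, "category": "other", "path": path}


def summarize(text):
    """Group findings per writing process; flag a process that excludes its own image."""
    out = defaultdict(lambda: {"defender_exclusions": [], "run_keys": [],
                               "self_exclusion": False, "other": 0})
    for line in text.strip().splitlines():
        f = classify(line)
        if f is None:
            continue
        entry = out[f["process"]]
        if f["category"] == "defender_exclusion":
            entry["defender_exclusions"].append((f["kind"], f["item"]))
            if f["kind"] == "Processes" and f["item"].lower() == f["process"].lower():
                entry["self_exclusion"] = True
        elif f["category"] == "run_key":
            entry["run_keys"].append((f["name"], f["command"]))
        else:
            entry["other"] += 1
    return dict(out)


if __name__ == "__main__":
    for proc, s in summarize(REPORT_LINES).items():
        print(proc, s)
```

On a live host the same two checks translate to reading `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\*` and the per-user `Run` keys; an exclusion whose item is the writing process itself, or a directory the same process has just created under C:\Windows, is the pattern to page on.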
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 2  pastebin.com
flow 5  pastebin.com

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 67  api.2ip.ua
flow 60  api.2ip.ua
flow 61  api.2ip.ua

Suspicious use of SetThreadContext (4 IoCs)
Two of the targets, 1876 and 2732, are the 6F19.exe children in which the Djvu rule matched at 0x400000, the pattern left by process hollowing; the build2.exe child 2536 crashed (see Program crash), which is why the Vidar rule fired only on the parent 2072.
PID 2516 set thread context of 2728  pid 2516  file.exe  procid_target 28
PID 2484 set thread context of 1876  pid 2484  6F19.exe  procid_target 68
PID 2948 set thread context of 2732  pid 2948  6F19.exe  procid_target 72
PID 2072 set thread context of 2536  pid 2072  build2.exe  procid_target 75
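The SetThreadContext records are the pivot for reading this report: joined with the memory YARA hits they show which injected children actually carry a payload. The block below is an added example, not the sandbox's code. It parses the four records, the memory-dump hit names, the WerFault record and a pid-to-image table, all copied from the lists on this page, and flags a target whose memory has a family match at the default 32-bit image base as hollowed (a heuristic chosen here, not a sandbox verdict).

```python
"""Correlate SetThreadContext edges with memory YARA hits and crash records.
Added example for this page; the regexes follow the report's own line formats."""
import re
from collections import defaultdict

# Records copied from the signatures on this page.
SET_CONTEXT = """
PID 2516 set thread context of 2728 2516 file.exe 28
PID 2484 set thread context of 1876 2484 6F19.exe 68
PID 2948 set thread context of 2732 2948 6F19.exe 72
PID 2072 set thread context of 2536 2072 build2.exe 75
"""
YARA_HITS = """
behavioral1/memory/2072-513-0x00000000001C0000-0x00000000001F2000-memory.dmp family_vidar_v7
behavioral1/memory/1876-413-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2484-420-0x0000000001E20000-0x0000000001F3B000-memory.dmp family_djvu
behavioral1/memory/2732-484-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1536-257-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/2824-314-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
"""
CRASH_RECORDS = "376 2536 WerFault.exe 75"
# pid -> image, from the "Executes dropped EXE" and "Loads dropped DLL" lists above.
PROC_NAMES = {
    2516: "file.exe", 2728: "installutil.exe", 2484: "6F19.exe", 1876: "6F19.exe",
    2948: "6F19.exe", 2732: "6F19.exe", 2072: "build2.exe", 2536: "build2.exe",
}

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")
CRASH_RE = re.compile(r"(\d+) (\d+) WerFault\.exe (\d+)")
IMAGE_BASE = 0x400000  # default load address of a non-relocated 32-bit image


def parse_injections(text):
    """Each record: injecting pid, target pid, injecting pid again, injector image, procid."""
    return [{"source": int(s), "target": int(t), "source_name": name}
            for s, t, _pid, name, _procid in CTX_RE.findall(text)]


def parse_yara_hits(text):
    """Map pid -> [(rule, region start, region end)] from memory-dump resource names."""
    hits = defaultdict(list)
    for pid, start, end, rule in DUMP_RE.findall(text):
        hits[int(pid)].append((rule, int(start, 16), int(end, 16)))
    return hits


def parse_crashes(text):
    """The pid_target column of each WerFault record is the process that crashed."""
    return {int(target) for _wer, target, _procid in CRASH_RE.findall(text)}


def correlate(ctx_text, yara_text, crash_text, names):
    hits, crashed = parse_yara_hits(yara_text), parse_crashes(crash_text)
    rows = []
    for e in parse_injections(ctx_text):
        tgt = hits.get(e["target"], [])
        rows.append({
            **e,
            "target_name": names.get(e["target"], "?"),
            "source_families": {r for r, _, _ in hits.get(e["source"], [])},
            "target_families": {r for r, _, _ in tgt},
            # A family match sitting at the child's image base is the footprint of
            # process hollowing: the mapped image was replaced by the unpacked payload.
            "hollowed": any(start == IMAGE_BASE for _, start, _ in tgt),
            "target_crashed": e["target"] in crashed,
        })
    return rows


if __name__ == "__main__":
    for r in correlate(SET_CONTEXT, YARA_HITS, CRASH_RECORDS, PROC_NAMES):
        print(f'{r["source_name"]}({r["source"]}) -> {r["target_name"]}({r["target"]}): '
              f'target={sorted(r["target_families"])} hollowed={r["hollowed"]} '
              f'crashed={r["target_crashed"]} source={sorted(r["source_families"])}')
```

The edge file.exe(2516) -> installutil.exe(2728) has no memory hit on either side; it is still the one to follow first, since installutil.exe is the process that then drops the startup .bat files and loads the dropped DLLs listed above.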
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
File opened (read-only) \??\VBoxMiniRdrDN  OfGko1bZzBM1bzFb5LZvvAbE.exe

Drops file in Windows directory (3 IoCs)
File created C:\Windows\Logs\CBS\CbsPersist_20240310123451.cab  makecab.exe (CBS log archival by the servicing stack, unrelated to the sample)
File opened for modification C:\Windows\rss  OfGko1bZzBM1bzFb5LZvvAbE.exe
File created C:\Windows\rss\csrss.exe  OfGko1bZzBM1bzFb5LZvvAbE.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid 376  WerFault.exe, pid_target 2536 (build2.exe), procid_target 75

NSIS installer (2 IoCs)
behavioral1/files/0x0006000000015c2f-188.dat  nsis_installer_2
behavioral1/files/0x0006000000015c2f-201.dat  nsis_installer_2

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sOTZbo1xnbBjnslt8Zdndn9H.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sOTZbo1xnbBjnslt8Zdndn9H.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sOTZbo1xnbBjnslt8Zdndn9H.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  syncUpd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  syncUpd.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 560  schtasks.exe
pid 2904  schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
All entries are Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\ unless noted. MuiCache strings are cached when a process resolves localized resource strings, so these entries record the time-zone display names OfGko1bZzBM1bzFb5LZvvAbE.exe looked up and the NAP strings netsh.exe resolved, not a persistence mechanism.
OfGko1bZzBM1bzFb5LZvvAbE.exe, resource strings from C:\Windows\system32\,@tzres.dll (58):
-291 "Central European Daylight Time"; -162 "Central Standard Time"; -252 "Dateline Standard Time"; -281 "Central Europe Daylight Time"; -721 "Central Pacific Daylight Time"; -472 "Ekaterinburg Standard Time"; -122 "SA Pacific Standard Time"; -334 "Jordan Daylight Time"; -791 "SA Western Daylight Time"; -449 "Azerbaijan Standard Time"; -11 "Azores Daylight Time"; -522 "N. Central Asia Standard Time"; -831 "SA Eastern Daylight Time"; -382 "South Africa Standard Time"; -302 "Romance Standard Time"; -131 "US Eastern Daylight Time"; -442 "Arabian Standard Time"; -912 "Mauritius Standard Time"; -551 "North Asia Daylight Time"; -842 "Argentina Standard Time"; -435 "Georgian Standard Time"; -51 "Greenland Daylight Time"; -391 "Arab Daylight Time"; -251 "Dateline Daylight Time"; -112 "Eastern Standard Time"; -542 "Myanmar Standard Time"; -22 "Cape Verde Standard Time"; -771 "Montevideo Daylight Time"; -631 "Tokyo Daylight Time"; -571 "China Daylight Time"; -1471 "Magadan Daylight Time"; -172 "Central Standard Time (Mexico)"; -351 "FLE Daylight Time"; -385 "Namibia Standard Time"; -91 "Pacific SA Daylight Time"; -561 "SE Asia Daylight Time"; -132 "US Eastern Standard Time"; -402 "Arabic Standard Time"; -292 "Central European Standard Time"; -191 "Mountain Daylight Time"; -792 "SA Western Standard Time"; -672 "AUS Eastern Standard Time"; -662 "Cen. Australia Standard Time"; -21 "Cape Verde Daylight Time"; -352 "FLE Standard Time"; -1472 "Magadan Standard Time"; -182 "Mountain Standard Time (Mexico)"; -502 "Nepal Standard Time"; -231 "Hawaiian Daylight Time"; -448 "Azerbaijan Daylight Time"; -434 "Georgian Daylight Time"; -384 "Namibia Daylight Time"; -741 "New Zealand Daylight Time"; -301 "Romance Daylight Time"; -262 "GMT Standard Time"; -492 "India Standard Time"; -432 "Iran Standard Time"; -431 "Iran Daylight Time"
netsh.exe (6):
@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"; @%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"; @%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"; @%SystemRoot%\system32\napipsec.dll,-4 = "1.0"; @%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"; Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace
System certificate store entries written (12 IoCs)
The three thumbprints are those of public CA roots: DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 is DigiCert Global Root G2 (its CN is readable in the DER below), 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is DigiCert High Assurance EV Root CA, and D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is Baltimore CyberTrust Root. The build2.exe blob carries enhanced-key-usage and friendly-name properties ("DigiCert" in UTF-16), which is what the Windows automatic root update writes to AuthRoot when a process validates a TLS chain; these records are consistent with chain building during the network activity above rather than with a rogue root being installed. Blob values marked "omitted in the source" were not present on the page.
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (omitted in the source)  patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (omitted in the source)  patch.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474  patch.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  build2.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob  build2.exe:
0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4  csrss.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob  csrss.exe:
030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4  patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob  patch.exe:
1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (omitted in the source)  patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (omitted in the source)  patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (omitted in the source)  build2.exe
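A certificate-store write is only worth escalating once you know which certificate landed, so the check a practitioner wants here is to decode the Blob. The block below is an added example for this page, not the sandbox's code: it walks the CryptoAPI serialized-property layout (DWORD property id, DWORD reserved = 1, DWORD length, then the bytes), pulls the DER certificate out of property 0x20, compares the stored SHA-1 property with the registry key name, recomputes SHA-1 over the DER, and reads the issuer/subject CN and validity dates straight from the DER. The blob is the one patch.exe wrote under ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob, copied from the record above; the property-id constants are the CryptoAPI values.

```python
"""Decode a CryptoAPI certificate-store Blob and identify the certificate.
Added example for this page; the blob below is copied from the report."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3        # 20-byte SHA-1 of the certificate
CERT_SIGNATURE_HASH_PROP_ID = 15  # hash of the signature
CERT_KEY_IDENTIFIER_PROP_ID = 20  # subject key identifier
CERT_CERT_PROP_ID = 32            # the DER-encoded certificate itself

# Name used for both issuer and subject (C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2).
DN_HEX = ("3061310b300906035504061302555331153013060355040a130c446967694365727420496e63"
          "31193017060355040b13107777772e64696769636572742e636f6d3120301e0603550403131744"
          "6967694365727420476c6f62616c20526f6f74204732")

BLOB_HEX = "".join([
    "1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39",  # key identifier
    "030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a4",  # SHA-1 hash
    "0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3",
    "200000000100000092030000",  # CERT_CERT_PROP_ID, 0x392 = 914 bytes of DER follow
    "3082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b0500",
    DN_HEX,
    "301e170d3133303830313132303030305a170d3338303131353132303030305a",  # validity
    DN_HEX,
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",  # RSA public key
    "bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a",
    "89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50",
    "b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2e",
    "a52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8f",
    "f2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3",
    "fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a5714",
    "7c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac4",
    "6728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b133832985",
    "0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186",
    "301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100",
    "606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f7377",  # signature
    "2a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e1",
    "76d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a",
    "3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada",
    "963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b1",
    "8e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe53",
    "46fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d5",
    "6faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6",
])


def parse_cert_blob(blob):
    """Walk the property list; a short final property is reported, not raised."""
    props, off, truncated = {}, 0, False
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        truncated |= len(data) < length
        props[prop_id] = data
        off += length
    return props, truncated


def common_names(der):
    """Every commonName (OID 2.5.4.3) string in the DER: issuer CN first, then subject CN."""
    oid, names, i = b"\x06\x03\x55\x04\x03", [], der.find(b"\x06\x03\x55\x04\x03")
    while i != -1:
        tag, length = der[i + 5], der[i + 6]
        if tag in (0x13, 0x0C) and length < 0x80:  # PrintableString / UTF8String, short form
            names.append(der[i + 7:i + 7 + length].decode("latin-1"))
        i = der.find(oid, i + 5)
    return names


def validity(der):
    """The Validity SEQUENCE of two UTCTimes: 30 1e 17 0d <13 bytes> 17 0d <13 bytes>."""
    i = der.find(b"\x30\x1e\x17\x0d")
    return None if i == -1 else (der[i + 4:i + 17].decode("ascii"), der[i + 19:i + 32].decode("ascii"))


def inspect_blob(key_thumbprint_hex, blob_hex):
    props, truncated = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get(CERT_CERT_PROP_ID, b"")
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    ski = props.get(CERT_KEY_IDENTIFIER_PROP_ID)
    names = common_names(der)
    return {"props": sorted(props), "truncated": truncated, "der": der,
            "key_matches_stored_hash": stored == key_thumbprint_hex.upper(),
            "der_sha1_matches_key": hashlib.sha1(der).hexdigest().upper() == key_thumbprint_hex.upper(),
            "common_names": names, "self_signed": len(names) == 2 and names[0] == names[1],
            "validity": validity(der), "key_identifier_in_der": bool(ski) and ski in der}


if __name__ == "__main__":
    result = inspect_blob("DF3C24F9BFD666761B268073FE06D1CC8D4F82A4", BLOB_HEX)
    for k, v in result.items():
        print(k, v if k != "der" else f"{len(v)} bytes")
```

The registry key name is only a label; `der_sha1_matches_key` is the check that the bytes stored under it really are the certificate the thumbprint claims, and `common_names` is what tells you whether that is a public root or something an attacker minted. For a blob that is a faithful copy of a genuine DigiCert Global Root G2, both the stored-hash comparison and the recomputed SHA-1 agree with the key name.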
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process                        entries
1500  lhaKue16whW8WUISCby4hZAF.tmp   2
1872  sOTZbo1xnbBjnslt8Zdndn9H.exe   2
2828  syncUpd.exe                    1
1536  OfGko1bZzBM1bzFb5LZvvAbE.exe   1
1216  Process not Found              58
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
1872  sOTZbo1xnbBjnslt8Zdndn9H.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description                          pid   Process
Token: SeDebugPrivilege              2728  installutil.exe
Token: SeDebugPrivilege              1536  OfGko1bZzBM1bzFb5LZvvAbE.exe
Token: SeImpersonatePrivilege        1536  OfGko1bZzBM1bzFb5LZvvAbE.exe
Token: SeShutdownPrivilege           1216  Process not Found
Token: SeSystemEnvironmentPrivilege  1732  csrss.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1500  lhaKue16whW8WUISCby4hZAF.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
584   BroomSetup.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process                        procid_target  entries
PID 2516 wrote to memory of 2728  2516  file.exe                       28             12
PID 2516 wrote to memory of 2540  2516  file.exe                       29             7
PID 2728 wrote to memory of 1408  2728  installutil.exe                30             7
PID 1408 wrote to memory of 1500  1408  lhaKue16whW8WUISCby4hZAF.exe   31             7
PID 2728 wrote to memory of 2152  2728  installutil.exe                32             4
PID 2152 wrote to memory of 2828  2152  NolrxR1gqvTZnweAPnvkbGms.exe   33             4
PID 2728 wrote to memory of 1536  2728  installutil.exe                34             4
PID 2728 wrote to memory of 1872  2728  installutil.exe                35             4
PID 2824 wrote to memory of 2960  2824  OfGko1bZzBM1bzFb5LZvvAbE.exe   43             4
PID 2960 wrote to memory of 892   2960  cmd.exe                        46             3
PID 2824 wrote to memory of 1732  2824  OfGko1bZzBM1bzFb5LZvvAbE.exe   48             4
PID 2152 wrote to memory of 584   2152  NolrxR1gqvTZnweAPnvkbGms.exe   49             4
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; each child is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\file.exe  PID:2516
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe  PID:2728
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe  PID:1408
          cmdline: "C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp  PID:1500
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp" /SL5="$60160,1697450,56832,C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow

        C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe  PID:2152
          cmdline: "C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\syncUpd.exe  PID:2828
              cmdline: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses

            C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe  PID:584
              cmdline: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

                C:\Windows\SysWOW64\cmd.exe  PID:1272
                  cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

                    C:\Windows\SysWOW64\chcp.com  PID:1736
                      cmdline: chcp 1251

                    C:\Windows\SysWOW64\schtasks.exe  PID:560
                      cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                      - Creates scheduled task(s)

        C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe  PID:1536
          cmdline: "C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe  PID:2824
              cmdline: "C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe"
              - Windows security bypass
              - Executes dropped EXE
              - Loads dropped DLL
              - Windows security modification
              - Adds Run key to start application
              - Checks for VirtualBox DLLs, possible anti-VM trick
              - Drops file in Windows directory
              - Modifies data under HKEY_USERS
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\cmd.exe  PID:2960
                  cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\netsh.exe  PID:892
                      cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                      - Modifies Windows Firewall
                      - Modifies data under HKEY_USERS

                C:\Windows\rss\csrss.exe  PID:1732
                  cmdline: C:\Windows\rss\csrss.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Modifies system certificate store
                  - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\system32\schtasks.exe  PID:2904
                      cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      - Creates scheduled task(s)

                    C:\Windows\system32\schtasks.exe  PID:2400
                      cmdline: schtasks /delete /tn ScheduledUpdate /f

                    C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe  PID:1096
                      cmdline: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - Modifies system certificate store

                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  PID:2336
                      cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      - Executes dropped EXE

        C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe  PID:1872
          cmdline: "C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe"
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe  PID:2540
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\system32\makecab.exe  PID:2536
  cmdline: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240310123451.log C:\Windows\Logs\CBS\CbsPersist_20240310123451.cab
  - Drops file in Windows directory

C:\Windows\system32\cmd.exe  PID:2640
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3B6B.bat" "

    C:\Windows\system32\reg.exe  PID:2068
      cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\6F19.exe  PID:2484
  cmdline: C:\Users\Admin\AppData\Local\Temp\6F19.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Local\Temp\6F19.exe  PID:1876
      cmdline: C:\Users\Admin\AppData\Local\Temp\6F19.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application

        C:\Windows\SysWOW64\icacls.exe  PID:556
          cmdline: icacls "C:\Users\Admin\AppData\Local\bf75f872-64ea-4beb-9242-0cdc8b441b91" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          - Modifies file permissions

        C:\Users\Admin\AppData\Local\Temp\6F19.exe  PID:2948
          cmdline: "C:\Users\Admin\AppData\Local\Temp\6F19.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext

            C:\Users\Admin\AppData\Local\Temp\6F19.exe  PID:2732
              cmdline: "C:\Users\Admin\AppData\Local\Temp\6F19.exe" --Admin IsNotAutoStart IsNotTask
              - Executes dropped EXE
              - Loads dropped DLL

                C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe  PID:2072
                  cmdline: "C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext

                    C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe  PID:2536
                      cmdline: "C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe"
                      - Executes dropped EXE
                      - Modifies system certificate store

                        C:\Windows\SysWOW64\WerFault.exe  PID:376
                          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1448
                          - Loads dropped DLL
                          - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads