Overview (score 10)
Static (score 10)
Behavioral task scores (sample, platform: score):
9070036232...0N.exe, windows7-x64: 10
9070036232...0N.exe, windows10-2004-x64: 10
$0.dll, windows7-x64: 3
$0.dll, windows10-2004-x64: 3
$2.exe, windows7-x64: 3
$2.exe, windows10-2004-x64: 3
$3.exe, windows7-x64: 3
$3.exe, windows10-2004-x64: 3
$COMMONFIL...st.exe, windows7-x64: 3
$COMMONFIL...st.exe, windows10-2004-x64: 3
$COMMONFIL...64.exe, windows7-x64: 1
$COMMONFIL...64.exe, windows10-2004-x64: 1
$COMMONFIL...dr.dll, windows7-x64: 1
$COMMONFIL...dr.dll, windows10-2004-x64: 1
$COMMONFIL...dr.sys, windows7-x64: 1
$COMMONFIL...dr.sys, windows10-2004-x64: 1
$COMMONFIL...dr.dll, windows7-x64: 3
$COMMONFIL...dr.dll, windows10-2004-x64: 3
$COMMONFIL...dr.sys, windows7-x64: 1
$COMMONFIL...dr.sys, windows10-2004-x64: 1
$PLUGINSDI...em.dll, windows7-x64: 3
$PLUGINSDI...em.dll, windows10-2004-x64: 3
ssranghk.dll, windows7-x64: 3
ssranghk.dll, windows10-2004-x64: 3
Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16-08-2024 19:31
Behavioral task | Sample | Resource
behavioral1 | 9070036232769ef3d265188fff67ea50N.exe | win7-20240708-en
behavioral2 | 9070036232769ef3d265188fff67ea50N.exe | win10v2004-20240802-en
behavioral3 | $0.dll | win7-20240705-en
behavioral4 | $0.dll | win10v2004-20240802-en
behavioral5 | $2.exe | win7-20240704-en
behavioral6 | $2.exe | win10v2004-20240802-en
behavioral7 | $3.exe | win7-20240729-en
behavioral8 | $3.exe | win10v2004-20240802-en
behavioral9 | $COMMONFILES/supportdotcom/rang/driverinst.exe | win7-20240708-en
behavioral10 | $COMMONFILES/supportdotcom/rang/driverinst.exe | win10v2004-20240802-en
behavioral11 | $COMMONFILES/supportdotcom/rang/driverinst64.exe | win7-20240705-en
behavioral12 | $COMMONFILES/supportdotcom/rang/driverinst64.exe | win10v2004-20240802-en
behavioral13 | $COMMONFILES/supportdotcom/rang/nt_amd64/ssmirrdr.dll | win7-20240708-en
behavioral14 | $COMMONFILES/supportdotcom/rang/nt_amd64/ssmirrdr.dll | win10v2004-20240802-en
behavioral15 | $COMMONFILES/supportdotcom/rang/nt_amd64/ssmirrdr.sys | win7-20240704-en
behavioral16 | $COMMONFILES/supportdotcom/rang/nt_amd64/ssmirrdr.sys | win10v2004-20240802-en
behavioral17 | $COMMONFILES/supportdotcom/rang/nt_x86/ssmirrdr.dll | win7-20240705-en
behavioral18 | $COMMONFILES/supportdotcom/rang/nt_x86/ssmirrdr.dll | win10v2004-20240802-en
behavioral19 | $COMMONFILES/supportdotcom/rang/nt_x86/ssmirrdr.sys | win7-20240704-en
behavioral20 | $COMMONFILES/supportdotcom/rang/nt_x86/ssmirrdr.sys | win10v2004-20240802-en
behavioral21 | $PLUGINSDIR/System.dll | win7-20240708-en
behavioral22 | $PLUGINSDIR/System.dll | win10v2004-20240802-en
behavioral23 | ssranghk.dll | win7-20240704-en
behavioral24 | ssranghk.dll | win10v2004-20240802-en
General
Target: 9070036232769ef3d265188fff67ea50N.exe
Size: 1.9MB
MD5: 9070036232769ef3d265188fff67ea50
SHA1: 1d1aabe9cc3e2259452e31c8bcaddfbd845fc003
SHA256: 061be13ea4ba484514d798f70838648d72f09a5ca6c58a608d9b6d28e63146d1
SHA512: a3397b4f583b2839be791552515c063d3d5505909449ef94370e1e6163a0b1e8d359a8d19273c911b4b49bfc4537737631b7677aa759014723d79df8b2d8ea9f
SSDEEP: 49152:8gwH+Hl2+jmaJhsYAH5e6duUPUau0rqURpUpE129j:pF2+/ZAHRu0UwmypUrJ
Malware Config
Signatures
Detects Strela Stealer payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0005000000018736-30.dat | family_strela
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\SETE9A4.tmp | DrvInst.exe
File created | C:\Windows\system32\DRIVERS\SETE9A4.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\ssmirrdr.sys | DrvInst.exe
Executes dropped EXE 5 IoCs
pid | Process
3056 | driverinst64.exe
2644 | ssrangsv.exe
2060 | ssrangsv.exe
2160 | ssrangsv.exe
860 | ssrangui.exe
Loads dropped DLL 11 IoCs
pid | Process
2956 | 9070036232769ef3d265188fff67ea50N.exe (listed 6 times)
2160 | ssrangsv.exe (listed 5 times)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64\SETE89B.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64 | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66} | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | driverinst64.exe
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | driverinst64.exe
File opened for modification | C:\Windows\system32\ssmirrdr.dll | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64\ssmirrdr.dll | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\SETE89C.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\SETE89D.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF | DrvInst.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YFMPAZ73.txt | ssrangsv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | ssrangsv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | ssrangsv.exe
File created | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64\SETE89B.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\SETE89D.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\ssmirrdr-nt_amd64.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | DrvInst.exe
File created | C:\Windows\system32\SETE9C4.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64\SETE88B.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64\ssmirrdr.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\SETE89C.tmp | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C | ssrangsv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | ssrangsv.exe
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | driverinst64.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\current_time_in_US-CA[1].htm | ssrangsv.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF | DrvInst.exe
File created | C:\Windows\System32\DriverStore\INFCACHE.0 | DrvInst.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\current_time_in_US-CA[1].aspx | ssrangsv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YFMPAZ73.txt | ssrangsv.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\ssmirrdr.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ssrangsv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C | ssrangsv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | ssrangsv.exe
File created | C:\Windows\System32\DriverStore\Temp\{1f979ddb-420e-0f81-548d-fb4926e84f66}\nt_amd64\SETE88B.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\SETE9C4.tmp | DrvInst.exe
Drops file in Program Files directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\supportdotcom\rang\ | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.sys | 9070036232769ef3d265188fff67ea50N.exe
File opened for modification | C:\Program Files (x86)\supportdotcom\rang\nseE69A.tmp | 9070036232769ef3d265188fff67ea50N.exe
File opened for modification | C:\Program Files (x86)\supportdotcom\rang\nstE6AA.tmp | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst.exe | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_amd64.cat | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr.inf | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.dll | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\support.ico | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[8-16-2024 - 19.32.2].log | ssrangsv.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.sys | 9070036232769ef3d265188fff67ea50N.exe
File opened for modification | C:\Program Files (x86)\supportdotcom\rang\nstE6F9.tmp | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\uninst.exe | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[8-16-2024 - 19.32.1].log | ssrangsv.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_x86.cat | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.dll | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\ssranghk.dll | 9070036232769ef3d265188fff67ea50N.exe
File created | C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[8-16-2024 - 19.31.58].log | ssrangsv.exe
Drops file in Windows directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.app.log | driverinst64.exe
File opened for modification | C:\Windows\setupact.log | driverinst64.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\setupact.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev2 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\oem2.inf | DrvInst.exe
File created | C:\Windows\INF\oem2.PNF | DrvInst.exe
File opened for modification | C:\Windows\setuperr.log | driverinst64.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | driverinst64.exe
File created | C:\Windows\INF\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\setuperr.log | DrvInst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ssrangui.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9070036232769ef3d265188fff67ea50N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ssrangsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ssrangsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ssrangsv.exe
Modifies Control Panel 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\ScreenSaveActive = "0" | ssrangui.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\ScreenSaveTimeOut = "0" | ssrangui.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main | ssrangui.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-b5-a0-c5-84-ec\WpadDecisionTime = f05c762f13f0da01 | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-b5-a0-c5-84-ec | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | ssrangsv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-b5-a0-c5-84-ec\WpadDetectedUrl | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | ssrangsv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | ssrangsv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-b5-a0-c5-84-ec\WpadDecisionReason = "1" | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation = "0" | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{353879F2-CEFB-457D-814F-FD0D1F336EDD}\WpadDecisionTime = f09fb10b13f0da01 | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-b5-a0-c5-84-ec\WpadDecisionTime = 700a921d13f0da01 | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-b5-a0-c5-84-ec\WpadDecisionTime = f09fb10b13f0da01 | ssrangsv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ssrangsv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{437A2AB1-CA7F-4896-8F61-C76826FB602D} | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FFB5080-D7EA-42D9-8EE4-A5DD03FE0EC6} | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4026DFB9-7691-4142-B71C-DCF08EA4DD9C}\ProxyStubClsid32 | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B1921E1-54AC-11D3-9144-00104BA11C5E} | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43826D1E-E718-42EE-BC55-A1E261C37BFE}\ = "IShellItem" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72EB0E17-AF29-425E-A698-613587058A9A}\ProxyStubClsid32 | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279FEB8-5CA4-45C4-BE27-770DCDEA1DEB}\ProxyStubClsid32 | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AF6E03F-D664-4EF4-9626-F7E0ED36755E}\ProxyStubClsid32 | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F48517-F305-4321-A08D-B25A834918FD}\ = "ISyncMgrSessionCreator" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90701133-BE32-4129-A65C-99E616CAFFF4}\ProxyStubClsid32 | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF} | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9206E9DC-8C77-4D4B-ADF0-4E5FE5F204AB}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DD5C44E-8D20-45A9-BFE3-645CEEBC2C9F}\ProxyStubClsid32 | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DD5C44E-8D20-45A9-BFE3-645CEEBC2C9F}\NumMethods | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{458725B9-129D-4135-A998-9CEAFEC27007}\NumMethods | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{37E412F9-016E-44C2-81FF-DB3ADD774266}\ = "ISyncMgrEventStore" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C691564-057C-430A-BC66-2120BFB048F7}\NumMethods\ = "7" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AB4C8DA-D038-4830-8DD9-3253C55A127F}\SynchronousInterface\ = "{4E982FED-D14B-440C-B8D6-BB386453D386}" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CB95A6A-88B6-4DC4-B3EA-3A776D1E8EFF}\NumMethods\ = "32" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C204249-C443-4BA4-85ED-C972681DB137}\NumMethods | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90701133-BE32-4129-A65C-99E616CAFFF4}\NumMethods | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C12EE83-8A58-43FD-86C9-299D33722039}\NumMethods\ = "8" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{193215BF-3815-441A-98BC-589DB62452A6} | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{099AB00E-1FE6-4460-9E1B-4B2567DA41CA}\NumMethods | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95CE8410-7027-11D1-B879-006008059382}\ = "IShellTreeWalker" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5AB9C96-C11D-43E7-B44C-79B13EE7AC6F}\ = "ICreateNewLink" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15D93B62-9918-4E4C-857E-D1AD2D143F4F}\NumMethods | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A9D9026-0E6E-464C-B000-42ECC07DE673}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000214EE-0000-0000-C000-000000000046}\ = "IShellLinkA" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69537F58-D5B9-4F49-BFE6-63E88D9978DA}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A73CE67A-8AB1-44F1-8D43-D2FCBF6B1CD0}\NumMethods | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{659AD78F-1608-4A89-97D3-C8D741FDD0BC}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6F439BA7-0B57-41BA-8147-311D90A39C33}\ = "IViewPropertyInfo" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9838AAB6-32FD-455A-823D-83CFE06E4D48}\NumMethods\ = "7" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C583CCFB-CBD7-4F55-9E81-C8258D56D8F6} | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2834D6ED-297E-4E72-8A51-961E86F05152}\ = "AsyncIAssociatedIdentityProvider" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0FFBC28-5482-4366-BE27-3E81E78E06C2}\NumMethods\ = "15" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF8FC579-C396-4774-85F1-D908A831156E}\NumMethods\ = "7" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1823E7BA-EC36-447A-9B2E-B4912E15AFE7}\NumMethods\ = "4" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{389153AB-EA42-457F-9704-7AB979C9EF93}\NumMethods\ = "7" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C852B0-C95F-4FEE-BE00-87DC18B2661B}\ = "IEnumAccounts" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88E39E80-3578-11CF-AE69-08002B2E1262}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8F6AD5B-B44F-4BCC-88FD-EB3473DB7502}\ProxyStubClsid32 | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95A391C5-9ED4-4C28-8401-AB9E06719E11}\NumMethods | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60CE96BB-B6F9-42DC-B84E-5E5D9C370A6F}\ = "IFrameModule" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA69859A-DB5B-4C4A-8A8F-AE9759027534}\NumMethods\ = "6" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E693CF68-D967-4112-8763-99172AEE5E5A}\ = "IVisualProperties" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B669937F-94C3-45D8-A950-38C43C9BE7A8}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22C440DF-4720-4B3A-A472-0CCB6E6CDD97}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EC36F3E-5BA3-4C3D-BF39-10F76C3F7CC6}\ = "IDriveFolderExt" | ssrangsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5AB9C96-C11D-43E7-B44C-79B13EE7AC6F}\ProxyStubClsid32 | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3B521A9-64FB-463E-B2CD-6EBBD1C50330}\ = "IResultSetManager" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18140CBD-AA23-4384-A38D-6A8D3E2BE505}\NumMethods\ = "7" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12929CA2-37E4-440A-815A-759D7DF24EC6}\ = "ILibraryFactory" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A87781B-39A7-4A1F-AAB3-A39B9C34A7D9}\NumMethods\ = "4" | ssrangsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AA7AF7E-9B36-420C-A8E3-F77D4674A488}\NumMethods\ = "12" | ssrangsv.exe
Modifies system certificate store 2 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 ssrangsv.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 ssrangsv.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeLoadDriverPrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeLoadDriverPrivilege 1976 DrvInst.exe
Token: SeLoadDriverPrivilege 1976 DrvInst.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
860 ssrangui.exe
860 ssrangui.exe
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 2956 wrote to memory of 3056 2956 9070036232769ef3d265188fff67ea50N.exe 31
PID 2956 wrote to memory of 3056 2956 9070036232769ef3d265188fff67ea50N.exe 31
PID 2956 wrote to memory of 3056 2956 9070036232769ef3d265188fff67ea50N.exe 31
PID 2956 wrote to memory of 3056 2956 9070036232769ef3d265188fff67ea50N.exe 31
PID 2956 wrote to memory of 2644 2956 9070036232769ef3d265188fff67ea50N.exe 32
PID 2956 wrote to memory of 2644 2956 9070036232769ef3d265188fff67ea50N.exe 32
PID 2956 wrote to memory of 2644 2956 9070036232769ef3d265188fff67ea50N.exe 32
PID 2956 wrote to memory of 2644 2956 9070036232769ef3d265188fff67ea50N.exe 32
PID 2956 wrote to memory of 2060 2956 9070036232769ef3d265188fff67ea50N.exe 36
PID 2956 wrote to memory of 2060 2956 9070036232769ef3d265188fff67ea50N.exe 36
PID 2956 wrote to memory of 2060 2956 9070036232769ef3d265188fff67ea50N.exe 36
PID 2956 wrote to memory of 2060 2956 9070036232769ef3d265188fff67ea50N.exe 36
PID 2160 wrote to memory of 860 2160 ssrangsv.exe 38
PID 2160 wrote to memory of 860 2160 ssrangsv.exe 38
PID 2160 wrote to memory of 860 2160 ssrangsv.exe 38
PID 2160 wrote to memory of 860 2160 ssrangsv.exe 38
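The IoC tables above are flat rows of the form "Token: <privilege> <pid> <image>", "PID <a> wrote to memory of <b> <pid> <image> <target id>" and "<op> <registry path> <image>". Two caveats matter when reading them: a parent writing into a process it has just created is what ordinary process creation looks like to an API monitor, so the sixteen WriteProcessMemory rows here (every one of them a parent writing into its own child) are not by themselves evidence of injection; and SeLoadDriverPrivilege being enabled by driverinst64.exe and DrvInst.exe is consistent with the ssmirrdr.inf driver installation shown in the process tree below, which is exactly why it deserves a look. The Python below is an added example, not code from the sandbox vendor or from the software under analysis. It parses rows in the shape shown here and reports which PIDs enabled sensitive privileges, which cross-process writes are not plain parent-to-child creation, and which ROOT\Certificates thumbprints were touched. The sample rows are copied from the tables on this page except for the last one, whose PIDs 4242/4343 and image name "hypothetical.exe" are invented to exercise the non-child-write path; the PARENT map is read off the nesting of the Processes tree on this page.

```python
"""Parse Triage-style IoC table rows (privilege tokens, WriteProcessMemory,
registry writes) and summarise what matters for triage.  Added example, not
part of the sandbox report."""
import re
from collections import defaultdict

# Constructed sample input.  All rows but the last are copied from the tables
# above (one row per line); the last row (PIDs 4242/4343, "hypothetical.exe")
# is invented and exists only to show how a write into a process that is NOT
# the writer's child is reported.
SAMPLE_ROWS = r"""
Token: SeRestorePrivilege 3056 driverinst64.exe
Token: SeLoadDriverPrivilege 3056 driverinst64.exe
Token: SeRestorePrivilege 2560 DrvInst.exe
Token: SeRestorePrivilege 1976 DrvInst.exe
Token: SeLoadDriverPrivilege 1976 DrvInst.exe
PID 2956 wrote to memory of 3056 2956 9070036232769ef3d265188fff67ea50N.exe 31
PID 2956 wrote to memory of 3056 2956 9070036232769ef3d265188fff67ea50N.exe 31
PID 2956 wrote to memory of 2644 2956 9070036232769ef3d265188fff67ea50N.exe 32
PID 2160 wrote to memory of 860 2160 ssrangsv.exe 38
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 ssrangsv.exe
PID 4242 wrote to memory of 4343 4242 hypothetical.exe 50
"""

# Parent PID of every process, read off the nesting of the Processes tree in
# the report (top-level entries have no parent inside the run).  4242 and 4343
# are the invented PIDs from the sample and are unrelated to each other.
PARENT = {
    2956: None, 3056: 2956, 2644: 2956, 2060: 2956,
    2560: None, 1976: None, 2160: None, 860: 2160, 1960: None,
    4242: None, 4343: None,
}

TOKEN_RE = re.compile(r"^Token:\s+(\w+)\s+(\d+)\s+(\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
ROOT_CERT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
    r"\\([0-9A-Fa-f]{40})\b.*\s(\S+)$"
)

# Privileges whose acquisition deserves a second look: they let a process load
# kernel code or reach into other processes.
INTERESTING_PRIVS = {"SeLoadDriverPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"}


def parse_rows(text):
    """Turn flattened table rows into structured records."""
    privileges = defaultdict(set)  # pid -> privileges enabled via AdjustPrivilegeToken
    names = {}                     # pid -> image name seen in the rows
    writes = set()                 # (writer pid, target pid); repeated rows collapse
    root_certs = {}                # thumbprint -> process that touched ROOT\Certificates
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := TOKEN_RE.match(line):
            priv, pid, name = m.group(1), int(m.group(2)), m.group(3)
            privileges[pid].add(priv)
            names[pid] = name
        elif m := WPM_RE.match(line):
            writer, target, pid, name = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
            writes.add((writer, target))
            names[pid] = name
        elif m := ROOT_CERT_RE.search(line):
            root_certs[m.group(1).upper()] = m.group(2)
    return {"privileges": dict(privileges), "names": names,
            "writes": writes, "root_certs": root_certs}


def non_child_writes(parsed, parent=PARENT):
    """Cross-process writes whose target is not a direct child of the writer.

    A parent writing into a process it has just created is what ordinary
    process creation looks like to an API monitor, so those rows are filtered
    out; anything left is the candidate for real injection."""
    return sorted((w, t) for (w, t) in parsed["writes"] if parent.get(t) != w)


def pids_with_privilege(parsed, wanted=INTERESTING_PRIVS):
    """PIDs that enabled any of the interesting privileges, with the ones they used."""
    return {pid: sorted(p & wanted) for pid, p in parsed["privileges"].items() if p & wanted}


def summarize(text=SAMPLE_ROWS, parent=PARENT):
    parsed = parse_rows(text)
    return {
        "privileged": pids_with_privilege(parsed),
        "non_child_writes": non_child_writes(parsed, parent),
        "root_certs": parsed["root_certs"],
        "names": parsed["names"],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the rows from this page the only non-child write is the invented 4242 -> 4343 one; the report's own sixteen rows all collapse into parent-to-child edges and drop out. The PARENT map is the piece you would normally fill from the sandbox's process tree or from Sysmon event 1 (ParentProcessId) when applying the same filter to host telemetry.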
Processes

C:\Users\Admin\AppData\Local\Temp\9070036232769ef3d265188fff67ea50N.exe
"C:\Users\Admin\AppData\Local\Temp\9070036232769ef3d265188fff67ea50N.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956

    C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
    "C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3056

    C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2644

    C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2060

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{57b13fbe-8800-420b-17dd-7d1205a6396b}\ssmirrdr.inf" "9" "67bd61347" "00000000000003D0" "WinSta0\Default" "00000000000002F0" "208" "c:\program files (x86)\common files\supportdotcom\rang"
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem2.inf" "ssmirrdr.inf:ssmirrdr.Mfg.ntamd64:ssmirrdr:2.0.0.0:ssmirr_driver" "67bd61347" "00000000000003D0" "00000000000005CC" "00000000000005E4"
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2160

    C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
    "ssrangui.exe" -start -ec 1 3631146199 -agentFriendlyName 'Solutions Engineer'
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
PID:1960
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 249KB
MD5 151856cfe9156091831b937aec612d46
SHA1 001b8dac977e70d8b65f133c537fe0b3209b8226
SHA256 e807d7c405f6077dd57be20254adfaea0c9d02d1c9ab95035424818d082c4325
SHA512 063df5476bd9f0f8dafa8c7ebeb4b0688640893b07fe89ce313b07ec26842a2845fe95f7955147c387cd15787af6ef3b050ad8d1e6863c667c5192d858e61ffa

Filesize 1.7MB
MD5 867f418fffc2dd61dd3fc065f4ab29bb
SHA1 9558d4995c70048cfcd7cfd4718f38babd6ba581
SHA256 2d2648a2e454e1637086d90b0a9071df66dd3de61c42ae88e4b1362aa51b21e4
SHA512 ebcaa8e676509b56bae4318ca800383b8b306b8425a0a5e4c55c69a9bc38937a5f806874924efb8b6f6b0624ad0c09b140c4c63127a2573069ac178f03817238

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3H1FOMV1\errorPageStrings[1]
Filesize 2KB
MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3H1FOMV1\httpErrorPagesScripts[2]
Filesize 8KB
MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\NewErrorPageTemplate[1]
Filesize 1KB
MD5 cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA1 8f12010dfaacdecad77b70a3e781c707cf328496
SHA256 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\dnserrordiagoff[1]
Filesize 1KB
MD5 47f581b112d58eda23ea8b2e08cf0ff0
SHA1 6ec1df5eaec1439573aef0fb96dabfc953305e5b
SHA256 b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928
SHA512 187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 f4846779ddeeb1fd5b7ea3ebfcc44f80
SHA1 5b62b115a0882180c8b751ecf3acc7d95b80c130
SHA256 438d4ffe2d92d78557be60c87fbff96d94350e6048359ed7933f3b08aa327170
SHA512 621dbeeb93235a1b1c33628ff43be4546ea3f4eae5c2129dc8ef2fb70a8d9fe31714ab777072251d4472c3df3dc583315f197d6450203529887f5843cfb8f193

C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF
Filesize 9KB
MD5 491da3364f51e6b86aa1c262bc4e58a0
SHA1 421f0e9da4a27df8030425b3c42a85eff1238bcc
SHA256 bb11c0eaf9a474c938cbc83eb1ddca34e0975995db03ce86e2130c43bc79ddeb
SHA512 f8e8155f3a0d0bf7688753dc88eb73818ef5ad718f557cfd6d550701364954cad7837e1fe8f611eec2fcb95a7be61a40d361ac4523f899c98349905af251ad4a

Filesize 1.4MB
MD5 1f161950a68f51b835b12da46f52f61b
SHA1 13ad836fa165ff9234e220b4ca23903cc9bb0002
SHA256 106b8f336265fa5ca40d242a974dd46be04d4a5109d3afe7172a7d8e68b1842f
SHA512 cd28686441d61cfd197bba1a5609c2192de7ddb34f3ddd35a733927aecce055b452477c7c35c23fa4f4983d91881d5597c904476889de791ddda97259d48d3e2

Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize 9KB
MD5 3c1c01a2c39644614bb1a4d791ab7bb2
SHA1 486893288e6bc758c363a828ff79481f3d5412e8
SHA256 4c25d543a10f3018e764a59843b97490e1dd6cd43c9aa5473d07ba0c0f87ef62
SHA512 17332a96b2644987591aa77b3cf85090a3c77f9183783c24dd01bbe12412f7c07a8b33ef160da11fbb35e9f7d2754f42c5dc704275d94a418fbbd7d86cd2ce12

Filesize 31KB
MD5 28b26600204f79045eda8f7fd8ca3c86
SHA1 b9f19e36b80eb862370d99b466664380440af6d5
SHA256 5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6
SHA512 aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

Filesize 9KB
MD5 1100066057fbf612b573efd3b21383f1
SHA1 f95db83ea936f1fe70583a4eca810da807167dfe
SHA256 894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d
SHA512 62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

Filesize 8KB
MD5 31f007d8f2de5e945dc2e2234628bc37
SHA1 76fb2cd66c869bae25589298a971b458bd06c18e
SHA256 a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973
SHA512 170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

Filesize 2KB
MD5 6c4423d9cb9921a25de76b2d9f390f74
SHA1 5abdfd7b7d0e454a6ac117c90077b3379e48d666
SHA256 3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82
SHA512 9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c

Filesize 16KB
MD5 198aecd00486eadd45b763ecf6b850ef
SHA1 8141e2a173f5ed8a1ee4111a9dbf3973f87583e7
SHA256 da94f1da1d256ad7edcacb856d7712fae587714e8372462871b9b8390697e66e
SHA512 9968dc12d98ca2e7a4d6a90f01228d27c2c67f46cfe2e5cac61c1ada698e84e1fd43afd7b30dd30240ed6eea1ff5fb6e1f9ba7d15303baa889a34f24d4f46703

Filesize 2.2MB
MD5 3c58ee787f100d9c124fde7d41e2b40c
SHA1 794539da76db30d2193bc0e7f705a66816994773
SHA256 9ba659ce26f5e4bc1dd98d7d41ac1514bb2853d68c3d56707f7a050cfb08ed87
SHA512 2340c7f37ff53fcc9cecc77b0e87f6b86600f3cd08aa8bb0da87b9e041943cfcac87d6660187611cf7ee0eeb900a6f28272251bd60e0f2664da0e49c19667a5f

Filesize 11KB
MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f