e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37

Analysis

max time kernel
147s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Size

6.3MB
MD5

9190aaff6a444edb896ed5c228c26276
SHA1

e7a1745c17b141159e87a6d8ade23ac7815c74d9
SHA256

e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37
SHA512

aa75ce03ef8594f066ffc2d16e0658637a6d9544c81555b8199a4d17fd42e35980e8a676f9f5b700ba966f3563cdd4816714014bcf5533e42b16379540c9a6b8
SSDEEP

196608:z6xePNL9ONBrYuU7yBCiAYPnGjzJIerhV5Q:zAA99ONuC5AYPnYJIe1V5

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsHttpServer = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsHttpServer.exe\""	EsWebSocketKit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ShuttleInterPass2000_YBXY = "C:\\Program Files (x86)\\YBXY Certificate Manager\\InterPass2000\\certd2ka_ybxy.exe"	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\ESWebSocket.exe\""	EsWebSocketKit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsFtWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsFtWebSocket.exe\""	EsWebSocketKit.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1612	netsh.exe
4396	netsh.exe
2408	netsh.exe
528	netsh.exe
1680	netsh.exe
4292	netsh.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\stwebdll.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\PassGuardX64ForYBXY\passguardwin7ins.exe	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\PassGuardCtrlForYBXY\passguardwin7ins.exe	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\InterPass2000P11.sig	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\InterPass2000P11_s.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\FTInitlize_bank.ocx	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\default.INF	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\PassGuardX64ForYBXY\PassGuardX64.inf	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\InterPass2000P11.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\CEA_Crypt.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\printCtl4RA.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\PassGuardCtrlForYBXY\PassGuardCtrl.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\PassGuardCtrlForYBXY\PassGuardCtrl.inf	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Windows\SysWOW64\PassGuardX64ForYBXY\PassGuardX64.dll	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
908	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\escertd_2052.lng	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\cert.cer	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\server.crt	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\cert.key	EsWebSocketKit.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\escertd_1033.lng	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\server.key	EsWebSocketKit.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js	EsWebSocketKit.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\esmgr_2052.lng	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\escsp_1033.lng	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\escsp_2052.lng	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\uninst.exe	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File opened for modification	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\certd2ka_YBXY.exe	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\esmgr_1033.lng	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dll	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\dh.pem	EsWebSocketKit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js	EsWebSocketKit.exe

Executes dropped EXE 20 IoCs

pid	Process
4880	EsWebSocketKit.exe
3432	AddTrustSite.exe
208	AddTrustSite.exe
2952	AddTrustSite.exe
3832	certd2ka_ybxy.exe
4352	regFirefox64.exe
4520	regFirefox64.exe
4264	ESWebSocket.exe
228	EsFtWebSocket.exe
4996	EsHttpServer.exe
3592	FirefoxMOIT.exe
4740	EsFtWebSocket.exe
4344	ESWebSocket.exe
4116	EsHttpServer.exe
3336	EsFtWebSocket.exe
3508	ESWebSocket.exe
4224	EsHttpServer.exe
3508	EsFtWebSocket.exe
4224	ESWebSocket.exe
4032	EsHttpServer.exe

Loads dropped DLL 62 IoCs

pid	Process
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
4880	EsWebSocketKit.exe
2296	regsvr32.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
3168	regsvr32.exe
1504	regsvr32.exe
1504	regsvr32.exe
1504	regsvr32.exe
1596	regsvr32.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
908	regsvr32.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
5068	rundll32.exe
3832	certd2ka_ybxy.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4352	regFirefox64.exe
4520	regFirefox64.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
3592	FirefoxMOIT.exe
3592	FirefoxMOIT.exe
3592	FirefoxMOIT.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsWebSocketKit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddTrustSite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddTrustSite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddTrustSite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certd2ka_ybxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirefoxMOIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5020	taskkill.exe
2960	taskkill.exe
1140	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00A5A260-956A-49E4-82FF-58CE009742C5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22956032-28BC-4973-9970-299A40C86ABA}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{816C06DD-3116-4D55-AD48-0CF7ABAB96B1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E408C69D-95DF-45ED-88C6-B51BD01BF8E7}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FTINITLIZE.FTinitlizeCtrl.1\CLSID\ = "{CC07C71C-70EE-4BB3-AE62-7D7EB9ADC0ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC07C71C-70EE-4BB3-AE62-7D7EB9ADC0ED}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A480015F-0E3E-4E50-B231-CF6E8605DAC3}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22956032-28BC-4973-9970-299A40C86ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22956032-28BC-4973-9970-299A40C86ABA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E408C69D-95DF-45ED-88C6-B51BD01BF8E7}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{690F53E3-1801-4BEE-9C49-EFFA78733803}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{DE4B4456-8E75-42BC-A6B8-0A09C59FCF78}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{690F53E3-1801-4BEE-9C49-EFFA78733803}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC07C71C-70EE-4BB3-AE62-7D7EB9ADC0ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\InprocServer32\ = "C:\\Windows\\SysWow64\\PRINTC~2.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\TypeLib\ = "{C6963EE8-3B10-44C6-96D1-D2C6D341465A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22956032-28BC-4973-9970-299A40C86ABA}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC07C71C-70EE-4BB3-AE62-7D7EB9ADC0ED}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\PRINTC~2.DLL, 101"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00A5A260-956A-49E4-82FF-58CE009742C5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{690F53E3-1801-4BEE-9C49-EFFA78733803}\ = "_DFTinitlize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6963EE8-3B10-44C6-96D1-D2C6D341465A}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}\TypeLib\ = "{C6963EE8-3B10-44C6-96D1-D2C6D341465A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stwebdll.webdll.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22956032-28BC-4973-9970-299A40C86ABA}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D93D397-11A6-46AE-A8AB-6ED98CB1322B}\ = "_DFTinitlizeEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{690F53E3-1801-4BEE-9C49-EFFA78733803}\TypeLib\ = "{E408C69D-95DF-45ED-88C6-B51BD01BF8E7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45AF09DF-3932-434E-9790-B06B8244E203}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ProgID\ = "PrintCtl4RA.ctl4RA.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}\InprocServer32\ = "C:\\Windows\\SysWow64\\PassGuardCtrlForYBXY\\PassGuardCtrl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A480015F-0E3E-4E50-B231-CF6E8605DAC3}\TypeLib\ = "{C6963EE8-3B10-44C6-96D1-D2C6D341465A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC07C71C-70EE-4BB3-AE62-7D7EB9ADC0ED}\ = "FTinitlize Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC07C71C-70EE-4BB3-AE62-7D7EB9ADC0ED}\TypeLib\ = "{E408C69D-95DF-45ED-88C6-B51BD01BF8E7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00A5A260-956A-49E4-82FF-58CE009742C5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6963EE8-3B10-44C6-96D1-D2C6D341465A}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PassGuardCtrl.DLL\AppID = "{DE4B4456-8E75-42BC-A6B8-0A09C59FCF78}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}\ = "PassGuard Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}\ProgID\ = "PassGuardCtrl.PassGuard.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A480015F-0E3E-4E50-B231-CF6E8605DAC3}\TypeLib\ = "{C6963EE8-3B10-44C6-96D1-D2C6D341465A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\ = "IPassGuard"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{816C06DD-3116-4D55-AD48-0CF7ABAB96B1}\ = "Iwebdll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A2C8BC3-5B68-4AE5-81D6-6DC378708F3E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A480015F-0E3E-4E50-B231-CF6E8605DAC3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA6B9BDD-D3A9-4896-AB3D-36F6E7F6272A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22956032-28BC-4973-9970-299A40C86ABA}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\stwebdll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E408C69D-95DF-45ED-88C6-B51BD01BF8E7}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib\Version = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob = 0300000001000000140000003e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f2000000001000000cd070000308207c9308205b1a003020102020101300d06092a864886f70d0101050500307d310b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b3029060355040b1322536563757265204469676974616c204365727469666963617465205369676e696e6731293027060355040313205374617274436f6d2043657274696669636174696f6e20417574686f72697479301e170d3036303931373139343633365a170d3336303931373139343633365a307d310b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b3029060355040b1322536563757265204469676974616c204365727469666963617465205369676e696e6731293027060355040313205374617274436f6d2043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a0282020100c188db09bc6c467c789f957bb53390f27262d6c1362022245ecee977f2430aa20664a4cc8e36f838e623f06e6db13cdd72a3851ca1d33db4332bd32faffeeab0415967b6c4067d0a9e7485d6794c80377adf39055259f7f41b4643a4d28585d2c371f3756234ba2c8a7f1e8feeed34d011c796cd523dba33d6dd4dde0b3b4a4b9fc2262ffab5161c723577ca3c5de6cae1268b1a36765c01db741425feedb5a0880fdd78ca2d1f079730012d7279fa46d6132aa8b9a6ab83491de5f2efdde4018e180a8f6353168562a90e193accb566a6c26b7407e42be1763eb46dd8f644e173621f3bc4bea05356256c5109f7aaabcabf76fd6d9bf39ddbbf3d66bc0c56aaaf9848953a4bdfa75850d93875a95bea430c02ff99ebe86c4d705b29659cddaa5dccaf0131ec0cebd28de8ea9c7be66ef727660c1a48d76e42e33fde213e7be10d70fb63aaa86c1a54b45c257ac9a2c98b16a6bb2c7e175e054d586e121d01ee12100dc6327f18fffcf4facd6e91e83649be1a48698bc2964d1a12b26917c10a90d6fa792248bfba7b69f870c7fa7a37d8d80dd2764f57ff90b7e391d2ddefc260b7673addfeaa9cf0d48b7f7222cec69f97b6f8af8aa010a8d9fb18c6b6b55c523c89b6192a73010a0f03b31260f27a2f81dba36eff263097f58bdd8957b6ad3db3af2bc5b77602f0a5d62b9a86142a72f6e3338c5d094b13dfbb8c7413524b0203010001a38202523082024e300c0603551d13040530030101ff300b0603551d0f0404030201ae301d0603551d0e041604144e0bef1aa4405ba517698730ca346843d041aef230640603551d1f045d305b302ca02aa0288626687474703a2f2f636572742e7374617274636f6d2e6f72672f73667363612d63726c2e63726c302ba029a0278625687474703a2f2f63726c2e7374617274636f6d2e6f72672f73667363612d63726c2e63726c3082015d0603551d2004820154308201503082014c060b2b0601040181b5370101013082013b302f06082b060105050702011623687474703a2f2f636572742e7374617274636f6d2e6f72672f706f6c6963792e706466303506082b060105050702011629687474703a2f2f636572742e7374617274636f6d2e6f72672f696e7465726d6564696174652e7064663081d006082b060105050702023081c330271620537461727420436f6d6d65726369616c20285374617274436f6d29204c74642e30030201011a81974c696d69746564204c696162696c6974792c2072656164207468652073656374696f6e202a4c6567616c204c696d69746174696f6e732a206f6620746865205374617274436f6d2043657274696669636174696f6e20417574686f7269747920506f6c69637920617661696c61626c6520617420687474703a2f2f636572742e7374617274636f6d2e6f72672f706f6c6963792e706466301106096086480186f8420101040403020007303806096086480186f842010d042b16295374617274436f6d20467265652053534c2043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010505000382020100166c99f4660c34f5d0855e7d0aecda104e381c5edfa625054b9132c1e83bf13ddd44095b07498a29cb6602b7b19af72598093c8e1be1dd36872b4bbb68d339663da026c7f239911d51ab827b7ed5ce5ae4e2035770699708f95e58a60adf8c069a451616380a5e57f662c77a0205e6bc1eb5f29ef4a92983f8b214e36e288744c3901ade38a93cac434d6445cedd28a95cf2737b04f817e8abb1f32e5c646e73313a12b8bcb311e47d8f81519a3b8d89f44d93667b3c03edd39a1d9af36550f5a0d0759f2faff0ea824398f8699c8979c4438e4672e3643612aff7251e388990777ec36b6ab9c3cb444bac78908be7c72c1e4b1144c8345227cd0a5d9f85c189d51a78f295105332dd80846675d9b56828fb612ebe84a838c0991286a51e6764ad062e2fa97085c7960f7c8965f58e43540eabdda580399460c034c996702ca312f51f487bbd1c7e6bb79d90f4223baef8fc2acafa8252a0efaf4b5593ebc1b5f0228bac344e262204a1872c754ab7e57d13d7b80c64c036d2c92f86128c2309c11b823b7349a36a578794e5d678c5994363e34de0772de165997269041a4709e60f015624fb1fbf0e79a9582eb9c409017e95ba6d00063eb2ea4a1039d8d02bf5bfec75bf9702c5091b08dc5537e281fb3784436220cae7564b65eafe6cc1249324a134eb05ff9a22ae9b7d3ff165510aa6306ab3f4881c800dfc728ae8835e	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\SystemCertificates\softbank\CRLs	certd2ka_ybxy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93\Blob = 040000000100000010000000b6ada6ec197166ac670578e5179ea8d30f000000010000002000000027c5042bd2e1421369948ea130e4e7604817c0d13045932ed48a2cb10c8caa0c1400000001000000140000004b9d236fccf3dd4d028b0d1e2f732a102b0768131900000001000000100000002f27ccec88d8b37b4748eb029e5e86730300000001000000140000005b2cb7bc03d02624fc74258df56ba16ef1ad7d935c00000001000000040000000008000020000000010000000703000030820303308201eba003020102021458ec850fc4222148b495042df3060fec709d745d300d06092a864886f70d01010b050030143112301006035504030c096c6f63616c686f7374301e170d3231313032323031313631355a170d3331313032303031313631355a30143112301006035504030c096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100acf048bf504d5458d7d5f423a75f344bdb725c6d3f66168de6ae5b6d2c1ddc1cf68b2f502c3289b4ad85fff349de511077c574ce25c1f70db80b5af9dc092e48922fe4b4fb1a0dd6aa55fbb35b6b24ab55cc84bc7d5eeaabb27a86a83b5f134c19e6f00b05dbed856645a4ae83f829b7d59e7f396826c05184f161ee5887d63e195070b589c4b51a9953e4112ef501439fb426003bae81bc99a4dd110aaf2122a345e53e96cbf195a365bd4ae7abce44f1e58221bdd2cf0a364611271fd2c83da396e4289cf0ff56b9691371749b1d4b0c358f37c5f62da15133b19775487a17c1ebab90b1122f690708fc29b6fe0fc17d205d6049d4cdd8cc2057dc144d08310203010001a34d304b300b0603551d0f0404030205e030130603551d25040c300a06082b0601050507030130270603551d110420301e82096c6f63616c686f7374820b2a2e6c6f63616c686f737487047f000001300d06092a864886f70d01010b050003820101008fb9b28d4187eda354b68f275b6dd7a0fc3578814230a378a476c0aa73065e552c15b08058c06cbc6eb475d9c567f8740eb984bc6029e532813863e5daf46894b34d4b7d12c3d73f3ba304605a3b60199f773ec824280cc428a63b326dd0e2a15bb442153022f7c776fefea68182dd451e2e3e3c15e01628b0f349ddada030119b31017827042e49d765c079ddd584c0b8b09145e2d7ecee92c2832c1f2f9f5bd91357a890c633faefd7d1270994bfd07fab90b19323d358a7ea0327031b2b50dd965e6050f061256e5e231e526c59da97449cb6f721ea69abdb6e92fe2513230001500f17add84a5434ed657b621f6f0daf2dec22abe700c064642e87680094	EsWebSocketKit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8C224916B75F76154FB31079A5643800E4D5EEAA	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8C224916B75F76154FB31079A5643800E4D5EEAA\Blob = 0300000001000000140000008c224916b75f76154fb31079a5643800e4d5eeaa2000000001000000f8020000308202f4308201dea0030201020202009d300b06092a864886f70d0101053033310b300906035504061302434e310d300b060355040a0c04434d43413115301306035504030c0c434d434120526f6f74204341301e170d3135303431343136303030305a170d3230303431343136303030305a3039310b300906035504061302434e310d300b060355040a0c04434d4341311b301906035504030c12434d434120456e746572707269736520434130819f300d06092a864886f70d010101050003818d0030818902818100b164151ce6334782af289cfde447224c62bb0e5fb7096107b719b4b13d1367123c59e679d51e0148f00d3cb421edc638a5b9837120e0d1210ec752435612da64f2bf3fdf87b2d879e11a84509a75bcb7092e78864217a293eb91210c3a07dc6bf01976d931b071364a964eadd9e6e1eb8115cf329b04e6801aa61c6b18a80c7b0203010001a38193308190301f0603551d23041830168014d2b2977ba1a448cb753dede0492b3052902d70fd301d0603551d0e04160414c615ed2e6c22f594d1e4d5e1c4ba9dbb2ff74502300c0603551d13040530030101ff30330603551d20042c302a300c060a2a811c86f17601010101300c060a2a811c86f17601010102300c060a2a811c86f17601010103300b0603551d0f040403020106300b06092a864886f70d01010503820101003d94314d96c89ba20fc0b6fc0d95dab7702475d0b2f887450919caab072db5de58c2b78687d2967356619c60e39c1add5da9c4a0425a66a76d2f9a327ea7d0c4b1f5c6a0f7c83a63b4b70233a67d56353184891f5890624ea8915574946ce04605d3cae431cdb7a612458a298dc3a175a479fa79e8b3fb97eb0174344aeae25edc2afad537e271dd70d391fa1aee9713286f00c46b9786851a6500a5ba9ac5e79272d522c28b08d09f19c8187a876dd0190b688ecc0861da853ec674e3673692a609ab6558ce33d45f1a790ec8a1b7e697543e00a1a72eed49e13f1511907012cc03358e79dd570e6eacc029f7f5e42d4951eb1807159e29cc920c3be9fe34a6	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93	EsWebSocketKit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob = 030000000100000014000000dbb84423c928abe889d0e368fc3191d151ddb1ab20000000010000003a030000308203363082021ea00302010202106f0ce95269c8629902ff63a5ccebed3c300d06092a864886f70d0101050500302e310b300906035504061302434e310e300c060355040a13054f53434341310f300d06035504031306524f4f544341301e170d3035303832383038313631365a170d3235303832333038313631365a302e310b300906035504061302434e310e300c060355040a13054f53434341310f300d06035504031306524f4f54434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d8f9858d752d29f5845f3a0cd4ca0b3e7181d06a4a2c407ef640b593036d74cb5a20c6c3e7929b1a0f65644866bf85dd5aa9d7026d8c4e07b533514b1d99ebb34ebd78e4ed1e2cc881c6a04d97c3e6a4149c7eed7c3b6697311802733d7b927e980e0028b9031be8135e6a4cfdccef9b124a08809013e49b6740a07f5dab63b0bf64ed700a821e3b5b1116e341e6d27d856d9f3ee2a925619f49fc3988588a0438755640966bfc22f76c2834575431c0fb3d0c3d2444786a318b9e1eb216c2744611291680072b3d52e01f22abe6cef954519b1ad0dd173f44594e396e8dc4f4365db83651c025b52d6198a5bc096188b400f6b502188d60f422e61de9d40c910203010001a350304e301f0603551d23041830168014fac25e1a1b9fd09f7bc7d06e8e69a69954377dd1301d0603551d0e04160414fac25e1a1b9fd09f7bc7d06e8e69a69954377dd1300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003d5c705abe69a0da0bc3a28bdf44fb11b5d7324190cbe1f84eb2594c33c82526f36109db797f8600bc295a862a007dc1e7a6295cbee4de7084a4bc5cfe39a3804b8dffdc9777acb5c9c57fb3ffb4d4c47059c24218a5cbd61d13a20e768ad81631e8eda7e2609dbc04c641c5da52c9dee08d507027a98aef57ee9606bec12951c2ad5d1b7722ba9c6c6c6712e99bf50fe4fec5904630ccdf6e7e8bf8f60c9eeabef02af6b51d2a9e10cc9d199ba48078b43ba9cc91ac321b2cd9425ce68000999bcc95398d8fd83fe91b3dabd50bb371688b245b0b065b565719e092231c778f19433f6737f936f2f99476f140cb1c4d8d608cfaded3181c4caccaf8c8871f33	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\AF50A73BFC0F7AE01F9399701042CAF85181626A\Blob = 030000000100000014000000af50a73bfc0f7ae01f9399701042caf85181626a2000000001000000f8020000308202f4308201dea0030201020202009f300b06092a864886f70d0101053033310b300906035504061302434e310d300b060355040a0c04434d43413115301306035504030c0c434d434120526f6f74204341301e170d3135303431343136303030305a170d3230303431343136303030305a3039310b300906035504061302434e310d300b060355040a0c04434d4341311b301906035504030c12434d434120496e646976696475616c20434130819f300d06092a864886f70d010101050003818d003081890281810099d60d91b366e21bbf2b3450a7a119698879a8a11d2cc0ea4b6ad316fc9dd2dc93f974e304433186a7e8c06d89d064f04fd53c1061dbb33ecca230281d95a48285ba49454a0356eb05519f7a6b9caf7b59d007796440dfcb0b983cda6fd6a6ad633c6c8291018ede5dd7bcb01e77bd9e24d4e5ca80161f584e3894caf83b8ae10203010001a38193308190301f0603551d23041830168014d2b2977ba1a448cb753dede0492b3052902d70fd301d0603551d0e0416041478c27ce628b0f8cfe66b4ababe3acbf2a1820b41300c0603551d13040530030101ff30330603551d20042c302a300c060a2a811c86f17601010101300c060a2a811c86f17601010102300c060a2a811c86f17601010103300b0603551d0f040403020106300b06092a864886f70d010105038201010020de8f341d761d963d0f58b0f94ecc47738f4d9bdec34c14492b606c4e0aff962272af31907e08e82c43c10e58c5428f23501885496c85c5f062973e4f1ebc12a4dc589ac228028547f8d5c5e992749015bddebc4564eaf562255868106c67ab38ff84115e90eecefa044b8dedb23a2a8c82f659cc59e6a2e536b9a9219e1e2372c0b920de57f590bc8c328104175c5b30c70dc9bf0c00c15b17b8e8df59e5c2624cd4600c8869f184095ed296e1302b3efe476b1995ea4f17688638b3cb1c394b7484974f4dcfd268a6e276e0f3ca6de812c83da92320511a5ab9b57da3fa5d9b557baf055801061006ca4edea4b5d61a305573ca9a453b67524fec1d414297	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\SystemCertificates\softbank	certd2ka_ybxy.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\SystemCertificates\softbank\CTLs	certd2ka_ybxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922	EsWebSocketKit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922\Blob = 5c00000001000000040000000008000003000000010000001400000007a909a89fc6857fead7726bf955f1e4e8edf922190000000100000010000000b5d296234cf132adc29bb6fec0549c6214000000010000002000000031c1dcb87b45e72861bdea4038e309f052fc83115c30da4cfb5fbfb6ea0ae7770f000000010000002000000098d78429350107d66f9d9a4b7bf2cc0a4d1c75cb2062d1d02fbbd2105dc9880b0400000001000000100000001711793f00ff2d2fb5144003374c02832000000001000000d5030000308203d1308202b9a003020102021100bd261f436c61432fd735c301bb7bfc05300d06092a864886f70d01010b0500307c310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d53616e204672616e636973636f311c301a060355040a0c13776562736f636b6574406c6f63616c686f73743122302006035504030c19746c7363612e776562736f636b6574406c6f63616c686f7374301e170d3137303932323031343134305a170d3237303932303031343134305a307c310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d53616e204672616e636973636f311c301a060355040a0c13776562736f636b6574406c6f63616c686f73743122302006035504030c19746c7363612e776562736f636b6574406c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100bf4c1314166876a6dd73a80cd1777394390922f9edceb0f2cce4a3ddff9641089c2a0649a6de8c6154db3236fc10ba3abe9a8856d218fff49265cafa950d82e94d2cb091a26db2b4eb90489a1f609581ab65da9858c3ccb77fd633e6b23dce343d423ea0318aed787db8435a108bd1336a20ee7ae38be7e9482c82570829da911fa7c74937d38930b78a1b2a6ede1bc07e7bcec5d6280e25bca71006418456e551598472181b8d7d7c475177b2258134d93daa51b7962eded0bd6624f642ff8458c2d76287cb19975a3ceb2671499655a110cfc250c3fe764fbc3d435d9386b78bf05f91c4491c63ff0b81aa98d2e9f42bd2bb6a95f21e8be826f2411c7c598f0203010001a34e304c300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30290603551d0e0422042031c1dcb87b45e72861bdea4038e309f052fc83115c30da4cfb5fbfb6ea0ae777300d06092a864886f70d01010b050003820101000509d1f6bcdc17bdb0b3942023ed6d3518675193959c12d912ac9d4a7e5476781360c75ecf9d3ce96188840fe0bb14f7ec1c3d042d6c1d05106aee718cd5828d62674a8f3f9f6891ae16468d7273c0cbb928ee3dd98afe6e6965123f1451f13609029eceb15ad4b88a1102ce230a7311306f1c6c9a9d6318f909e738b006076e0c37e37e0e2f2de0bc6c7a0e6c105adc4876d8c84c9f825577a4021452f40d73aeabbf4667f67c29bb4b78c91e240bb4f2a7bf0300d81c8abace56e5e1e6c0a246fa9283e660515f355bb53ea43d704b17a4623eb73686643679a7ef3eee39a6a04c7d307810d8996c77d72abcbb3ef4658e069eec2138227b9186d8b3906912	EsWebSocketKit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\6A309AD8E9F7BD514513F96D9370BF607F292BB2	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\6A309AD8E9F7BD514513F96D9370BF607F292BB2\Blob = 0300000001000000140000006a309ad8e9f7bd514513f96d9370bf607f292bb220000000010000007e0400003082047a30820362a003020102021023468fb9f9062b4ba73cd1e0af04694f300d06092a864886f70d0101050500302e310b300906035504061302434e310e300c060355040a13054f53434341310f300d06035504031306524f4f544341301e170d3130303631383031353034355a170d3230303631353031353034355a3033310b300906035504061302434e310d300b060355040a0c04434d43413115301306035504030c0c434d434120526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d341d04d8802e89f29f423e25ab066aeb2f39ae260c1e28cbbb639d086dc3c2cf2b45da1d6935e9766933a9bf9865b2bc3bb5395afe0ff62d553e9917d55b076dab50a002ecade354486db725a91e0e59176d98097ba123dbb12aea68161ba9c7958d4badc8d4b7a4076c744440f6e939f6e45b0a83bf63a62894c8a6a93ea8d286f4551cb0d28262f8339b778b9892aa3e6b7cb639fa89f068e6795a5267958d4ca68b371279d32b84c01be6f538cd5443f0d34cc88229dca5185cda83eda9ee55bdbed5c2f154909dd44b5c8b5c5b1591eaac33e5c24e1e3d0b4781e0b002016e9d1b79aea28dbe22d312e3fb1ca527ac3e4f01d16dd407930c217d329f0b30203010001a382018d30820189301f0603551d23041830168014fac25e1a1b9fd09f7bc7d06e8e69a69954377dd1301d0603551d0e04160414d2b2977ba1a448cb753dede0492b3052902d70fd300e0603551d0f0101ff040403020106300c0603551d13040530030101ff308201270603551d1f0482011e3082011a3057a055a053a451304f310b300906035504061302434e310e300c060355040a13054f53434341310f300d06035504031306524f4f544341310c300a060355040b130343524c3111300f0603550403130863726c3130345f30308190a0818da0818a8681876c6461703a2f2f6c6461702e726f6f7463612e676f762e636e3a3338392f434e3d63726c3130345f302c4f553d43524c2c434e3d524f4f5443412c4f3d4f534343412c433d434e3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374636c6173733d63524c446973747269627574696f6e506f696e74302ca02aa0288626687474703a2f2f7777772e726f6f7463612e676f762e636e2f6361726c2f6361726c2e63726c300d06092a864886f70d010105050003820101003b2c049ca39e737b12849c43afc612f9a01771512b8faa163d784f9d571ccb345f18006b7df7ef089167f7f5eb5bac310e18c7f25b84a63f096fbfda9f26c5638fae5285fc75ef998808488ae38fecbb5a7cb8662b06a199e20139bc6069184de38772647e45e9696ac5f605e4ffc8d030c03d530f235ab1211db5ec0f9efee9aebfd775915a538d401bf75d907a3a6698388e3bf748a595b78cfaa6e6d274f739f8a03c49cd11be6171a7abedf8c7697f47f8b0055a1258eac6ca4b6891a6a83abf5d21efa3e5faa37153d8195b9c978e88c92d12382c016f4f48a841edea561a932299a9eaa2d114628ed731fccee88004b8f354d173d210be66de7c0a243e	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\AF50A73BFC0F7AE01F9399701042CAF85181626A	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\SystemCertificates\softbank\Certificates	certd2ka_ybxy.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
3540	schtasks.exe
3076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4880	EsWebSocketKit.exe
4264	ESWebSocket.exe
4264	ESWebSocket.exe
228	EsFtWebSocket.exe
228	EsFtWebSocket.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3832	certd2ka_ybxy.exe
3832	certd2ka_ybxy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4880	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	87
PID 4284 wrote to memory of 4880	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	87
PID 4284 wrote to memory of 4880	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	87
PID 4284 wrote to memory of 2296	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	88
PID 4284 wrote to memory of 2296	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	88
PID 4284 wrote to memory of 2296	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	88
PID 4880 wrote to memory of 5020	4880	EsWebSocketKit.exe	89
PID 4880 wrote to memory of 5020	4880	EsWebSocketKit.exe	89
PID 4880 wrote to memory of 5020	4880	EsWebSocketKit.exe	89
PID 4284 wrote to memory of 3168	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	90
PID 4284 wrote to memory of 3168	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	90
PID 4284 wrote to memory of 3168	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	90
PID 4284 wrote to memory of 1504	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	92
PID 4284 wrote to memory of 1504	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	92
PID 4284 wrote to memory of 1504	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	92
PID 4284 wrote to memory of 1596	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	94
PID 4284 wrote to memory of 1596	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	94
PID 4284 wrote to memory of 1596	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	94
PID 1596 wrote to memory of 5076	1596	regsvr32.exe	95
PID 1596 wrote to memory of 5076	1596	regsvr32.exe	95
PID 4880 wrote to memory of 2960	4880	EsWebSocketKit.exe	96
PID 4880 wrote to memory of 2960	4880	EsWebSocketKit.exe	96
PID 4880 wrote to memory of 2960	4880	EsWebSocketKit.exe	96
PID 4284 wrote to memory of 908	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	98
PID 4284 wrote to memory of 908	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	98
PID 4284 wrote to memory of 908	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	98
PID 4284 wrote to memory of 3432	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	99
PID 4284 wrote to memory of 3432	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	99
PID 4284 wrote to memory of 3432	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	99
PID 4284 wrote to memory of 208	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	100
PID 4284 wrote to memory of 208	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	100
PID 4284 wrote to memory of 208	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	100
PID 4880 wrote to memory of 1140	4880	EsWebSocketKit.exe	101
PID 4880 wrote to memory of 1140	4880	EsWebSocketKit.exe	101
PID 4880 wrote to memory of 1140	4880	EsWebSocketKit.exe	101
PID 4284 wrote to memory of 2952	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	103
PID 4284 wrote to memory of 2952	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	103
PID 4284 wrote to memory of 2952	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	103
PID 4284 wrote to memory of 3832	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	105
PID 4284 wrote to memory of 3832	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	105
PID 4284 wrote to memory of 3832	4284	e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe	105
PID 4880 wrote to memory of 4692	4880	EsWebSocketKit.exe	106
PID 4880 wrote to memory of 4692	4880	EsWebSocketKit.exe	106
PID 4880 wrote to memory of 4692	4880	EsWebSocketKit.exe	106
PID 4880 wrote to memory of 4352	4880	EsWebSocketKit.exe	108
PID 4880 wrote to memory of 4352	4880	EsWebSocketKit.exe	108
PID 4880 wrote to memory of 4520	4880	EsWebSocketKit.exe	111
PID 4880 wrote to memory of 4520	4880	EsWebSocketKit.exe	111
PID 4880 wrote to memory of 4264	4880	EsWebSocketKit.exe	112
PID 4880 wrote to memory of 4264	4880	EsWebSocketKit.exe	112
PID 4880 wrote to memory of 4264	4880	EsWebSocketKit.exe	112
PID 4880 wrote to memory of 228	4880	EsWebSocketKit.exe	113
PID 4880 wrote to memory of 228	4880	EsWebSocketKit.exe	113
PID 4880 wrote to memory of 228	4880	EsWebSocketKit.exe	113
PID 4880 wrote to memory of 4996	4880	EsWebSocketKit.exe	114
PID 4880 wrote to memory of 4996	4880	EsWebSocketKit.exe	114
PID 4880 wrote to memory of 4996	4880	EsWebSocketKit.exe	114
PID 4880 wrote to memory of 3592	4880	EsWebSocketKit.exe	115
PID 4880 wrote to memory of 3592	4880	EsWebSocketKit.exe	115
PID 4880 wrote to memory of 3592	4880	EsWebSocketKit.exe	115
PID 4880 wrote to memory of 912	4880	EsWebSocketKit.exe	118
PID 4880 wrote to memory of 912	4880	EsWebSocketKit.exe	118
PID 4880 wrote to memory of 912	4880	EsWebSocketKit.exe	118
PID 4880 wrote to memory of 3076	4880	EsWebSocketKit.exe	120

C:\Users\Admin\AppData\Local\Temp\e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
"C:\Users\Admin\AppData\Local\Temp\e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\EsWebSocketKit.exe
  C:\Users\Admin\AppData\Local\Temp\EsWebSocketKit.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /f /im ESWebSocket.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /f /im EsFtWebSocket.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /f /im EsHttpServer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
    C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\cert.cer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
    C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\ca.crt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4520
- - C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:228
- - C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe
    "C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /TN FT_ESWebSocket_A8B1F6F5477B /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /TN FT_SWebSocket_A8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe'" /sc MINUTE /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /TN 1FT_OneEsHttpServer_B8B1F6F5477B /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:372
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /TN 1FT_OneEsHttpServer_B8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe'" /sc MINUTE /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe'" /sc MINUTE /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3540
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name=EsFtWebSocket
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name=EsFtWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe" enable=yes profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name=EsHttpServer
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4396
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name=EsHttpServer dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe" enable=yes profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name=EsWebSocket
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:528
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name=EsWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe" enable=yes profile=public,private
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1680
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\stwebdll.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2296
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\FTInitlize_bank.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3168
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\printCtl4RA.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1504
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\PassGuardX64ForYBXY\PassGuardX64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Windows\system32\PassGuardX64ForYBXY\PassGuardX64.dll"
    3⤵
    PID:5076
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\PassGuardCtrlForYBXY\PassGuardCtrl.dll"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:908
- C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe
  "C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe" http://www.xyrbank.com
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe
  "C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe" https://ebank.xyrbank.com
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:208
- C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe
  "C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe" http://10.130.248.52
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\certd2ka_ybxy.exe
  "C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\certd2ka_ybxy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:3832

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Windows\SYSTEM32\INTERP~2.DLL,eb_service
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5068

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4740

C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4116

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3336

C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3508

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4224

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3508

C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4224

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe

Filesize
2.1MB

MD5
e88fcf35be36ccf3fa8ca6d441be74ac

SHA1
2fa310e1b8a0a1474b73c66c34a6feec2aa47c0f

SHA256
bb07c4b20e879b1feb42d8206f95ddf6c012871d8f5fe9773b47089f7772a712

SHA512
78cb8de754863f34e5add22e22e1307b51298462abd585c410e520e10f56502564e548189df3abd506b878640cfbf14ad4df4c11091f463b81231a2505ab7f59

Download Submit
C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe

Filesize
2.5MB

MD5
17ab752429d2e81d75cb6f09fb0583bc

SHA1
86dd820cce0902abbb1a840b0a1668b8938e6ae6

SHA256
3120f4bcc4b6e0d7ddf8245a51604219bdaa01ed94890ca0705c5588a1a254f6

SHA512
b0e5260997b52c6449506a911d5bc0605fb1293d4c6fa69dd70e27152327e6466437fdda0ab00b4112985b424893667fe97f2d95457affc3e42df88db9210532

Download Submit
C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe

Filesize
2.1MB

MD5
f766dace38bac14936a1b955661b6876

SHA1
44b99d1eda89d91f022387168460dadd3e6409c0

SHA256
ea44506c86426feed0ac905a1e23f02ed20c7a33623bec9c8fc0a0986a3f02b0

SHA512
3c35536226078d305fd557a92c132e1b28a2ba420270a0f10eb3e9849655e5b471b40c71f6ee03c98845c12eb656e3c4b57ab5b6b80c45d7e0942d78baf6186c

Download Submit
C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\AddTrustSite.exe

Filesize
42KB

MD5
9e3d0253cfeb7751411ba3c02448fc55

SHA1
9ffd9e59fd67623559db9a683a1d4db6873a6036

SHA256
020e9fff2e948eebb572c6fc4acef872518ab80224c1e04b7ed1d049addfb9b4

SHA512
1624715f05f55474ccf9a4d8b9f6e7149751fca82674b1d22d61d6eece92f41a5bcaf5c2d8d02d92918fdc2633c56ac3b709563a5afec3ee4b96cfcd7e5f1538

Download Submit
C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\certd2ka_YBXY.exe

Filesize
492KB

MD5
282d6b186635991352f52c19544a1ce0

SHA1
41b403afb22c76151dbee7fcda3413a32d056c4c

SHA256
639ddf49abf8dee56f0eb1bfe71934645e5538f4c9117833a8ffbb05b1315fff

SHA512
cc9f19ce96c1e75ddc114990595ed816d652aec7e3ff526a4423008a19e7b67f94ec1cb82f3bb0d87fb1431839f810da6942c96ed6a2934f8fe4ea3fe2cddd75

Download Submit
C:\Program Files (x86)\YBXY Certificate Manager\InterPass2000\lang\escertd_1033.lng

Filesize
10KB

MD5
7c3ed4a2b31fedf247644c0c47135db6

SHA1
edeb4eeb035fe1a1809daed9dfacf7463e1a29dd

SHA256
417c51618b9e77036bd853862517cbdf52676d982563af31f41795ad29688540

SHA512
aa3bf17661c90ea8a3298c8b34c5cd7921238064f07ac5aab87fab301fd693863d63cc2583e745bb4bf38e6314cebbeb73f4e4588f0a297a3e9db45a7527b1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMCAEn.cer

Filesize
1016B

MD5
0996d105ecbaee10e53ab535d21d21ba

SHA1
e24a4f0da4262153f6799812d40e19e1928e264e

SHA256
dffa2d535e1337e459a9dc4194c7f020998bd9b7403aee451b6b745be8f652d3

SHA512
a3dfcdf43a3acfd2221ec0661799110545ffb3e06705bad5c971d247344c5cbd1782ac839e67d7de859f126d6d745e702a2a7f7caff190e52a6db3d3a9e31706

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMCAPer.cer

Filesize
1016B

MD5
ebb99775526d4b90a22395ce5f760183

SHA1
93338502d43b3614a71ea8a80161cb43b59e8375

SHA256
734efa33dd0e80a7ca7d1462e9960cadf763713cb89c464220381d8765a471f7

SHA512
53440c0da60d82c34ac203464977838929f2c19afd9c40860fbe3f3e3ec2ae85b0498997c8288e789eb6d837ee35bd55a0e5ee7f5b99ef1d75b4b526d609a20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMCARootCA.cer

Filesize
1KB

MD5
66946ea99d0498c1158b7ebf908ce758

SHA1
0fc9423125e255b2df578403122d8a8b507fe5aa

SHA256
357552f278403ecd0e73de37bfff7bfe3e496453aee84a57040aa69de38948a1

SHA512
ad51caeaace24d44634db7b922d191e095658f43ec5f1c8851873dcd4d10614351125e4c7ea6225ede24b944e735c55d9cc86775a42dd1de41f5712ea725f521

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsWebSocketKit.exe

Filesize
2.0MB

MD5
03608817f4280e182fe17dcc532b78af

SHA1
3810abd4bab3e9b962c96019a2e73422c90fbc31

SHA256
211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3

SHA512
aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROOTCA.cer

Filesize
1KB

MD5
951db0adbb07a2158ccc46d04dfb81d2

SHA1
85d219e7dac88ccf47eb663f8cf39153cfd66d75

SHA256
492cbd5aeae2e4bfef6587afaeb891c5b0d6eea46e1d45a572f0410e3217e53d

SHA512
f0cb1f48a3c9f0e987e26c98e0d22f4902b3cbb20ca097554591089160903d9452372effe2db26bc7e45e967e0cf165e1fea94a73453ccccdacdd83739aa428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca.crt

Filesize
1KB

MD5
2c4f4a547771e088e61346836dd1cfb3

SHA1
33cd72b6e1f1157d6a536a75bad6d4e0d91c5b86

SHA256
040072b3367930ac96b7bfc1f7366272ee9c18e85f5110119a4d7d07556eb296

SHA512
661266cf2c936e63558d6cd66d4fe51e4325287b293bb6bd06cae282bb14a31764baaed9914d79ec3a8e03d8c89f17180cc58da1384efcfb9c8df4c54f8644a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cert.cer

Filesize
1KB

MD5
9d537451e919743026967da200358440

SHA1
5a782f53bf8b9f487221e6d7e3b528612ae6883f

SHA256
27544f1e19e23eb009dbe88006b010eac236d54c3de73cc26b1ffe0372cef59a

SHA512
344d275eb14330dbcdf490eed437c12312b7e4f5aae02229d702fe07040a94b73bd15b0c1e99f03207444404f2c7d3b3192a674d13700cfd454ef6a660ef4a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaB8F3.tmp

Filesize
26KB

MD5
8e83b78d2e265d29a6751df565646da6

SHA1
f9a54b5f68d75a68391ebe8e56f2d4e6cffd6f69

SHA256
cd7b928678e0ad3c6a325103aaba21d00d4bac58fdf726f38c282f4f93def1b1

SHA512
7243a2487675b2f223747b77548be6fb337f3d92c82ec854becf422c84005096ed16e27d1ab7c6784f0b7bfe215c90eb65f0e2da07ec31eb38219b48d4c54424

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB652.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB652.tmp\UserInfo.dll

Filesize
4KB

MD5
d16e06c5de8fb8213a0464568ed9852f

SHA1
d063690dc0d2c824f714acb5c4bcede3aa193f03

SHA256
728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531

SHA512
60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6AC.tmp\System.dll

Filesize
11KB

MD5
301a9c8739ed3ed955a1bdc472d26f32

SHA1
a830ab9ae6e8d046b7ab2611bea7a0a681f29a43

SHA256
6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92

SHA512
41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB8E2.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFirefox.dll

Filesize
68KB

MD5
dd3a47083df04500bbed296cad50c17a

SHA1
8479a361c83ff6a1aeec222409f630d10b97abab

SHA256
057301b32288b473d16d494fad6a933f1d80bda5dedded6700dcfb98c0997ec3

SHA512
074715818bde2c659c34c87cfe251e634365ab6b309a2150b1a50ba97291148286789c70d3f2ab7f0a09a3f7119f90fac814590f1b49b88126df4eafaf86eb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFirefox64.dll

Filesize
99KB

MD5
f9d5e26985f3373c0cf6c81fc77282aa

SHA1
eb583db51757159aeac8f763eb47769e00a1697e

SHA256
563a0662dc1fe246cd228a822d11ea3d00a7582b382e991c2aa6efa1d8e44407

SHA512
85b5ab236ef0977e879638e6fbd0d7157bc030c5e5f63151a6373bd024e48228ab970b220a993ce59481b922ac9bb9891a9c69109d5bb29020d27bc4eca51e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe

Filesize
45KB

MD5
8b26d23ed0026eaf0a58b3a082195ae2

SHA1
5b97c588f10cf7cf81fb6364247a94d59db0f908

SHA256
39e74e20de6b3be080f1454293546a50d0ef2f3a78b96b23c02bb35003a62833

SHA512
5853af3874fc4fa2a93b1f8ef3e42a78ed6451a13476696fbff188311099addbd9dabd87688a1c2bba75c8f57624aa5913cc37659d753969e20cdbd073854ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\startCom.cer

Filesize
2KB

MD5
fef8c7c069b85010e982bfdfd6080013

SHA1
1f2af0a94a10876472db3882e751fdfe1b000eb3

SHA256
5be8e324c98024259c8e0fce783189a357405cdfb943f4fdfccde1d5ae232baf

SHA512
68ff73a59d921a6f993c68808d8cdd55940cd5990dd29467660ec3efb5b6a4db331a5112d643ee257e6bd8ebae20553c4d84fa8223df97e8c8661d2d1d7d4800

Download Submit
C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\lirn7gz7.default-release\cert9.db

Filesize
224KB

MD5
bdf315d5e49f31416500ff3ed0ebc5ae

SHA1
79a48544e8fa504768b5ee832ffc9c0748767ec4

SHA256
0334122b971c4ddda0e48c00b6a2c787aaf88d552e52b16a2484e29d997314dc

SHA512
81f563e1f06eb247425c8a86c8af57c93fff107b99f2991aa3db3c1b111dc65aa4ec57de8b87d8dc47bb76b89f1547b3d235defb13433c8f4f9dea38517fb844

Download Submit
C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\lirn7gz7.default-release\key4.db

Filesize
288KB

MD5
ff30e3f6b1a4f5b58daa93e9a85b65ec

SHA1
d85c78a0dfe96d71775c0eca1ebf89ead178e71a

SHA256
425f5d51dc9edc7898e359a7fc9e1ebd01869aebe8533ce786e7244b269bad28

SHA512
56ba3532a72ca3fdc30bc672049c5e9840552bd1ee63c51994c3fa7b6769578346fc5c03c3319e7a6f208d65a46b9584f7aa91eea1f413af6da80a1a81bfe882

Download Submit
C:\Windows\SysWOW64\CEA_Crypt.dll

Filesize
60KB

MD5
b57da4ef6c923514de0efe4d4f409ca2

SHA1
638ef69da94f513955db4e5349b69c1ecbf4b9d8

SHA256
1161c3fac4a43485640a80336dd0edbc5569f332b3f36839dcebc8663ab8761b

SHA512
ad755429be4ac006354cd8d4bf8877baef093418d6b3e20af6c7da8fb8e441314c3dc37544510c2462abc4204013da12c1747fa974242ebbc6f8484858a1496e

Download Submit
C:\Windows\SysWOW64\FTInitlize_bank.ocx

Filesize
50KB

MD5
f4641328913d7c18982cce4c99f580e0

SHA1
4250757a8455d59fdfdbff67d2b6b12939c83673

SHA256
09f584a625ea2f6b6c26a609c12457763504b4d0ee55cff4c2d9417f5a787fd8

SHA512
f3de30d3cd4312529c5706a1c377b3086987617dc9901c7e051c3c578d3f38c6888bc6898708f653962f832cf4ac5388f21ace66aadf15421686a139f55cb438

Download Submit
C:\Windows\SysWOW64\InterPass2000P11.dll

Filesize
892KB

MD5
809f63601ef78a3cbcbdfab1f4816f73

SHA1
6122e2108502b7e52c8a07e8953daf2dfd54c6dd

SHA256
806b77200f87f245a39da02bb7548654ce11cf7ebbbc123c72a93f93c74ca7f0

SHA512
6496887b99a271c06d6bc59b54c99e3fe6108bed199d86c07b5b3945dcd362a396a925a9579f8fe16239a3d794347504d63f031d51d70624e06021bcad3b1434

Download Submit
C:\Windows\SysWOW64\PassGuardCtrlForYBXY\PassGuardCtrl.dll

Filesize
2.0MB

MD5
174a19cd3a960100dbeb43fb9428bf02

SHA1
5bb0fa68ee4ec2a74b7c7ceb9ff1f42e42da54cb

SHA256
15333c63027b7e91c3298e566ee8bd1abcf61fb2699570280e66a84136ae7fba

SHA512
20f698d8651f61c370c840b9bbfbef8ee5b53c655c0d1b0dd704f2670bdaeb9366279e3182ff99a36b43f4d664dde1bbfeef9dc3032b0b5c769c3c81faf57aab

Download Submit
C:\Windows\SysWOW64\PassGuardX64ForYBXY\PassGuardX64.dll

Filesize
3.3MB

MD5
c51656b26119aacd1a46c0e0a595a39c

SHA1
b75d8b77297d2fd7f6f7763a3d50ea06beb396e6

SHA256
665e7de614a196741af1a52b48f91453136d0bce3e0048699b3b115e3c7078b9

SHA512
a2a3747dc518249599097bec700cb09b1551b6d9052d0225f5e4abf2d458acff6edd4867db81685bb94c71c6dc5302f868be8de170ca6804ab79288c5a5afaf7

Download Submit
C:\Windows\SysWOW64\printCtl4RA.dll

Filesize
124KB

MD5
a89ea3892bfe94be61231dedc9263cd8

SHA1
768a8e6a08621f22447567dd96fde590071696ef

SHA256
12d5a0d88d72b088face2209427d1d9f116179eb48a90da27902f5712590d86c

SHA512
d3bc89d4fdd2de9b6cd2ea11cc3c12f6a524c7f07164590bdc8f12f36cc59432ff0dd8cb63bcbf40fa18cc064ba5646fa2c0c931439c6f8d39579676e0d16761

Download Submit
C:\Windows\SysWOW64\stwebdll.dll

Filesize
104KB

MD5
92119ff7a175e5635b87726306d82635

SHA1
6125103765180006ff3923ab03bf32d33dd491cc

SHA256
89cf6ae4df753095e06b2237e1127c8d0cc6cb879d877287355de47b59d08f28

SHA512
2130595f4a2be6ede12ff65084cbb90ffcb898fb5eb379cffaee5a4967305b6aa3c2b04e1a954b9d84000eee4d76447ceaf6031d3d0b0b09d7adf8330a750622

Download Submit
memory/908-80-0x0000000074250000-0x0000000074454000-memory.dmp

Filesize
2.0MB

Download
memory/908-79-0x0000000074250000-0x0000000074454000-memory.dmp

Filesize
2.0MB

Download
memory/1596-67-0x00000000028C0000-0x0000000002C0C000-memory.dmp

Filesize
3.3MB

Download
memory/4284-147-0x00000000034D0000-0x00000000035B8000-memory.dmp

Filesize
928KB

Download
memory/4880-35-0x0000000002FE0000-0x0000000002FEA000-memory.dmp

Filesize
40KB

Download