Sample File: MD5 hash: 73bbfdb1989e95d1206a90fdb330a5fe SHA1 hash: 31b7ce2d834625f08fa5a336e5915e6668adfaa3 SHA256 hash: 51bc32788b49aca2384cd07dce9f8ac63f07f52c27cf33c938e01c64c374eee4 SSDEEP hash: 24576:M8RCFEr8W1tVIFy8aCbC8zl0LYJJyQ6+vYnbaFtMfvmdj:MwCF6Eu8zmMJyQzv9TMfut Filename(s): worldtime.exe Filetype: Windows Exe (x86-32) Mutex IOCs: Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} Local\{FB999B87-1EC7-E503-005F-32E93403862D} {36482DDE-1D22-D83C-57CA-A18C7B9E6580} {365593F7-1DCB-D8D1-57CA-A18C7B9E6580} {CEF02F91-D541-3029-CFE2-D96473361DD8} {F6123870-DDED-9815-178A-614C3B5E2540} (Analyst note: several of these GUIDs share long suffixes with each other and with the registry subkey GUIDs below — e.g. `57CA-A18C7B9E6580` appears in two mutexes, and `CFE2-D96473…` overlaps `{111F6A44-3C4D-6BC7-CED5-30CFE2D96473}` — which suggests they are derived from a machine-specific seed rather than hard-coded. Treat the mutex names as host-specific until a second run on a different machine shows the same values; a detection that pins these exact strings will likely miss other victims.) Registry Key IOCs: (Analyst note: this list does not separate keys that were merely queried from keys the sample created or modified. The Command Processor, Explorer namespace, and "Security and Maintenance\Providers" entries are typical reads made by cmd.exe and Explorer — consistent with the dropped .bat file being executed — and are not useful as detections. The entries worth pivoting on are the Run value `cabilipc`, the `Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530` tree with its Client/Ini/Install/Scr subkeys, and the HKLM UAC, Windows Defender and SmartScreen policy values; check the sandbox write log before reporting the latter as defense evasion, since this report only shows they were touched, not that they were changed. The AppDataLow\Software\Microsoft\<GUID> layout with Client/Ini/Install/Scr subkeys is a pattern commonly associated with the ISFB/Gozi (Ursnif) family — treat that as a lead to confirm by static analysis, not as an attribution from this report.) HKEY_CURRENT_USER HKEY_CURRENT_USER\Control Panel\Desktop\AutoColorization HKEY_CURRENT_USER\Control Panel\Desktop\PaintDesktopVersion HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TokenBroker\DefaultAccount\providerId HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Client HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Ini HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Install HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Scr HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\{111F6A44-3C4D-6BC7-CED5-30CFE2D96473} HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command 
Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideDrivesWithNoMedia HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NeverShowDrivesMask HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR\VKToggleGameBar HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDisconnect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cabilipc HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\SearchboxTaskbarMode HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\UseApp HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} {000214E6-0000-0000-C000-000000000046} 0xFFFF HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\HasFlushedShellExtCache HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\StartupNotify\EnableStartupAppNotification HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption HKEY_CURRENT_USER\Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\ProductName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisplayVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\MonitorRegistry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\ValidateRegItems HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings\ShowHibernateOption HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings\ShowSleepOption HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\MonitorRegistry 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ValidateRegItems HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives\MonitorRegistry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives\ValidateRegItems HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders\StorageDelegate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders\StorageDelegateSuppressionPolicy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\MonitorRegistry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\ValidateRegItems HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher\AllowAutoAppRestartOnCrash HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDisconnect HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{088E8DFB-2464-4C21-BAD2-F0AA6DB5D4BC}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{6AE07DC1-0244-4C6F-9AB0-5017A56357C3}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{9DAC2C1E-7C5C-40EB-833B-323E85A1CE84}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{CA236752-2E77-4386-B63B-0E34774A413D}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{D26DE5C1-C061-43F7-9C40-7517526CF1C1}\Disabled 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{134EA407-755D-4A93-B8A6-F290CD155023}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{2374911B-B114-42FE-900D-54F95FEE92E5}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{34A3697E-0F10-4E48-AF3C-F869B5BABEBB}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{96F4A050-7E31-453C-88BE-9634F4E02139}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{AA4C798D-D91B-4B07-A013-787F5803D6FC}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{B447B4DB-7780-11E0-ADA3-18A90531A85A}\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\Disabled HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\EnableSmartScreen HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption HKEY_USERS 
HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Client HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Install HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run\cabilipc (Analyst note: the HKEY_USERS entries are the same keys as the HKEY_CURRENT_USER entries above, seen through the sandbox account's SID `S-1-5-21-1462094071-1423818996-289466292-1000`; that SID identifies the analysis VM and is not an indicator.) InprocHandler InprocHandler32 Storage\FilterMask TreatAs W32:00000000000301F2\VirtualDesktop (Analyst note: these last fragments are truncated registry entries with their hive and parent path lost in extraction — they cannot be used as written and should be re-checked against the raw sandbox log.) Domain IOCs: - None - IP IOCs: - None - URL IOCs: - None - (Analyst note: no network indicators were observed in this run. That is not evidence the sample lacks network capability — the sandbox may have been network-isolated, or the sample may have declined to beacon after detecting the analysis environment. Record network behaviour as unknown rather than negative until a run with simulated internet access is available.) File IOCs: Filenames: "C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" C:\Users\CIIHMN~1\AppData\Local\Temp\19FE C:\Users\CIIHMN~1\AppData\Local\Temp\19FE.tmp C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.tmp C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 C:\Users\CIIHMN~1\Desktop\WORLDT~1.EXE C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe C:\Users\CIiHmnxMn6Ps\Desktop C:\Users\CIiHmnxMn6Ps\Desktop\worldtime.exe C:\Windows\SYSTEM32\ntdll.dll C:\Windows\system32\c_1252.nls \??\C:\Users\CIIHMN~1\AppData\Local\Temp\19FE\E47F.bat (Analyst note: `CIiHmnxMn6Ps` / `CIIHMN~1` is the sandbox user name (long and 8.3 short forms of the same profile), and the `19FE`, `E47F` and `98F9CE91` temp names are hex values that are very likely regenerated on each run, so none of these should be pinned in a detection. The stable, actionable artefacts here are the executable dropped to `%APPDATA%\adsldraw\autoclb.exe`, which is what the `Run\cabilipc` value persists, and the `.bat` staged under `%TEMP%` that is executed and then presumably deleted; note that `adsldraw`, `autoclb` and `cabilipc` may themselves be per-host generated names, so confirm them against a second run before treating them as global indicators. `ntdll.dll` and `c_1252.nls` are system files loaded by any process and are not indicators.) MD5 hashes: 2af2261a8591e22a5e3c41fc603a4340 73bbfdb1989e95d1206a90fdb330a5fe 9d00145017261466596a4e6e66480fb6 d41d8cd98f00b204e9800998ecf8427e SHA1 hashes: 31b7ce2d834625f08fa5a336e5915e6668adfaa3 5288c791ee5766998bf3522abba9d33b3ec21a74 
c46a5f2b4aed20df44c8d4cb394abd101b8a274e da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 hashes: 51bc32788b49aca2384cd07dce9f8ac63f07f52c27cf33c938e01c64c374eee4 ddbbdd9a5e9ac3df7eeeffed148aa2ef075e4b186383e6121259292235ad6cc7 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ef6111afc2b62eef53a1e3a9a7fe2f5762e0e58d8e1274ede2c987d1303701ce SSDEEP hashes: 24576:M8RCFEr8W1tVIFy8aCbC8zl0LYJJyQ6+vYnbaFtMfvmdj:MwCF6Eu8zmMJyQzv9TMfut 24576:Zy8RCFEr8W1tVIFy8aCbC8zl0LYJJyQ6+vYnbaFtMfvmdj:ZywCF6Eu8zmMJyQzv9TMfut 3:5WxvGLK6OWRNfeURwv+gU64vHXMJATkUE1zWxvfBos+n:IAlRhmvGvvHXMJ2dm6xBL+n 3:: (Analyst notes on the hash lists: the report does not say which hash belongs to which file, so the four entries in each list should be read as four distinct files observed in the run. One of them is the empty file — MD5 `d41d8cd98f00b204e9800998ecf8427e`, SHA1 `da39a3ee5e6b4b0d3255bfef95601890afd80709`, SHA256 `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` and SSDEEP `3::` are all the well-known digests of zero bytes, most likely one of the zero-length `.tmp` files listed above. Those four values must not be published as blocklist indicators: they match every empty file on every system. The second SSDEEP (`24576:Zy8RCF…:ZywCF6…`) differs from the sample's own only by a leading `Zy` in each chunk, which is what near-byte-identical content produces; this is consistent with the dropped `autoclb.exe` being a copy of `worldtime.exe`, but confirm by comparing the dropped file's size and SHA256 against the sample rather than inferring it from the fuzzy hash. The very short SSDEEP (`3:5Wxv…`) indicates a file of only a few bytes, plausibly the dropped `.bat` — recover its contents from the sandbox if possible, since it is likely the execution/cleanup step for the persistence copy.)