79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Size

124KB
MD5

bf79266eaae1d3ae286fea8f3e866b6d
SHA1

eb89af8eae6063f98b7cb916771e5456b680487a
SHA256

79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094
SHA512

9cd3b7824c1840cf21241cde1cb05e408f426aa6cbcb63f136b57234832640ba05700f617c3835997323c8149f10da8e4c06c61179bef8bf70fa77ad1e053e03
SSDEEP

1536:s1qcQMheJwmbyUtQppjEYLyXZn5iiNFuBAoP0qS/HNl/dxOiAOayssPVeOgTB:e9hYy/QSq5T5oMqS/xx966Vkl

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe = "c:\\users\\admin\\appdata\\local\\temp\\79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe:*:Enabled:SMPN"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\y:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\w:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\n:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\m:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\l:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\z:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\x:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\s:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\p:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\j:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\r:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\k:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\h:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\g:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\e:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\v:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\u:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\t:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\q:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\o:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened (read-only)	\??\i:	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\mui\rctfd.sys	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\msrpc.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\calc.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened for modification	\??\c:\windows\regedit2.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\regedit2.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\wdfmgr.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened for modification	\??\c:\windows\wdfmgr.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File created	\??\c:\windows\lsassv.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened for modification	\??\c:\windows\lsassv.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened for modification	\??\c:\windows\msrpc.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
File opened for modification	\??\c:\windows\calc.exe	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\\jsaddins\\locallaunch\\locallaunch.css"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16370"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "21696"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "8228"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "9931"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "9836"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\WebResources\\Resource0\\static\\js\\plugins\\my-computer-select\\js\\nls\\sk-sk\\ui-strings.js"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\WebResources\\Resource0\\static\\js\\plugins\\tracked-send\\js\\plugins\\tracked-send\\images\\cstm_brand_preview2x.png"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX86\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBHW6.CHM"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "8189"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14037"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "22107"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jdk1.8.0_66\\lib\\visualvm\\platform\\modules\\org-netbeans-core-output2.jar"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "11559"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "5725"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "10935"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\wasm\\index-dir\\the-real-index"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "2805"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "5102"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "5670"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\\Store.Purchase\\Controls\\SignInControl.xaml"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\images\\contrast-white\\LinkedInboxMediumTile.scale-200.png"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Multimedia\\MPP\\Flash.mpp"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "17356"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jre1.8.0_66\\bin\\mlib_image.dll"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "4086"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "12378"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "15994"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "17426"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "19110"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\api-ms-win-core-synch-l1-2-0.dll"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "8375"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Session Storage\\LOG"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\SecondaryTiles\\Directions\\Place\\RTL\\contrast-white\\MedTile.scale-100.png"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\Locales\\en-GB.pak"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\\ActivationStore.dat.LOG1"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\DeletedAllUserPackages\\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\\AppxManifest.xml"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\\x64\\msvp9dec_store.dll"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\DeletedAllUserPackages\\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\\Assets\\InsiderHubWideTile.scale-125_contrast-white.png"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\\images\\contrast-white\\OneNoteSectionMedTile.scale-125.png"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "17233"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\js\\index"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\DataModel\\Microsoft.Excel.Amo.dll"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "10479"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14126"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16390"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\353698\\imprbeacons.dat"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Google\\Chrome\\Application\\89.0.4389.114\\Locales\\el.pak"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "7902"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "15523"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\System.Data.Services.resources.dll"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "7878"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\DSCResources\\en-US\\PackageManagementDscUtilities.strings.psd1"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16853"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\WebResources\\Resource0\\static\\js\\plugins\\unified-share\\images\\Close2x.png"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "611"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\plugins\\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar"	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe

C:\Users\Admin\AppData\Local\Temp\79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe
"C:\Users\Admin\AppData\Local\Temp\79f55eb782eea62760ccffef01dd57781bad07533eeb5c1ff166a45889a85094.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3016