633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930

Analysis

max time kernel
116s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
Size

1.4MB
MD5

f7577a6fc9c05c81dc2576c932453742
SHA1

30f1189f61008f6bff2878e23732aeac0151a84e
SHA256

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930
SHA512

fedc847fd044058ee6306831f05889e78722ea5a7b6cc9519133c920080b16d1822f47690ad3a4f4e07bf0b6dc3957f5641dd769883a6b92ddff22e1e1e1c4df
SSDEEP

24576:xIfXENOIcLm+dJ690iSmX0mgV9U6Sq53PHnpb0Es5zUsXkS9S7spu:xIf0NOIcLddZzrmwUK53Pnpb0H5pRAsg

Score

8^/10

adware persistence spyware stealer vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RJFC.exe

pid process

1876 RJFC.exe

pid	process
1876	RJFC.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\VolIE\\FoxPro_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1324-55-0x00000000008B0000-0x0000000001B73000-memory.dmp	vmprotect
behavioral1/memory/1324-58-0x00000000008B0000-0x0000000001B73000-memory.dmp	vmprotect
behavioral1/memory/1324-84-0x00000000008B0000-0x0000000001B73000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cscript.exe

pid process

520 cscript.exe
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

pid process

2036 regsvr32.exe
1320 regsvr32.exe
2004 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
520	cscript.exe

pid	process
2036	regsvr32.exe
1320	regsvr32.exe
2004	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 14 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ = "FoxPro"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ = "FoxPro"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ = "FoxPro"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ = "FoxPro"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe

Drops file in System32 directory 5 IoCs

Processes:

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
File opened for modification	C:\Windows\System32\GroupPolicy	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

pid process

1324 633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

pid	process
1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

Drops file in Program Files directory 3 IoCs

Processes:

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

description	ioc	process
File created	C:\Program Files (x86)\Office\Office.exe	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
File opened for modification	C:\Program Files (x86)\Office\Office.exe	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
File created	C:\Program Files (x86)\Java\Java.exe	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1752 schtasks.exe
812 schtasks.exe
780 schtasks.exe
572 schtasks.exe
580 schtasks.exe

pid	process
1752	schtasks.exe
812	schtasks.exe
780	schtasks.exe
572	schtasks.exe
580	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0929de16903d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{012E7951-6F5D-11ED-B63A-76C12A601AFA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b824b7e75fd3a6d3ce97f3d7b7e7261ad64aed7e7c1acd1e303bd7bb1a1309ea000000000e8000000002000020000000a2b657ac49ce327e16e1226b22b25d06abdb1627a55d88de82bb339cd46da0e62000000088ade78af3833adaeefea2d0907d1ef0052ecb2c320b1df68d9ed0c62edc04f540000000baeca11f15b4ba51aaa116c89de213d074bdc0e06d277bf5fde2c06ef8a6a9727ac2bcb6496e852098828fb66c70af8bd9a035038214e6b9781676e210a30e15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000000dbe240859b48576b187eb1fc5aa47365bf40b1a5c43d3dfc3cd08643ee95e6c000000000e8000000002000020000000f63914dc7fc5fd30bdedd9bfd9c5d315599155f100e1b57be10bb38fdf31a0f650010000701dd334d680c983db10f29fb2a10f8d72c3a52ebc324ba77d16f1fb24c46ec44c88896ead372d07901f4c2141eadd1e57893106fbdfc445d8b343b3ef081578154eb11b6011e979fe9d589a3686881a51277585b2f7ef785e52c7a3b94656e8b2839d12c7eb1b74d1959132be3e57f11ccad09f1a443f87f29db7f253ccab6cf861dbe96a05d0330a29a0adaf634fd2ab26174f16dd4551fe41dcbc204d7fecdc720b9263da57bf0516d40e865c41f8d9bc3080a04cdd198e3bef6a66edb0be50f251cd341f3763b2925990a69b084258c88ead9e9bfc01c5ebb8b88a8f73c805b353541fef4e43a702f655f3ecbfd6892930fb2b7ba7f3b472e15ebe152d42714381702db30faf3e12f077f0953fedbb28b2373d666c2e71839be2b993dfc3063f097b5dd679ff203487d60e20af418b10fc78822e67e69b62df759e8be6beb2fd0966483f04484453162ecc9f18ca40000000e68519eb9de4481aaee4e0933232c21d3f911fbdb67729696a4af5365e52317f8504a4dec04eb5fdae00dc406b31b9643677bae61a8d95f083ee2899ffb41383	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376433051"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\CurVer\ = "FoxPro.FoxPro.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\TypeLib\ = "{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro.1\ = "FoxPro Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\TypeLib\ = "{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\ = "IFoxProBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\ = "FoxPro Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ = "FoxPro Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\VolIE\\FoxPro_32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\CLSID\ = "{598AC71E-BE58-3981-B78A-5C138F423AD6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6DD1B906-45FA-4A57-9AC6-01108C25067F}\ = "FoxPro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\VersionIndependentProgID\ = "FoxPro.FoxPro"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\ = "IFoxProBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FoxPro.DLL\AppID = "{6DD1B906-45FA-4A57-9AC6-01108C25067F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\TypeLib\ = "{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ProgID\ = "FoxPro.FoxPro.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\VolIE\\FoxPro_32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro.1\CLSID\ = "{598AC71E-BE58-3981-B78A-5C138F423AD6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro.1\CLSID\ = "{598AC71E-BE58-3981-B78A-5C138F423AD6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\VersionIndependentProgID\ = "FoxPro.FoxPro"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\VolIE\\FoxPro_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FoxPro.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\ = "FoxPro Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro.1\ = "FoxPro Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ProgID\ = "FoxPro.FoxPro.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0\ = "FoxPro 3.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\TypeLib\ = "{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FoxPro.DLL\AppID = "{6DD1B906-45FA-4A57-9AC6-01108C25067F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6DD1B906-45FA-4A57-9AC6-01108C25067F}\ = "FoxPro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\CLSID\ = "{598AC71E-BE58-3981-B78A-5C138F423AD6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxPro.FoxPro\CurVer\ = "FoxPro.FoxPro.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ = "FoxPro Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D2A451-3351-178C-7BC4-13C4D58A7652}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6DD1B906-45FA-4A57-9AC6-01108C25067F}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

pid process

1324 633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

112 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

112 iexplore.exe
112 iexplore.exe
952 IEXPLORE.EXE
952 IEXPLORE.EXE
952 IEXPLORE.EXE
952 IEXPLORE.EXE

pid	process
1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

pid	process
112	iexplore.exe

pid	process
112	iexplore.exe
112	iexplore.exe
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.execscript.exeregsvr32.exeiexplore.exe

description	pid	process	target process
PID 1324 wrote to memory of 1160	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1160	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1160	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1160	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 580	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 580	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 580	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 580	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 588	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 588	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 588	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 588	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1752	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1752	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1752	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1752	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 812	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 812	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 812	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 812	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 828	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	cscript.exe
PID 1324 wrote to memory of 828	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	cscript.exe
PID 1324 wrote to memory of 828	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	cscript.exe
PID 1324 wrote to memory of 828	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	cscript.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 1320	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 828 wrote to memory of 2036	828	cscript.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	regsvr32.exe	regsvr32.exe
PID 1324 wrote to memory of 112	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	iexplore.exe
PID 1324 wrote to memory of 112	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	iexplore.exe
PID 1324 wrote to memory of 112	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	iexplore.exe
PID 1324 wrote to memory of 112	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	iexplore.exe
PID 1324 wrote to memory of 836	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 836	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 836	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 836	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 112 wrote to memory of 952	112	iexplore.exe	IEXPLORE.EXE
PID 112 wrote to memory of 952	112	iexplore.exe	IEXPLORE.EXE
PID 112 wrote to memory of 952	112	iexplore.exe	IEXPLORE.EXE
PID 112 wrote to memory of 952	112	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 780	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 780	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 780	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 780	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1616	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1616	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe
PID 1324 wrote to memory of 1616	1324	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe	schtasks.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{598AC71E-BE58-3981-B78A-5C138F423AD6} = "1"	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe

C:\Users\Admin\AppData\Local\Temp\633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe
"C:\Users\Admin\AppData\Local\Temp\633dc1aac7fa6b61805d8cf2092171e0779aa9a47657537570375b70fec92930.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Delete /tn "Office" /f
2⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Create /TR "\"C:\Program Files (x86)\Office\Office.exe\"" /SC DAILY /TN "Office" /ST 12:06:00 /du 0024:00 /RI 360 /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Delete /tn "9A5A8340-6B15" /f
2⤵
PID:588

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Create /TR "\"C:\Users\Admin\AppData\Roaming\ARHome\Updater.exe\"" /SC ONIDLE /TN "9A5A8340-6B15" /I 1 /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Create /TN "Java Update" /TR "\"C:\Program Files (x86)\Java\Java.exe\"" /SC ONSTART /DELAY 0005:00 /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:812

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\IHH5rI.vbs
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\VolIE\FoxPro_32.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1320

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\VolIE\FoxPro_64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\VolIE\FoxPro_64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.acdcads.com/aff/thanks/updater-thanks.php?t=1386580451&wti=1000&s=1000&sta=1&av=None
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Delete /tn "mium0d" /f
2⤵
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Create /TR "\"C:\Users\Admin\AppData\Roaming\miaul\RJFC.exe\"" /SC ONLOGON /TN "mium0d" /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:780

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Delete /tn "keepup" /f
2⤵
PID:1616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /Create /TR "\"C:\Users\Admin\AppData\Roaming\miaul\RJFC.exe\"" /SC DAILY /TN "keepup" /ST 20:43:00 /du 0024:00 /RI 10 /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:572

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\IHH5rI.vbs
2⤵
- Deletes itself
PID:520

C:\Windows\system32\taskeng.exe
taskeng.exe {43BCF9AC-7146-4D37-99F5-12E793534C1C} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1800

C:\Users\Admin\AppData\Roaming\miaul\RJFC.exe
C:\Users\Admin\AppData\Roaming\miaul\RJFC.exe
2⤵
- Executes dropped EXE
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IHH5rI.vbs
Filesize
520B

MD5
f84de64817e033afc93090402498fe10

SHA1
0cbde725a7650151ed3b2b16f3f24a4e3e1e1968

SHA256
20b22d2c137fea3d52aab3b3bd5c4271c6d018d15cbb00367469407467e58a2f

SHA512
1bb87ff8e90f428158083b72f255bc129a00221a3e0bdcd29c7e2912c4f2d37a3e4ff7c1ed6a2d6438d7ccf7623e970a170a57b329770ad37ae409816f380ffb

Download Submit
C:\Users\Admin\AppData\Local\IHH5rI.vbs
Filesize
450B

MD5
dbccbed3050cdf2b8bef806ffdb9813b

SHA1
a113e7d1072abad94c36a11fef6b2b0b28845ae9

SHA256
815a193f97f5056dac1f992eafbf0d6b37081f14c53bb9686693522401263742

SHA512
baa3a529f3bf0903c0c57e871cf35e5d390c480bc566fc3909381f39c3ace658f4f2281d6ef224eedf7d1b7bdf89c8df0f2f447aadf6a55de2fd4bf5b49200fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4PEUH1PT.txt
Filesize
608B

MD5
07f0678db5b08120c76efd2413eb7328

SHA1
e72f0b061f4a8af7b64e3d7f10eca53d31e5ef91

SHA256
7fdd9c3a6823a17dde8cb29a4af7dc79779acc10d9eb71653c5e927aa0c34eef

SHA512
eaadb53883331829ed078b61cf15d426a45996fd7aaefedfb60c1d449b5671c9c0a72197bcae21beb26859b16c9562658d5986d633ab64534b46c4c4448f7539

Download Submit
C:\Users\Admin\AppData\Roaming\VolIE\FoxPro_32.dll
Filesize
182KB

MD5
ce31a05ee7c72fea9ea74dcc1a16e8d6

SHA1
e524c0f68b735138174137a034f5b5f7878917fb

SHA256
1a66dab0e452c64fca4ae8f976c8fd4b790926d246db9de88c95453c7cda255f

SHA512
a285766e17888135ba468a69bf460fc03b2fa5fdf64d479e6767e653abe5366dfd5d9ac319f39413559a1e496db18219c8f10fa22dc49fe0fd391c1c82b146c3

Download Submit
C:\Users\Admin\AppData\Roaming\VolIE\FoxPro_64.dll
Filesize
218KB

MD5
50d22dadb851a45d0594f23b23b9bc13

SHA1
2e042aed9b0aa3adc3c9e5b9728f6e8ee0c5d2a6

SHA256
a742c4aa880a36eac02e3cb2a3d07f0edc5a9f7c94c7c53e88264ec16594a07b

SHA512
90f2af018d03db1c9aa17f7fa98b4aa9d39c5a8de4433ab4e305a2212fa53581630c5d39061d22dabb73fe4b848a0d0973357521655b19c700ada574cc71242e

Download Submit
C:\Users\Admin\AppData\Roaming\miaul\RJFC.exe
Filesize
80KB

MD5
5afc57e409e859d48ebac2540a8e3460

SHA1
a260a5af72eb1f4982987abbc7aef26d604f1edb

SHA256
98e29511436dd9ec883eaec999d89bf86041fa2d8dddd922c00790ff920895ff

SHA512
207ad8eab68e88b9a20af44aa8cab7f350fe4a81d988cdac01984b0db5ff9a8a5a9e476f682f76637d236ef9b9ce6207d0ea3bfe6bbb4098a36f4a91f093ab53

Download Submit
C:\Users\Admin\AppData\Roaming\miaul\RJFC.exe
Filesize
80KB

MD5
5afc57e409e859d48ebac2540a8e3460

SHA1
a260a5af72eb1f4982987abbc7aef26d604f1edb

SHA256
98e29511436dd9ec883eaec999d89bf86041fa2d8dddd922c00790ff920895ff

SHA512
207ad8eab68e88b9a20af44aa8cab7f350fe4a81d988cdac01984b0db5ff9a8a5a9e476f682f76637d236ef9b9ce6207d0ea3bfe6bbb4098a36f4a91f093ab53

Download Submit
\Users\Admin\AppData\Roaming\VolIE\FoxPro_32.dll
Filesize
182KB

MD5
ce31a05ee7c72fea9ea74dcc1a16e8d6

SHA1
e524c0f68b735138174137a034f5b5f7878917fb

SHA256
1a66dab0e452c64fca4ae8f976c8fd4b790926d246db9de88c95453c7cda255f

SHA512
a285766e17888135ba468a69bf460fc03b2fa5fdf64d479e6767e653abe5366dfd5d9ac319f39413559a1e496db18219c8f10fa22dc49fe0fd391c1c82b146c3

Download Submit
\Users\Admin\AppData\Roaming\VolIE\FoxPro_64.dll
Filesize
218KB

MD5
50d22dadb851a45d0594f23b23b9bc13

SHA1
2e042aed9b0aa3adc3c9e5b9728f6e8ee0c5d2a6

SHA256
a742c4aa880a36eac02e3cb2a3d07f0edc5a9f7c94c7c53e88264ec16594a07b

SHA512
90f2af018d03db1c9aa17f7fa98b4aa9d39c5a8de4433ab4e305a2212fa53581630c5d39061d22dabb73fe4b848a0d0973357521655b19c700ada574cc71242e

Download Submit
\Users\Admin\AppData\Roaming\VolIE\FoxPro_64.dll
Filesize
218KB

MD5
50d22dadb851a45d0594f23b23b9bc13

SHA1
2e042aed9b0aa3adc3c9e5b9728f6e8ee0c5d2a6

SHA256
a742c4aa880a36eac02e3cb2a3d07f0edc5a9f7c94c7c53e88264ec16594a07b

SHA512
90f2af018d03db1c9aa17f7fa98b4aa9d39c5a8de4433ab4e305a2212fa53581630c5d39061d22dabb73fe4b848a0d0973357521655b19c700ada574cc71242e

Download Submit
memory/520-81-0x0000000000000000-mapping.dmp

Download
memory/572-80-0x0000000000000000-mapping.dmp

Download
memory/580-59-0x0000000000000000-mapping.dmp

Download
memory/588-60-0x0000000000000000-mapping.dmp

Download
memory/780-78-0x0000000000000000-mapping.dmp

Download
memory/812-62-0x0000000000000000-mapping.dmp

Download
memory/828-63-0x0000000000000000-mapping.dmp

Download
memory/836-77-0x0000000000000000-mapping.dmp

Download
memory/1160-57-0x0000000000000000-mapping.dmp

Download
memory/1320-66-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1324-84-0x00000000008B0000-0x0000000001B73000-memory.dmp

Filesize
18.8MB

Download
memory/1324-58-0x00000000008B0000-0x0000000001B73000-memory.dmp

Filesize
18.8MB

Download
memory/1324-55-0x00000000008B0000-0x0000000001B73000-memory.dmp

Filesize
18.8MB

Download
memory/1616-79-0x0000000000000000-mapping.dmp

Download
memory/1752-61-0x0000000000000000-mapping.dmp

Download
memory/1876-87-0x0000000000000000-mapping.dmp

Download
memory/2004-74-0x0000000000000000-mapping.dmp

Download
memory/2004-75-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/2036-67-0x0000000000000000-mapping.dmp

Download