fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Size

94KB
MD5

395df6e70432829bec3852306ff63ecd
SHA1

0a3735863450d4fb8ed6173185e68022b2c17cda
SHA256

fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a
SHA512

5f8d4b01a5e3488d27bef72e3345d727fca1ca066650b41f8041bfd0f18becebc4ffcace27ce462b8e20312f3f85020f39a6c4c5026a78c8712ff41771633f0d
SSDEEP

1536:KuieF4ac5TP1zzi5Rhezd6mVx+Ysb+oou:K+NG1Pzd6mv+Yp

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O82DPY0L-56WJ-PUBH-Q88E-6P01678KRVCI}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{MO7046W9-3761-3TU0-I4Y9-HM7E25WA2PQX}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L6DF5VZO-592N-Q714-6Y94-762KV81J4A9I}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4L8X3LY-1246-914T-D4M8-Y3NZ12569ENU}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{IQVE44T1-E6R2-2LZF-JRXG-4MU2F77235AH}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1IKWEC6V-825U-XL37-9E67-035RC13Q1HQP}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9257WHSZ-V3MV-FK6R-EMKY-DD5V0F7R02M9}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327C1PT8-KNTY-F470-437D-2RUW05V9G480}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{B56VJ5TB-HP88-E6P0-C66X-KQVCIR9XG6Q1}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K673GQV0-NPXF-JO99-G5A1-546X3LT0288G}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{00ER892U-622M-W1F5-R1GS-90247Y2NY2H6}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{56803O8D-OLX2-J799-ER90-3PYF1NYXKK90}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{16W0358D-D4X8-J3XZ-1690-359F15Y9KK5A}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73GQV05P-XG3O-9925-AE54-6X34T028VGMU}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2G77W356-XLTZ-9EO8-9H77-Y3569N309FP9}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{57A5RAZF-4W92-PTII-7A2K-5W24RTFNL9E5}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AG27R017-TELS-8YHR-W0DQ-9GK59AH56155}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UGFSS23N-A2L7-YHO5-WHGT-T83ORXM7ZY15}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{91460H25-A9MM-ACH8-0257-0I3QBANOCDI8}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{236902RC-JG7W-FPV0-COWU-JNN9F4PDB46X}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7X0MYEB5-6B46-WXKR-P1J3-70IKY824S125}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{327C1PT8-KNTY-F470-437D-2RUW05V9G480}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{K673GQV0-NPXF-JO99-G5A1-546X3LT0288G}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692HV713-P01L-79CM-57B5-RBAQ8XJ2PT3I}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E67A34RB-NTQ1-GQAF-4MZ2-1T9YJP895M80}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13N50328-00L7-Z0Q5-YE3V-92OS8HHO8I48}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A05QS94-R8D3-6YY2-66D1-ST9478137ZZ2}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8XL379F6-7B35-SC13-R1HQ-6F4NZ82J9YJQ}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{73GQV05P-XG3O-9925-AE54-6X34T028VGMU}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{FNRW22O8-I487-9F6T-B351-1OUB1HRAG4NZ}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8X3MN124-6914-TE0N-8Z3N-PU257925V8DO}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7X0MYEB5-6B46-WXKR-P1J3-70IKY824S125}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56VJ5TB-HP88-E6P0-C66X-KQVCIR9XG6Q1}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{PW123SCH-5OBJ-R8A4-469B-P991J88F56WG}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2S9G3W8F-K6C1-4UY1-NOV0-P70BG49AIQ8J}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{8FPU0BOW-U3N9-924P-C046-W34S01JU70I8}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{5S0LQ89K-7BF3-UUB3-493H-M71GOX0F6031}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4L8X3LY-1246-914T-D4M8-Y3NZ12569ENU}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{91I770H7-X224-R125-895O-AG56TDMS9ZLT}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FNRW22O8-I487-9F6T-B351-1OUB1HRAG4NZ}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{67FF4T8K-TSX1-P69I-M6B4-T6C2P91KL9GE}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RXU2KUDJ-5QCK-IXBB-5T0D-6Q02L8ZG57Y3}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{236902RC-JG7W-FPV0-COWU-JNN9F4PDB46X}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5O9A45A2-3570-GPWG-5P9B-46CHK6U0HQX3}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{4713P61L-J9CM-57BD-R6AF-4X92PT9IJP8K}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2U89K5S9-540Z-G69Z-3LW9-LQT0E4RA26ZA}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{NW1CL8V3-3M91-2MBJ-O5TE-45833N9125C9}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{X91MOCLL-Q8I3-60E3-TELI-89H68CEQYW4P}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2G611GS9-0287-32OY-2H6T-1IU90347ZIPZ}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{73GQV05P-XG3O-9925-AE54-6X34T028VGMU}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3RQ943W8-0M6U-0581-BHS0-B4XY0NSV0651}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{81L4TFEQ-RFHL-9236-XGM4-UGFSS23NA2L7}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{16W0358D-D4X8-J3XZ-1690-359F15Y9KK5A}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{91469G2N-ZYLL-5BGJ-P14R-P82P6ZMM61HK}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\{91460H25-A9MM-ACH8-0257-0I3QBANOCDI8}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{23670H6X-HFQ0-C567-3L68-1IRYIGS0DO77}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{57A5RAZF-4W92-PTII-7A2K-5W24RTFNL9E5}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3RQ943W8-0M6U-0581-BHS0-B4XY0NSV0651}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{VCMKV1H7-89CQ-803N-WD1L-WVIJ89DR9B3P}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H6VX4680-358D-N4W2-I7XY-D690359E1MY8}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F557Y44U-128W-HNV9-BKUZ-2GT09N61DJ67}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UB4JU1GR-88BP-8Z2M-V10K-WV3I89DQWBIO}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{MO7046W9-3761-3TU0-I4Y9-HM7E25WA2PQX}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{2670000A-7350-4F3C-8081-5663EE0C6C49}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A919514-BA8B-43b3-B11A-7EFBB978E17B}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A919514-BA8B-43b3-B11A-7EFBB978E17B}	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
Token: SeIncBasePriorityPrivilege	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3564	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe	89
PID 5004 wrote to memory of 3564	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe	89
PID 5004 wrote to memory of 3564	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe	89
PID 5004 wrote to memory of 2628	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe	91
PID 5004 wrote to memory of 2628	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe	91
PID 5004 wrote to memory of 2628	5004	fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe	91

C:\Users\Admin\AppData\Local\Temp\fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe
"C:\Users\Admin\AppData\Local\Temp\fdf632aaefc99b36c89a9e1c8a7a07795b6f8a1aad7860eeca90d7273564d62a.exe"
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s ToolBand2.dll
  2⤵
  PID:3564
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s ToolBand2.dll
  2⤵
  PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads